The many Wi-Fi devices that pervade our homes, workplaces and lives — from phones and smartwatches to TVs and voice assistants to desktops, laptops, tablets, security systems, and more — communicate over encrypted wireless links, yet despite that cryptographic protection they may be leaking sensitive information.
“Networks use Wi-Fi security protocols to prevent unauthorized devices from joining a network, so you might think that a Wi-Fi device would acknowledge data packets it receives only from its associated access point or from other authenticated devices on the same network,” says Ali Abedi, an adjunct professor at the Cheriton School of Computer Science. “But a couple of years ago, we found a loophole in the 802.11 Wi-Fi protocol that allows someone to force any Wi-Fi device to send back data packets. By exploiting this loophole, a malicious attacker could make any Wi-Fi device send packets, the wireless signals they generate.”
The behaviour was termed polite WiFi because a contacted Wi-Fi device responds with an electronic hello — an acknowledgement or ACK — to every data frame it receives, even one sent by a device that is not authenticated to its network, as long as the destination address matches its MAC address, the identifier unique to every device on a network. The ACK is generated at the MAC layer as soon as a correctly received frame is addressed to the device, before any decryption or integrity check, which is why an unencrypted or incorrectly encrypted frame is acknowledged exactly like a legitimate one.
“Wi-Fi signals go through rooms and walls, so a question immediately came to our minds: Given that these wireless signals pass through buildings — and because of the polite Wi-Fi loophole where anyone could force a device to generate an ACK — what kind of information could be leaked from a Wi-Fi device?” Professor Abedi said. “In a recent study with my colleague Deepak Vasisht at University of Illinois Urbana-Champaign we looked specifically at whether we could obtain location information of Wi-Fi devices.”
The attack is unnervingly easy to do: it does not rely on installing software on target devices or on expensive hardware, and it does not require the bulky antenna arrays used for triangulation, a technique that is not only impractical because of the time required but also easy to spot.
Because a Wi-Fi device always responds with an ACK to a data frame addressed to it, even one sent from outside its network and left unencrypted or incorrectly encrypted, this protocol flaw can be used to take time-of-flight measurements to any target device. A small Wi-Fi device that the researchers call Wi-Peep, which costs about $20, can be attached to a lightweight drone that flies past a building and sends frames to the Wi-Fi devices inside. Wi-Peep uses the time taken for each ACK to arrive back, minus the device's fixed turnaround time, as a measure of the distance to that device; a single round trip only gives a distance, so measurements taken from several points along the drone's path are combined to determine the location of every Wi-Fi device in the building to a precision of about a metre.
“The challenge in using polite Wi-Fi is that Wi-Fi devices are in sleep mode most of the time and their radio is turned off to conserve power,” Professor Abedi said. “But it would be easy for an attacker to use a technique that keeps the radio of target devices on during an attack so they keep sending ACK replies. To Wi-Peep, these Wi-Fi devices are like lights in the visible spectrum and the walls are like glass.”
An attacker could, for example, track the movements of security guards inside a bank by following the location of their phones or smartwatches. And a would-be thief could identify the location and type of smart devices in a home, such as an expensive laptop or smart TV, to find a good candidate for burglary. Wi-Peep's operation from a drone means that it can be used quickly and remotely, with little chance of the operator being detected.
Professor Abedi is unequivocal that this research is not meant to be a how-to article to case out a neighbour’s house or to conduct espionage.
“As soon as we realized this attack is possible, we warned people in industry as well as Wi-Fi chip manufacturers that this leakage of privacy-sensitive information is real and someone can do this,” he explained. “Using the Wi-Peep device attached to a drone hovering outside a building, we demonstrated we can obtain the location of Wi-Fi devices in a building even those that are in a basement. And, importantly, we also started developing solutions to stop this attack — changes to Wi-Fi devices to prevent or circumvent such leakage of information.”
“Wi-Fi penetrates all of our physical spaces including homes, offices, cafes and shopping malls,” adds Professor Vasisht, coauthor of the study. “Given the prevalence of Wi-Fi, the vulnerabilities exposed by Wi-Peep need to be addressed to ensure location privacy in these spaces. We hope our work will spotlight the challenges associated with ensuring privacy in wireless networks broadly and encourage more thoughtful design of these systems.”
To this end, the researchers explored a solution that device manufacturers could implement. Since the attack relies on a round-trip time measurement, how long a packet takes to reach a device plus the fixed delay before the device sends its ACK plus how long the ACK takes to arrive back, the solution is to introduce some artificial variation in the device's ACK delay, so that the attacker can no longer subtract a known constant and recover the true time of flight.
“When a Wi-Fi device receives a packet, instead of responding after 10 microseconds it could delay the ACK response a little bit, say, to 10.1 microseconds, or it could respond at 9.9 microseconds,” he explained. In one microsecond a radio signal travelling at the speed of light covers about 300 metres, so a change of only 0.1 microseconds in the response time shifts the measured round trip by about 30 metres of path, or 15 metres of apparent range, more than enough to render positional information useless.
“We show that this time randomness in an ACK response messes up this attack to the point that the accuracy of localization becomes 10 or 15 metres, which is the boundary of a building. All you would know is that a Wi-Fi device is in the building. And if we keep changing the response time, an attacker will think a device has moved when it hasn’t.”
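The following simulation is an added example, not the researchers' Wi-Peep code, and it ties together the two mechanisms described above: time-of-flight ranging from the ACK round trip, and the randomised ACK delay proposed as a countermeasure. The prober's round-trip time is modelled as the two-way propagation delay plus the device's ACK turnaround; the attacker subtracts the nominal 10 µs SIFS quoted on the page and halves the remainder to obtain a range, and ranges taken from several drone positions are combined by least-squares trilateration. The target position, the six drone waypoints and the ±100 ns jitter are constructed values chosen for illustration.

```python
# Added example (not the authors' Wi-Peep implementation): simulate ACK
# time-of-flight ranging from several drone positions, trilaterate, and show
# how a randomised ACK turnaround spoils the fix.  Every position and timing
# value below is constructed for illustration.
import random
from typing import List, Optional, Sequence, Tuple

C = 299_792_458.0   # speed of light, m/s
SIFS = 10e-6        # nominal ACK turnaround the attacker assumes (10 us, 2.4 GHz figure quoted on the page)

Point = Tuple[float, float, float]


def dist(a: Point, b: Point) -> float:
    return sum((x - y) ** 2 for x, y in zip(a, b)) ** 0.5


def ack_rtt(target: Point, probe: Point, ack_delay: float = SIFS) -> float:
    """Round trip seen by the prober: frame out, device waits ack_delay, ACK back.
    A device implementing the countermeasure passes a randomised ack_delay."""
    return 2.0 * dist(target, probe) / C + ack_delay


def range_from_rtt(rtt: float) -> float:
    """Attacker's view: subtract the nominal SIFS, halve the remaining path."""
    return (rtt - SIFS) * C / 2.0


def solve3(a: List[List[float]], b: List[float]) -> List[float]:
    """Gaussian elimination with partial pivoting for a 3x3 system."""
    m = [row[:] + [rhs] for row, rhs in zip(a, b)]
    n = 3
    for col in range(n):
        piv = max(range(col, n), key=lambda r: abs(m[r][col]))
        m[col], m[piv] = m[piv], m[col]
        for r in range(col + 1, n):
            f = m[r][col] / m[col][col]
            for k in range(col, n + 1):
                m[r][k] -= f * m[col][k]
    x = [0.0] * n
    for r in range(n - 1, -1, -1):
        x[r] = (m[r][n] - sum(m[r][k] * x[k] for k in range(r + 1, n))) / m[r][r]
    return x


def trilaterate(anchors: Sequence[Point], ranges: Sequence[float]) -> Point:
    """Least-squares position from >= 4 non-coplanar anchors.  Subtracting the
    first sphere equation from the others linearises the problem:
        2 (p_i - p_0) . x = r_0^2 - r_i^2 + |p_i|^2 - |p_0|^2
    which is then solved through the normal equations (A^T A) x = A^T b."""
    p0, r0 = anchors[0], ranges[0]
    rows, rhs = [], []
    for p, r in zip(anchors[1:], ranges[1:]):
        rows.append([2.0 * (pi - p0i) for pi, p0i in zip(p, p0)])
        rhs.append(r0 ** 2 - r ** 2 + sum(v * v for v in p) - sum(v * v for v in p0))
    ata = [[sum(row[i] * row[j] for row in rows) for j in range(3)] for i in range(3)]
    atb = [sum(row[i] * v for row, v in zip(rows, rhs)) for i in range(3)]
    x = solve3(ata, atb)
    return (x[0], x[1], x[2])


def localize(target: Point, probes: Sequence[Point], jitter: float = 0.0,
             rng: Optional[random.Random] = None) -> Point:
    """One Wi-Peep-style pass: probe the target from each drone position,
    convert each RTT to a range assuming the nominal SIFS, trilaterate.
    `jitter` is the half-width (seconds) of the uniform random delay a
    defending device adds to its ACK turnaround; 0 means a fixed turnaround."""
    rng = rng or random.Random(0)
    ranges = []
    for probe in probes:
        delay = SIFS + (rng.uniform(-jitter, jitter) if jitter else 0.0)
        ranges.append(range_from_rtt(ack_rtt(target, probe, delay)))
    return trilaterate(probes, ranges)


# Constructed scenario: a phone in a basement, a drone hovering at six points outside.
TARGET: Point = (8.0, 6.0, -3.0)
DRONE_PATH: List[Point] = [(0.0, 0.0, 5.0), (20.0, 0.0, 8.0), (20.0, 15.0, 6.0),
                           (0.0, 15.0, 10.0), (10.0, -5.0, 12.0), (-5.0, 8.0, 4.0)]


def localization_error(jitter: float = 0.0, seed: int = 0) -> float:
    """Distance in metres between the estimated and true target position."""
    return dist(localize(TARGET, DRONE_PATH, jitter, random.Random(seed)), TARGET)


def mean_error(jitter: float, trials: int = 200) -> float:
    """Average localisation error over many independent jitter draws."""
    return sum(localization_error(jitter, s) for s in range(trials)) / trials


if __name__ == "__main__":
    print(f"fixed 10 us ACK turnaround : error {localization_error(0.0):.3f} m")
    print(f"ACK turnaround +/-100 ns   : mean error {mean_error(100e-9):.1f} m over 200 runs")
```

With a fixed turnaround the basement target is recovered to within floating-point error; with ±100 ns of turnaround jitter, which is ±15 m of one-way range per measurement, the mean error climbs to several metres, consistent with the building-scale accuracy described above. The simulation deliberately ignores multipath and the limited timestamp resolution of real radios, and it uses the 10 µs SIFS quoted on the page (the 5 GHz bands use 16 µs); whichever constant a real device uses, the attack depends on it being constant, and a randomised turnaround is the unknown term the attacker cannot subtract.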
Professor Abedi cautions, however, that the time randomness response solution may not be possible with all current Wi-Fi devices.
“Some devices have firmware on their hardware that controls what’s happening on the Wi-Fi chipset and this suggests that the ACK timing solution could be implemented in the device’s firmware,” he said. “But in some devices the ACK mechanism is coded into the hardware and unless you change the hardware you cannot fix it. That’s why a solution has to come from the next generation of devices. The real fix is a device update.”
To learn more about the research on which this feature article is based, please see Ali Abedi and Deepak Vasisht. 2022. Non-cooperative Wi-Fi Localization & its Privacy Implications. In MobiCom ’22: Proceedings of the 28th Annual International Conference on Mobile Computing and Networking, October 2022, pp. 570–582.