“Wi-Peep” Uses Wi-Fi-enabled Drone to Spy Through Walls

November 07, 2022 by Aaron Carman

Leveraging a loophole in Wi-Fi, University of Waterloo researchers built a drone that determines the position of connected devices within seconds.

University of Waterloo researchers have identified a Wi-Fi security threat that allows a third-party device to determine the physical position of a connected device, even through walls.



The completed Wi-Peep device costs just $20 for electronics components combined with a commercial drone to accurately determine the positions of Wi-Fi devices. Image used courtesy of the Association for Computing Machinery


Their research prototype, a Wi-Fi-enabled drone called “Wi-Peep,” used a probe to find all devices connected to a local network and continuously determine their position in a matter of seconds, highlighting a major vulnerability in Wi-Fi systems.


How Secure Is Wi-Fi, Anyway?

With an abundance of Wi-Fi connections, any small leakage can be devastating to user privacy. The Wi-Peep device leveraged weaknesses in the IEEE 802.11 Wi-Fi standards to elicit responses from devices in a wireless network.

First, the Wi-Peep spoofed a beacon frame, causing all devices to immediately send a response that the Wi-Peep detected and used to determine every device’s MAC address. After determining the MAC addresses, the Wi-Peep sent an unencrypted data packet to a target device. Because the packet was not encrypted with the network’s keys, it could not control the device; however, thanks to “Polite Wi-Fi,” the device sent an acknowledgment regardless of the contents of the packet.



Wi-Peep overview illustrating the functional principle of the device. The time of flight determined the target distance, while the drone's movement allowed Wi-Peep to estimate the angle of arrival for the acknowledgment, effectively localizing the device. Image used courtesy of the Association for Computing Machinery


This acknowledgment effectively closed the loop between Wi-Peep and the target device, allowing Wi-Peep to determine the device’s location using a time-of-flight (ToF) measurement combined with a localization model built from the drone’s movement. The measurements determined the device’s position to within around a meter, making it a disturbingly effective localization method.


Continuous Non-cooperative External Position Monitoring

The Wi-Peep device illustrates how, even on a password-protected network, external sources can quickly, covertly, and reliably determine the position of smart devices without connecting to the target network. This could allow attackers to locate high-value items or personnel in a secure building.



Professor Ali Abedi flying the Wi-Peep device. Image used courtesy of the University of Waterloo


For designers, it is important to mitigate these vulnerabilities with a multi-layered response. In a broad sense, the Wi-Fi Alliance can update the 802.11 standards to rework the “Polite Wi-Fi” mechanism and improve network security against outside attacks. Even this improvement, however, would still leave the network vulnerable to attacks from inside.

Developers can deter ToF measurements by employing a variable short interframe space (SIFS). The University of Waterloo group noted that differences in SIFS between devices could pose problems for ranging, but their algorithm corrected for this on a per-device level as long as each device’s SIFS was constant. By using a variable SIFS instead of a constant one, developers can add enough randomness to the ToF measurements to block localization.
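To make the SIFS argument concrete, here is a small simulation, added for this article and not code from the Waterloo group, of the ranging step as the text describes it: the observer times the gap between its frame and the target's acknowledgment, and that gap is two propagation legs plus the responder's SIFS. With a constant SIFS, a per-device calibration at a known distance recovers the offset and the range is exact; with a SIFS that jitters per frame, the same calibration leaves errors of metres even after averaging a handful of ACKs. The nominal 16 µs SIFS, the ±200 ns jitter, the sample counts and the distances are all constructed assumptions for the demonstration, not values from the paper.

```python
"""Toy model of round-trip (ToF) ranging against a Wi-Fi device, showing why a
per-device calibration defeats a constant SIFS but not a randomised one.
Added example; not the Wi-Peep code. All numeric parameters are assumptions."""
import random
import statistics

C_M_PER_NS = 0.299792458  # speed of light in metres per nanosecond
NOMINAL_SIFS_NS = 16_000.0  # assumed responder inter-frame gap (16 µs)


def constant_sifs(rng):
    """Responder that always waits exactly the nominal SIFS before its ACK."""
    return NOMINAL_SIFS_NS


def jittered_sifs(rng):
    """Responder that randomises its SIFS per frame (assumed ±200 ns, uniform)."""
    return NOMINAL_SIFS_NS + rng.uniform(-200.0, 200.0)


def round_trip_ns(distance_m, sifs_ns):
    """Observer-side timing: frame out, responder waits SIFS, ACK back."""
    return 2.0 * distance_m / C_M_PER_NS + sifs_ns


def range_from_round_trip(rtt_ns, assumed_sifs_ns):
    """Invert the timing model using the SIFS the observer believes the device uses."""
    return (rtt_ns - assumed_sifs_ns) * C_M_PER_NS / 2.0


def collect_samples(distance_m, sifs_fn, n_samples, rng):
    """n round-trip measurements, each with the SIFS the responder really inserted."""
    return [round_trip_ns(distance_m, sifs_fn(rng)) for _ in range(n_samples)]


def calibrate_sifs_ns(rtts_ns, known_distance_m):
    """Per-device calibration: measurements at a known distance expose the
    device's SIFS offset. For a constant SIFS this is exact; for a jittered
    one it only recovers the mean, with residual noise."""
    return statistics.mean(rtts_ns) - 2.0 * known_distance_m / C_M_PER_NS


def ranging_errors_m(true_distance_m, sifs_fn, calibration_distance_m,
                     n_samples, seed=1):
    """Absolute per-sample range errors after calibration. The observer gets
    only n_samples ACKs per position, modelling a moving observer."""
    rng = random.Random(seed)
    calibration = collect_samples(calibration_distance_m, sifs_fn, n_samples, rng)
    assumed_sifs = calibrate_sifs_ns(calibration, calibration_distance_m)
    field = collect_samples(true_distance_m, sifs_fn, n_samples, rng)
    estimates = [range_from_round_trip(r, assumed_sifs) for r in field]
    return [abs(e - true_distance_m) for e in estimates]


def averaged_error_m(true_distance_m, sifs_fn, calibration_distance_m,
                     n_samples, seed=1):
    """Error of the mean estimate, i.e. the best the observer can do by
    averaging its limited number of ACKs."""
    rng = random.Random(seed)
    calibration = collect_samples(calibration_distance_m, sifs_fn, n_samples, rng)
    assumed_sifs = calibrate_sifs_ns(calibration, calibration_distance_m)
    field = collect_samples(true_distance_m, sifs_fn, n_samples, rng)
    mean_estimate = statistics.mean(range_from_round_trip(r, assumed_sifs) for r in field)
    return abs(mean_estimate - true_distance_m)


if __name__ == "__main__":
    for name, fn in (("constant SIFS", constant_sifs), ("jittered SIFS", jittered_sifs)):
        errs = ranging_errors_m(12.0, fn, 3.0, n_samples=8)
        avg = averaged_error_m(12.0, fn, 3.0, n_samples=8)
        print(f"{name}: worst single-ACK error {max(errs):.2f} m, "
              f"error of 8-ACK average {avg:.2f} m")
```

The scale of the effect follows from the speed of light: every nanosecond of unmodelled delay in the round trip moves the range estimate by about 15 cm, so ±200 ns of jitter spreads single-ACK estimates over tens of metres, and averaging eight ACKs only shrinks that by a factor of roughly three. The caveat a defender should keep in mind is visible in the code as well: an observer that could collect very many ACKs from a stationary position would average the jitter down again, so the randomisation needs to be wide relative to the number of ACKs an observer can realistically gather.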


Should You Build a Faraday Cage Around Your Home?

With the rollout of Wi-Fi 6 technology and Wi-Fi 7 on the horizon, it is certainly possible that the findings of the University of Waterloo group will be taken into consideration when designing the next generation of connected devices. The group themselves have already reached out to Wi-Fi AP and chip manufacturers to allow them to get ahead of the curve regarding this new vulnerability.

However, regardless of one’s own networking habits, the security of a wireless network typically boils down to its weakest link. While the publication of these loopholes may seem to tip off malefactors, in reality it is crucial to improving network security. After all, when it comes to cybersecurity, the greatest threat is the one we don’t know about.