A newly found loophole enables researchers to see through walls

The Wi-Peep sends many messages to a target device while it is in the air.
Nergis Firtina
Professor Ali Abedi tests out Wi-Peep.
The University of Waterloo.  

A research team from the University of Waterloo has created a drone-powered tool that uses WiFi networks to see through walls.

Called Wi-Peep, the device can fly close to buildings and then use the WiFi network of the occupants to identify and locate any WiFi-enabled devices quickly.

The study was presented at the 28th Annual International Conference on Mobile Computing and Networking.

The Wi-Peep takes advantage of what the researchers refer to as Polite WiFi. According to the University of Waterloo, smart devices will immediately respond to contact attempts from any device in range, even if the network is password-protected.

While in the air, the Wi-Peep sends many messages to a target device and measures the response time of each one to determine the target device's location to within a meter.

“The Wi-Peep devices are like lights in the visible spectrum, and the walls are like glass,” Dr. Ali Abedi, an adjunct professor of computer science, said.

“Using similar technology, one could track the movements of security guards inside a bank by following the location of their phones or smartwatches. Likewise, a thief could identify the location and type of smart devices in a home, including security cameras, laptops, and smart TVs, to find a good candidate for a break-in. In addition, the device’s operation via drone means that it can be used quickly and remotely without much chance of the user being detected.”

$20 worth of cheap components

Abedi's team built it from a store-bought drone and $20 worth of cheap components.

“As soon as the Polite WiFi loophole was discovered, we realized this kind of attack was possible,” Abedi said.

To prove their theory, the team developed the Wi-Peep, but they soon recognized that anyone with the necessary skills could make a similar gadget just as easily.

“On a fundamental level, we need to fix the Polite WiFi loophole so that our devices do not respond to strangers,” Abedi explained. “We hope our work will inform the design of next-generation protocols.”

He also urges WiFi chip manufacturers to implement an artificial, randomized variance in device reaction time.
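To show why randomized response time matters and how much of it a chip would need, here is a small simulation of time-of-flight ranging against a device that adds random delay before replying. It is an added example, not code from the article or the Waterloo study. The 10 microsecond nominal turnaround, the jitter and distance values, and all function names are assumptions chosen for illustration.

```python
import random
import statistics

C = 299_792_458.0   # speed of light, m/s
TURNAROUND_S = 10e-6  # assumed fixed delay before a device replies (illustrative)

def reply_rtt(distance_m, jitter_s, rng):
    """Round-trip time of one message/response exchange.

    jitter_s is the mitigation: extra delay drawn uniformly from [0, jitter_s].
    """
    flight = 2.0 * distance_m / C
    return flight + TURNAROUND_S + rng.uniform(0.0, jitter_s)

def estimate_range(rtts, assumed_turnaround_s=TURNAROUND_S):
    """Range estimate from averaged RTTs, assuming a fixed turnaround."""
    return C * (statistics.fmean(rtts) - assumed_turnaround_s) / 2.0

def range_error_stats(distance_m, jitter_s, n_messages, trials=500, seed=1):
    """Return (mean error, spread of error) in metres over repeated trials."""
    rng = random.Random(seed)
    errors = []
    for _ in range(trials):
        rtts = [reply_rtt(distance_m, jitter_s, rng) for _ in range(n_messages)]
        errors.append(estimate_range(rtts) - distance_m)
    return statistics.fmean(errors), statistics.pstdev(errors)

if __name__ == "__main__":
    # Constructed scenario: device 10 m away, chip adds 0 ns or 100 ns of jitter.
    for jitter_ns in (0, 100):
        for n in (1, 100):
            mean_err, spread = range_error_stats(10.0, jitter_ns * 1e-9, n)
            print(f"jitter={jitter_ns:>3} ns  messages={n:>3}  "
                  f"mean error={mean_err:6.2f} m  spread={spread:5.2f} m")
```

One metre of range corresponds to only about 6.7 ns of round-trip time, so even 100 ns of jitter moves a single estimate by several metres. The spread shrinks with the square root of the number of messages averaged, so the amount of jitter a chip adds has to be sized with that in mind.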

Study abstract:

We present Wi-Peep - a new location-revealing privacy attack on non-cooperative Wi-Fi devices. Wi-Peep exploits loopholes in the 802.11 protocol to elicit responses from Wi-Fi devices on a network that we do not have access to. It then uses a novel time-of-flight measurement scheme to locate these devices. Wi-Peep works without any hardware or software modifications on target devices and without requiring access to the physical space that they are deployed in. Therefore, a pedestrian or a drone that carries a Wi-Peep device can estimate the location of every Wi-Fi device in a building. Our Wi-Peep design costs $20 and weighs less than 10 g. We deploy it on a lightweight drone and show that a drone flying over a house can estimate the location of Wi-Fi devices across multiple floors to meter-level accuracy. Finally, we investigate different mitigation techniques to secure future Wi-Fi devices against such attacks.

