On a scorching summer day, at 4 PM, drowsiness creeps in. After carefully surveying the surroundings and confirming that the boss is nowhere nearby, you sneak into the forgotten supply closet in the corner of the office, a blind spot in the surveillance camera system, and enjoy a delightful little nap. You even leave your phone and laptop at your workstation to avoid any possible location tracking.
When you wake up and return to your desk, however, you still receive a "friendly reminder" from an administrative colleague, sending a chill down your spine.
In November 2025, three researchers from the Karlsruhe Institute of Technology (KIT) in Germany published a paper at CCS (ACM Computer and Communications Security Conference), a top-tier conference in computer security, detailing how signals emitted by Wi-Fi routers can be used to identify individuals.
This identification method relies neither on facial features nor on voice, but on an individual's gait—that is, the unique way each person walks.
In our common understanding, Wi-Fi is merely a data transmission pipeline. As long as we disconnect from the network and turn off our phones, it knows nothing about us. But this perception is now being challenged: it's as if physical boundaries have been broken, and cyber data attacks can now deliver a real-world punch.
Wi-Fi signals are essentially electromagnetic waves. As they propagate through space and encounter objects, they undergo various changes—reflection, scattering, absorption, and so on. By analyzing these signal alterations, we can reconstruct the positional information of objects.
When a person enters this space, they affect the signal in a certain way. Moreover, each person's gait is distinctive. Therefore, when different individuals walk through a Wi-Fi coverage area, their bodies interfere with the existing signal in unique motion patterns. By analyzing these changes and differences in the signal, it becomes possible to determine who has entered the area.
In fact, the technology for constructing spatial information via Wi-Fi has been under continuous development. However, in the past, acquiring such information required not only specialized hardware but also modifications to the equipment. This time, the three paper authors discovered a simpler approach: using the BFI (beamforming feedback information) signal introduced with Wi-Fi 5, they could obtain this information.
The BFI was originally developed to improve Wi-Fi signal quality. Traditional routers broadcast signals equally in all directions, without the ability to focus signals toward the area where one's device is located. Wi-Fi 5, however, by continuously transmitting and recording BFI signals, can explore changes in the signal throughout the space, calculate the position of the device, and thereby "focus" the wireless signal into a directional beam aimed at it.
While previous Wi-Fi acted like a loudspeaker broadcasting in all directions, Wi-Fi 5 with BFI works more like a directional megaphone.
However, BFI signals are generally transmitted without encryption. The researchers found that with a simple setup, these data could be intercepted. By comparing the gait information of specific individuals, they could determine who had entered the space. In their experiments, the researchers even placed the receiving device in an adjacent room; although the recognition accuracy dropped slightly, the system could still accept data and complete the identification.
Having covered the unsettling aspects, let's now turn to some reassuring points. This technology is still in the laboratory stage, and there are significant hurdles to deploying it in the real world.
First is training data. To genuinely identify who you are, an attacker would need to pre-collect a substantial amount of walking data from you, with your identity already known, and use it to train a dedicated model. In other words, they would need your gait data first before they could match and identify you. At present, this requires considerable effort to specifically collect.
Second is the scalability issue. The experimental dataset in the paper consisted of 197 individuals—a relatively large sample size for academic research in this field. However, it remains unknown how well the identification performance would scale in an office building with thousands of people or a city subway station.
Compared to Wi-Fi-based identification, the more immediate threat to ordinary users like us remains the information security risks associated with public Wi-Fi. Some Wi-Fi dangers don't require laboratory-grade techniques: they are already happening in real life.
In April 2024, on a domestic flight in Australia, cabin crew noticed a suspicious Wi-Fi network whose name closely resembled the airline's official in-flight Wi-Fi.
The Australian Federal Police launched an investigation. In the suspect's carry-on luggage, they found a portable wireless access device, a laptop, and a mobile phone. Using these devices, he had set up a deceptive Wi-Fi network. Unfortunately, anyone who connected to this network and entered their "login email and password" could have their private data from online sites stolen.
This type of attack, known as an "Evil Twin," is neither new nor sophisticated. The attacker uses a portable device to create a fake hotspot with a name similar to or even identical to a legitimate public Wi-Fi network and boosts its signal strength to be stronger than the real one. When your phone or laptop selects a network, it follows the logic: "connect to the network with the strongest signal and the same name"—and so, you unknowingly connect to the fake one.
After connecting, you see a familiar "login page" asking you to enter your email or social media credentials to continue browsing. The suspect collected account passwords this way and then attempted to log into personal social networks to steal information.
As the investigation deepened, police discovered that the suspect hadn't only tampered with networks on that flight. Over a period of more than six years, he had set up similar traps at multiple airports and had stolen and copied over 700 photos and videos from the accounts of 17 women.
Although this technique is not complex, it can be highly deceptive in public settings. To protect your personal information when connecting to public Wi-Fi, there are several key principles to follow:
First, confirm the correct Wi-Fi name. When connecting to free Wi-Fi at airports, hotels, cafes, and similar places, always verify the correct network name with staff before connecting. Some networks with names like "Free xxxx" may not be officially provided.
Second, be wary of public Wi-Fi that requires personal information. Some Wi-Fi networks require login verification after connection. If a "free Wi-Fi" asks you to enter your email, phone number, and password to log in, that itself is a warning sign.
Third, disable the "auto-join network" feature on public Wi-Fi. When your phone remembers a network name like "Starbucks," it will attempt to connect whenever it encounters a hotspot with that name, anywhere. The problem is that anyone can set up a Wi-Fi network named "Starbucks"—not every one of them belongs to the coffee chain. When using public networks, you can turn off auto-join and manually connect each time you need to use it.
Finally, for highly sensitive operations such as money transfers or logging into important accounts, it's best to switch to cellular data.
Related News:
Deepline | The 'are you sure' benchmark: Why AI can't stop people-pleasing
Deepline | Jalapeño's here: OpenAI's first chip tastes spicy in more ways than one
Comment