// ref · bfi privacy risk

BFI Privacy Risk

Three published attacks. One root cause. Every Wi-Fi 5, 6, 6E, and 7 client continuously broadcasts a spatial fingerprint of its physical environment -- in plaintext -- as part of the standard beamforming procedure. This page maps the attack surface, assesses enterprise exposure, and documents what mitigations currently exist.

— Shankar K. · Last reviewed: May 2026 · See also: /beamforming-sounding for the protocol mechanics

// root cause -- one sentence

IEEE 802.11 requires beamformee clients to transmit Compressed Beamforming Reports (CBR) to the AP as plaintext Action No Ack frames -- there is no provision in the standard to encrypt them -- and these frames contain quantized channel measurements that encode the geometry and movement of everything in the RF path, including people.

// the bfi attack family -- three papers, one plaintext frame
BFId -- Identity Inference · ACM CCS 2025 · KIT KASTEL · DOI: 10.1145/3719027.3765062
WHAT IT DOES
Identifies individuals from BFI alone using a recurrent neural network on raw Givens angle time series.
ACCURACY
99.5% +/- 0.38% on 197 subjects. Works across walking styles and perspectives.
HARDWARE NEEDED
Any Wi-Fi adapter in monitor mode. No association, no modified drivers, no MITM required.
TARGET DEVICE REQUIRED?
No. The person being identified does not need to carry any device. Other associated clients generate the BFI that encodes room occupancy.

The key advantage over CSI-based methods: one passive monitor captures BFI from all associated clients simultaneously, providing multiple spatial perspectives of the same scene. At 197 subjects, BFId outperforms per-client CSI approaches precisely because of this multi-perspective aggregation. Training time is under one minute per subject on a standard GPU; inference takes seconds per identification.

why this works -- common question answered

Wi-Fi cannot reconstruct a 3D skeleton. A 5 GHz antenna array (~10 cm aperture) has ~35° angular resolution -- insufficient to resolve body joints separated by 10-30 cm. BFId does not attempt 3D reconstruction. It trains an RNN directly on the φ/ψ angle time series. Gait identity does not require knowing where the knee is -- it requires recognising the person-specific perturbation pattern that the knee movement produces in the SVD decomposition, repeated at 0.8-1.2 Hz. That pattern is stable, compressible, and person-unique.

Wireshark filter: wlan.fc.type == 0 && wlan.fc.subtype == 14
Supporting: WhoFi (La Sapienza University, arXiv 2507.12869, July 2025) demonstrated that the SNR magnitude field (Λ) in the CBR frame body -- independent of the Givens rotation angles -- also carries biometric identity information. The BFI frame contains at least two statistically sufficient biometric signals per transmission.
LeakyBeam -- Occupancy Detection · NDSS 2025 · Privacy Implications of Plaintext BFI
WHAT IT DOES
Detects whether a room is occupied by monitoring BFI variation from a sniffer outside the building.
RANGE
Demonstrated at 20 metres from target residence through exterior walls.
ACCURACY
82.7% true positive rate, 96.7% true negative rate across eight APs and multiple deployment conditions.
REAL-WORLD RISK
Burglary planning, stalking, executive schedule inference, corporate facility monitoring.

LeakyBeam also proposes a defence: AP-based spatial-temporal obfuscation of BFI packets with minimal overhead. This is currently the only published hardware-light mitigation with a working implementation and measured performance data.

WiKI-Eve -- Keystroke Eavesdropping · ACM CCS 2023 · DOI: 10.1145/3576915.3623088
WHAT IT DOES
Infers individual keystrokes on smartphones by observing BFI variation caused by finger movement near the antenna.
ACCURACY
88.9% per-keystroke accuracy. Up to 65.8% top-10 accuracy for full password inference on mobile applications.
MECHANISM
Typing on a smartphone moves fingers near the Wi-Fi antenna. Each keypress creates a distinctive BFI perturbation pattern that is broadcast in plaintext.
PRECONDITION
Target device must be connected to a beamforming-capable AP. Attacker needs a device on the same channel in monitor mode.

WiKI-Eve uses an adversarial learning scheme to generalise across unseen typing styles and devices. The attack targets the same unencrypted BFI stream as BFId and LeakyBeam -- no new access mechanism required.

// attack surface comparison
Attack     | What is inferred                  | Requires target device?                           | Attacker hardware               | Year
-----------|-----------------------------------|---------------------------------------------------|---------------------------------|-----
BFId       | Person identity (gait-based)      | No -- person need not carry device                | Any Wi-Fi adapter, monitor mode | 2025
LeakyBeam  | Room occupancy (presence/absence) | No -- any associated client generates signal      | Any Wi-Fi adapter, 20 m range   | 2025
WiKI-Eve   | Keystrokes, passwords             | Yes -- target must be typing on associated device | Any Wi-Fi adapter, same channel | 2023

// enterprise exposure assessment

Whether your environment is exposed depends on three factors: whether beamforming is enabled, whether an adversary could position a passive monitor within range, and whether the information inferable from your BFI stream has value to an adversary.

High exposure
  • ▸ Open office with Wi-Fi 5/6/7 APs and no physical perimeter control
  • ▸ Shared-building deployments (retail, co-working, hospitality)
  • ▸ Conference rooms with regular sensitive meetings and Wi-Fi-connected laptops
  • ▸ Facilities where personnel identity or schedule is sensitive (government, finance, healthcare)
  • ▸ Any environment where an adversary can park a vehicle or linger within 20-50m
  • ▸ 3 or more clients simultaneously sounding the same AP -- multi-perspective BFI aggregation outperforms single-client CSI (BFId §IV: independent spatial measurements of the same moving body)
Lower exposure
  • ▸ Beamforming disabled on AP (trades throughput for privacy)
  • ▸ Wired-only network segments for sensitive workstations
  • ▸ Physically secure perimeter preventing passive monitoring within range
  • ▸ Wi-Fi 4 (802.11n) -- does not use explicit compressed beamforming
  • ▸ Fewer than 3 simultaneously sounding clients -- multi-perspective aggregation requires ≥3 concurrent CBR reporters to exceed single-client CSI accuracy
// how to check your own environment
1. Confirm beamforming is active
wlan.fc.type == 0 && wlan.fc.subtype == 14
If you see large (1-4 KB) Action No Ack frames from clients, beamforming sounding is active. Count by source MAC to see which clients are reporting.
2. Identify EHT (Wi-Fi 7) vs HE (Wi-Fi 6) vs VHT (Wi-Fi 5)
wlan.action.category == 36
wlan.action.category == 30
wlan.action.category == 21
Category 36 = EHT, 30 = HE, 21 = VHT. All three are equally privacy-relevant. BFId achieved 99.5% on Wi-Fi 5/6 (VHT/HE) hardware; by the Shannon rate-distortion argument, quantization preserves a constant fraction of the mutual information with person identity regardless of spatial stream count.
3. Measure sounding rate
tshark -r capture.pcap -Y "wlan.fc.type==0 && wlan.fc.subtype==14" -T fields -e frame.time_relative -e wlan.sa | sort -n
Typical: 2-10 Hz per client. Even 0.3 Hz over 30 seconds is sufficient for identification. Nyquist-Shannon does not help here: the gait identity signal sits at 0.8-1.2 Hz, but pattern recognition (not waveform reconstruction) works below the Nyquist rate, and mutual information with identity accumulates over time regardless of the sounding rate.
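As an added example (not from this page or the cited papers), a short Python audit for the three checks above: it takes the tshark fields export from step 3, extended with wlan.action.category and frame.len, and reports per-client sounding category and rate plus whether three or more clients are sounding concurrently. The field order, the 200-byte minimum CBR size and the sample capture lines are assumptions constructed for this example; the field names follow the page's filters.

```python
# Added example: audit CBR sounding from a tshark fields export. Assumed capture command:
#   tshark -r capture.pcap -Y "wlan.fc.type==0 && wlan.fc.subtype==14" -T fields \
#       -e frame.time_relative -e wlan.sa -e wlan.action.category -e frame.len
from collections import defaultdict

CATEGORY_NAMES = {21: "VHT (Wi-Fi 5)", 30: "HE (Wi-Fi 6/6E)", 36: "EHT (Wi-Fi 7)"}  # page: CBR categories
MIN_CBR_LEN = 200              # bytes; assumed floor to drop small non-CBR Action No Ack frames
MULTI_PERSPECTIVE_CLIENTS = 3  # page: >=3 concurrent reporters enable multi-perspective aggregation

# Constructed sample of tshark output (tab-separated): time, source MAC, category, length.
# The category-5 line is a non-CBR Action No Ack frame and must be ignored.
SAMPLE = """\
0.000\t02:00:00:00:00:01\t30\t1843
0.110\t02:00:00:00:00:02\t21\t1312
0.250\t02:00:00:00:00:01\t30\t1843
0.300\t02:00:00:00:00:03\t36\t3962
0.400\t02:00:00:00:00:04\t5\t58
0.500\t02:00:00:00:00:01\t30\t1843
0.610\t02:00:00:00:00:02\t21\t1312
0.750\t02:00:00:00:00:01\t30\t1843
0.800\t02:00:00:00:00:03\t36\t3962
1.000\t02:00:00:00:00:01\t30\t1843
1.300\t02:00:00:00:00:03\t36\t3962
"""

def parse_cbr_lines(text):
    """Yield (time, mac, category) for lines that look like CBR frames; skip the rest."""
    for line in text.splitlines():
        parts = line.split("\t")
        if len(parts) != 4:
            continue
        try:
            t, mac, cat, length = float(parts[0]), parts[1], int(parts[2]), int(parts[3])
        except ValueError:
            continue
        if cat in CATEGORY_NAMES and length >= MIN_CBR_LEN:
            yield t, mac, cat

def sounding_report(text):
    """Per-client CBR count, beamforming category and sounding rate, plus an exposure flag."""
    by_client = defaultdict(list)
    for t, mac, cat in parse_cbr_lines(text):
        by_client[mac].append((t, cat))
    clients = {}
    for mac, frames in by_client.items():
        times = [t for t, _ in frames]
        span = times[-1] - times[0]
        rate = (len(times) - 1) / span if span > 0 else 0.0  # CBRs per second, first to last
        clients[mac] = {"frames": len(times), "category": CATEGORY_NAMES[frames[0][1]], "rate_hz": round(rate, 2)}
    # >=3 clients sounding the same AP is the high-exposure condition from the assessment above
    return {"clients": clients, "multi_perspective": len(clients) >= MULTI_PERSPECTIVE_CLIENTS}
```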
// mitigations -- current status (may 2026)
available now · Disable beamforming

Disabling explicit beamforming on the AP stops CBR frames entirely. Cost: reduced throughput (typically 10-30% at range) and potential MU-MIMO degradation. Supported in most enterprise AP management consoles under MIMO / beamforming settings.

available now · Wired isolation for sensitive workloads

Wired Ethernet generates no BFI. High-sensitivity workstations in secure areas should use wired connections. This eliminates the attack surface entirely for those devices.

research only · Differential-privacy quantizer

arXiv 2512.18529 (Dec 2025) proposes adding calibrated noise to Givens angles at quantization time. Standards-compatible output (same bit-width), epsilon-DP guarantee, less than 1 dB beamforming gain loss in simulation. No firmware implementation as of May 2026.

research only · LeakyBeam AP obfuscation

AP-based spatial-temporal obfuscation of BFI packet timing and content. Proposed in LeakyBeam (NDSS 2025) with working implementation and measured performance. Requires AP firmware support; not shipped in any commercial AP as of May 2026.

not in standard · BFI encryption

CBR frames are Action No Ack management frames (type=0, subtype=14). PMF (802.11w) management frame encryption covers Deauthentication, Disassociation, and specific Action frame categories -- but not Action No Ack frames carrying CBR. Encrypting BFI requires a standards amendment explicitly adding CCMP protection to this frame type. No such amendment exists in 802.11be-2024 or 802.11bf-2025.

no response yet · Vendor firmware mitigations

No major AP vendor (Cisco, Aruba, Juniper Mist, Ruckus, Ubiquiti) had shipped a BFI privacy mitigation as of May 2026. The BFId authors called for IEEE 802.11bf to include privacy safeguards; no standard amendment has been published.

// standards response
IEEE 802.11-2024 (Wi-Fi 7 base)

No BFI privacy provisions. CBR frames remain plaintext Action No Ack frames by design. The standard was ratified before BFId was published.

IEEE 802.11bf (sensing, Sept 2025)

Ratified September 2025. The BFId authors explicitly called for 802.11bf to include BFI privacy safeguards. The ratified standard does not include mandatory BFI obfuscation. 802.11bf defines Sensing Measurement Report frames as a separate mechanism; the beamforming BFI attack surface predates and is independent of 802.11bf sensing.

WFA certification

Wi-Fi CERTIFIED 7 requires beamforming support. No privacy test case for BFI content in the certification program as of May 2026.

// what to watch (may 2026 forward)
  • ▸ AP vendor firmware updates mentioning BFI privacy, sounding rate limiting, or beamforming obfuscation
  • ▸ IEEE 802.11 TGbi (Enhanced Privacy Protection) -- final SA ballot as of May 2026; scope broader than BFI but could address CBR frame protection
  • ▸ GDPR / ePrivacy enforcement actions in EU citing Wi-Fi sensing as personal data processing
  • ▸ Extension of BFId to EHT 320 MHz captures -- larger BFI payload = richer identity signal
  • ▸ BeamCraft (ACM MobiCom 2024) -- separate but related: BFI forgery to manipulate AP steering decisions (integrity attack, not just passive eavesdropping)
// references
BFId -- Todt, Morsbach, Strufe -- ACM CCS 2025 -- DOI: 10.1145/3719027.3765062
LeakyBeam -- Privacy Implications of Plaintext BFI -- NDSS 2025 -- ndss-symposium.org
WiKI-Eve -- Hu, Wang, Zheng et al. -- ACM CCS 2023 -- DOI: 10.1145/3576915.3623088
DP BFI Quantizer -- arXiv 2512.18529 -- Dec 2025 -- arxiv.org/abs/2512.18529
BeamCraft -- BFI Forgery Attack -- ACM MobiCom 2024 -- DOI: 10.1145/3636534.3690669
IEEE 802.11be-2024 -- Sec. 9.4.1.51 (EHT MIMO Control) -- standards.ieee.org
WhoFi -- Avola, Pannone, Montagnini, Emam -- La Sapienza -- arXiv 2507.12869 -- July 2025 -- arxiv.org/abs/2507.12869
Shankar K., Wi-Fi engineer, Irving TX
Building WiFi Analyser V2 · CWNA-109 in progress · one post every two weeks