// ref · indoor critical infrastructure

Wi-Fi for Indoor Critical Infrastructure

Wi-Fi is a real indoor connectivity layer and a genuine contributor to citizen emergency calling and indoor location. It is not, and under current fire and building code cannot be, the first-responder radio system. And the same ranging precision that makes Wi-Fi useful for emergency location is in direct tension with device privacy. Three things get conflated. This page separates them and names the governing body for each.

— Shankar K. · Last reviewed: June 2026 · See also: /bfi-privacy for the device-privacy attack surface and /governing-bodies for the standards-body map

// the claim, calibrated

"Wi-Fi for public safety" is three separate claims wearing one label. Carrying a 911 call indoors over Wi-Fi is a 3GPP and FCC matter, and Wi-Fi does contribute. Giving firefighters a working radio inside a concrete building is an NFPA 1225 and IFC 510 matter, and Wi-Fi is not eligible for it. Knowing where a device is to within a metre is an IEEE 802.11 ranging matter, and it is the same capability that lets a passive observer track that device. Keeping these straight is the whole job.

// the three things people conflate
Wi-Fi contributes Citizen emergency calling & indoor location
WHAT IT IS
A member of the public placing a 911/112 call indoors, and apps that need to know where a device is inside a building.
MECHANISM
VoWiFi / Wi-Fi Calling carries the voice call over IMS through an ePDG. For location, the FCC rules define the NEAD, which maps a Wi-Fi access point MAC address to a validated civic address; FTM ranging refines it.
GOVERNING BODY
VoWiFi is 3GPP (IMS/ePDG). The dispatchable-location obligation is FCC (47 CFR Part 9, with the NEAD and z-axis rules in § 9.10), not IEEE.
WI-FI ROLE
Genuine and complementary. Carrier- and device-dependent, and an access path plus a location source, not a replacement for the cellular core.

This is the leg where "Wi-Fi helps public safety" is true. A VoWiFi 911 call reaches the PSAP through the carrier IMS, and Wi-Fi infrastructure can supply the indoor location that the FCC mandate requires. None of this makes Wi-Fi the first-responder radio system, which is the next card.

code excludes Wi-Fi First-responder in-building radio (ERCES)
WHAT IT IS
An Emergency Responder Communication Enhancement System: a bi-directional amplifier plus distributed antenna system that keeps firefighter and police radios working inside a building.
BANDS
Public-safety land mobile radio: VHF, UHF, 700 MHz, 800 MHz. Optionally public-safety LTE (FirstNet Band 14) where the AHJ allows it.
GOVERNING BODY
NFPA 1225 (2022) and ICC IFC Section 510. Components must be UL 2524 listed; BDAs FCC-certified. Enforced by the AHJ.
WI-FI ROLE
None. Wi-Fi is not a code-eligible medium for this system and amplifying it would not satisfy any clause of NFPA 1225 or IFC 510.

NFPA 1225 is the current standard, published in 2022, consolidating and replacing NFPA 1221, NFPA 1061, and the emergency-communication portions of NFPA 72 Chapter 24. Many jurisdictions still say "ERRCS" because they adopt the IFC, which uses that term. The naming shift from ERRCS to ERCES was made to let an AHJ optionally fold in cellular and FirstNet frequencies, which only sharpens the point below.

the sharp version

Even the broadened ERCES definition, which now reaches toward LTE and FirstNet Band 14 under AHJ latitude, does not contemplate Wi-Fi. So "Wi-Fi DAS for first responders" sits outside the framework twice over: it is neither the licensed land mobile radio the code is built around, nor the public-safety LTE the code is starting to admit. A building can have flawless Wi-Fi and still fail its ERCES inspection, because they are answering different code sections.

partial / contested Priority & resilient comms for NS/EP
WHAT IT IS
Priority access for national security and emergency preparedness traffic, and resilient connectivity when other networks are down.
THE REGULATED FRAMEWORK
WPS and GETS, the recognised NS/EP priority programs, are run by CISA on cellular and wireline. Wi-Fi QoS, including WMM and 802.11 admission control, is not the same thing as regulated priority.
INDUSTRY POSITION
The WBA, an industry alliance rather than a standards body, positions OpenRoaming and Wi-Fi for mission-critical and emergency use in its 2025 reports.
WI-FI ROLE
Real as resilience and offload. Genuinely useful, but not a regulated priority mechanism, and worth not overstating.

Wi-Fi earns a legitimate place here as a resilience and offload layer, and the WBA work is worth reading. The honest framing is that it is industry positioning and engineering capability, not a regulated priority service of the kind WPS and GETS provide.

// what carries what -- governing-body map
Function Mechanism Governing body Wi-Fi does it?
Citizen 911 indoors VoWiFi (IMS / ePDG) 3GPP + FCC Yes, complementary
Dispatchable indoor location Location DB + FTM ranging FCC mandate; IEEE provides the tech Yes, real contribution
First-responder radio ERCES (BDA + DAS, LMR) NFPA 1225 / IFC 510 / UL 2524 / FCC No, not code-eligible
NS/EP priority comms WPS / GETS class CISA (WPS / GETS) No regulated equivalent
// indoor location -- the engine and its limits
FTM lineage 802.11mc → 802.11az → 802.11bk all IEEE; mc + az folded into 802.11-2024, bk-2025 is the later amendment
802.11mc (802.11-2016)
Fine Timing Measurement introduced. Round-trip-time ranging at roughly 1 to 2 metre accuracy. No protection of the ranging exchange.
802.11az-2022 NGP (publ. 2023)
Next Generation Positioning. Adds Secure LTF (AES-256-based PHY anti-spoofing) and optional Angle of Arrival. Sub-metre accuracy; centimetre-level only under ideal wide-bandwidth or mmWave conditions.
802.11bk-2025 (June 2025)
320 MHz Positioning. Extends FTM to 320 MHz channels to approach ultra-wideband accuracy, inheriting the 802.11az security mechanisms. Published after the 802.11-2024 roll-up.
ACCURACY LADDER
10 to 15 m (RSSI) → 1 to 2 m (mc FTM) → centimetre (az / bk, ideal). Each step buys precision; the privacy cost rises with it.
deployment reality (2026) The deployed thing is the insecure thing

802.11az is finalised, but commercial support for secure FTM remains limited and most mobile clients still do not implement it. So the ranging that is actually running in buildings today is mostly legacy 802.11mc, which is the unprotected, spoofable, and most trackable variant. The cm-accurate secure version exists on paper and on a handful of development platforms; the metre-accurate insecure version is what a capture will show. Plan around what is deployed, not what is ratified.

// the location / privacy tension

The capability that lets a building locate a 911 caller to within a metre is the same capability that lets a passive observer follow a device around. Worse, FTM exchanges expose features that fingerprint a client's hardware and firmware, so a randomized MAC address alone does not stop tracking. Two IEEE amendments exist specifically to address this, and they are the standards that matter most to anyone working on randomization in the field.

IEEE 802.11bh-2024

Published (Amendment 1, Operation with Randomized and Changing MAC Addresses, Sept 2024). Restores legitimate device continuity (onboarding, diagnostics, arrival detection) under a rotating MAC, via two methods: IRM, where the client tells the AP the MAC it will use next time, and Device ID, where the AP issues the client an identifier. This is the amendment that maps directly onto real-world randomization handling.

IEEE 802.11bi

Enhanced Data Privacy. Broader device-identity protection across the association lifecycle, including anti-fingerprinting. Still in development and at an early draft (around D1.0 in late 2025), so years from publication. Scope reaches beyond ranging into how much a passive observer can learn about a device over time.

802.11az Secure LTF

Protects the integrity of the ranging measurement against spoofing and man-in-the-middle distance manipulation. It hardens the measurement; it does not by itself make the act of being ranged private.

// the tradeoff, stated plainly

Accurate indoor location and strong device privacy pull against each other. Secure LTF protects the measurement, and 802.11bh and 802.11bi address identity, but in 2026 deployment this is a tradeoff to be managed, not a problem that is solved. The right answer is per-venue and per-use-case, and it starts with knowing which ranging variant is actually on the air.

// who this matters for
Mandate-driven -- ERCES applies regardless of Wi-Fi
  • ▸ High-rises and large commercial buildings
  • ▸ Hospitals and healthcare campuses
  • ▸ Hotels, schools, warehouses, large venues
  • ▸ Any structure that fails an in-building radio coverage survey under IFC 510
  • ▸ Driven by NFPA 1225 / IFC 510 and the AHJ, not by the Wi-Fi design
Where Wi-Fi is the right indoor layer
  • ▸ Citizen 911 access indoors via VoWiFi (carrier-dependent)
  • ▸ Dispatchable indoor location for the FCC obligation
  • ▸ Indoor wayfinding and asset / personnel location
  • ▸ Dense-venue connectivity and resilient offload
  • ▸ Privacy-sensitive deployments that must choose a ranging posture deliberately
// how to check a capture
1. Is ranging happening at all?
wlan.fixed.category_code == 4
FTM rides Public Action frames (Action management frame, category 4), not the Action No Ack subtype that carries beamforming feedback. This shows all Public Action traffic, ranging included.
2. Legacy mc FTM vs 802.11az
wlan.fixed.publicact == 0x20
wlan.fixed.publicact == 0x21
wlan.fixed.publicact == 0x2f
0x20 = FTM Request (initiation), 0x21 = FTM frame (legacy mc measurement), 0x2f = Location Measurement Report (the 802.11az mechanism carrying TOD/TOA). Seeing 0x2f indicates az-style ranging; 0x21 indicates the legacy variant.
3. List the ranging exchanges
tshark -r capture.pcap -Y "wlan.fixed.category_code==4 && wlan.fixed.publicact in {0x20 0x21 0x2f}" -T fields -e frame.time_relative -e wlan.sa -e wlan.da -e wlan.fixed.publicact
Pairs initiator and responder by address and timeline. Field availability depends on the dissector version; confirm against your Wireshark build.
// standards & regulatory map -- by body
IEEE

Ranging: 802.11mc (in 802.11-2016), 802.11az-2022 (in 802.11-2024), 802.11bk-2025 (320 MHz, later). Privacy: 802.11bh-2024 (published), 802.11bi (in development). Defines the location technology and the privacy mechanisms.

Wi-Fi Alliance (WFA)

Certification, including Passpoint, which underpins seamless venue connectivity. A certification body, not a standards-writing body.

WBA

Industry alliance. OpenRoaming, the Mission Critical / Emergency Services reports, and a forming Wi-Fi DAS project. Positioning and frameworks, not code or standards.

3GPP

VoWiFi / Wi-Fi Calling via IMS and the ePDG. The reason a 911 call can traverse Wi-Fi to the carrier core at all.

FCC

E911 dispatchable-location obligation (47 CFR Part 9), 6 GHz AFC, and BDA certification. The regulator behind both the location mandate and the public-safety amplifier rules.

NFPA / ICC / UL / FirstNet

NFPA 1225 and ICC IFC 510 set the ERCES requirement; UL 2524 lists the components; FirstNet Band 14 is the public-safety LTE an AHJ may admit. None of this is Wi-Fi.

// what to watch (june 2026 forward)
  • ▸ IEEE 802.11bi (Enhanced Data Privacy) -- progress from early draft toward ballot; how far it narrows passive trackability
  • ▸ 802.11az secure-FTM client adoption -- whether the secure variant displaces legacy mc in shipping devices
  • ▸ WBA Wi-Fi DAS project -- first deliverables, and whether they keep the citizen-vs-responder distinction clean
  • ▸ NFPA 1225 2027 edition -- any movement on cellular / FirstNet scope, still no Wi-Fi path expected
  • ▸ FCC PS Docket 07-114 -- the 2025 Sixth FNPRM on tightening wireless E911 location accuracy
  • ▸ International equivalents -- UK Emergency Services Network and EU in-building obligations as comparison points
// references
IEEE Std 802.11-2024 -- base standard (incorporates 802.11mc FTM and 802.11az-2022)
IEEE Std 802.11bh-2024 -- Operation with Randomized and Changing MAC Addresses (IEEE SA)
IEEE Std 802.11bk-2025 -- 320 MHz Positioning (June 2025)
FTM positioning survey -- Indoor Positioning with Wi-Fi Location -- arXiv 2509.03901 -- Sept 2025 -- arxiv.org/abs/2509.03901
Secure Wi-Fi Ranging Today (802.11az / bk) -- arXiv 2603.18687 -- Mar 2026 -- arxiv.org/abs/2603.18687
Wi-Fi: Twenty-Five Years and Counting (bh / bi / bk status) -- arXiv 2507.09613 -- Dec 2025 -- arxiv.org/abs/2507.09613
IETF RFC 9724 -- State of Affairs for Randomized and Changing MAC Addresses -- Mar 2025 -- datatracker.ietf.org/doc/rfc9724
IEEE SA -- 802.11az Next Generation Positioning announcement -- standards.ieee.org
NFPA 1225 -- Standard for Emergency Services Communications (2022; 2027 ed. forthcoming) -- nfpa.org
ICC IFC Section 510 -- Emergency Responder Communications Enhancement Systems -- up.codes
ANSI/CAN/UL 2524:2024 -- In-Building 2-Way Emergency Radio Communication Enhancement Systems (UL Solutions)
FCC -- E911 dispatchable location / NEAD, 47 CFR Part 9 § 9.10 (eCFR)
WBA -- Mission Critical & Emergency Services reports, 2025 -- wballiance.com
Qualcomm -- Wi-Fi Ranging white paper -- qualcomm.com
// share this page
// also on this site
ref
BFI Privacy Risk
ref
Wi-Fi Sensing (802.11bf)
ref
Governing Bodies
← previous
ref
WLAN Requirements
next →
ref
Vendor Feature Map
SK
Shankar K., Wi-Fi engineer, Irving TX
Building WiFi Analyser V2 · CWNA-109 in progress · one post every two weeks
// leave a comment