Plaintext CBR: the Wi-Fi frame PMF doesn't protect
"The label is the least useful thing in the conversation."
Not because the mechanism does not matter. It absolutely does. But engineers who read that beamforming improves throughput and move on are missing what is actually leaving their AP every three seconds.
What is actually in the frame
Your AP needs to know the channel. To steer its signal toward a client, it sends a training packet — a Null Data Packet with no payload, just training symbols. The client measures how it arrived and sends back a compressed summary. That summary is the Compressed Beamforming Report. It contains quantized Givens rotation angles encoding the spatial relationship between the client antenna and the AP across every subcarrier. The AP uses it to compute a steering matrix. Then it repeats this every few seconds for every associated client.
That measurement encodes the geometry of the room. Including you.
What the research found
Researchers at the Karlsruhe Institute of Technology demonstrated that these frames alone are sufficient to identify individuals with 99.5% accuracy across 197 subjects, across walking styles, across angles. No camera. No wearable. No device on the person being identified. Other people's phones generate the frames. Your body perturbs the channel. The perturbation is encoded in every report.
The frame is transmitted unencrypted by design. PMF does not protect it. WPA3 does not encrypt it. Any adapter in monitor mode on the same channel captures every report from every client simultaneously — no association, no password, no permission required.
What the capture shows
Captured from a Wiz smart bulb. WPA3-SAE, PMF Required, Wi-Fi 7 AP. The bulb sent an EHT Compressed Beamforming Report — Category 36, 53 bytes — in plaintext.
One detail worth knowing before you open the PCAP. IEEE 802.11 defines these as Action No Ack frames — subtype 14. Some firmware ships that way. On the GL-BE9300 running Qualcomm firmware, every EHT CBR came back as subtype 13 — Action with ACK. The filter everyone uses found nothing. The spec describes the intent. The firmware decides what ships.
The filter
This is what the spec says. On this capture it returns zero results.
This is what works. Find frame 2765.
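The subtype mismatch described above can be checked offline with a small classifier. This is an added example, not code from the original post: it flags unprotected beamforming reports whether they arrive as subtype 13 or 14. The names `classify`, `audit` and `make_frame` are hypothetical, the sample frames are constructed, and action value 0 for the EHT category is an assumption.

```python
# Category codes: 21 = VHT (IEEE 802.11), 36 = EHT (the value this page reports).
# Action value 0 = Compressed Beamforming; for EHT that is an assumption here.
CBR_ACTIONS = {(21, 0): "VHT CBR", (36, 0): "EHT CBR"}
ACTION, ACTION_NO_ACK = 13, 14          # management subtypes


def classify(frame: bytes):
    """Classify one 802.11 frame (radiotap stripped): (label, subtype) for a
    plaintext report, ("protected", subtype) if encrypted, else None."""
    if len(frame) < 24:
        return None
    fc0, fc1 = frame[0], frame[1]
    ftype, subtype = (fc0 >> 2) & 0x3, fc0 >> 4
    if ftype != 0 or subtype not in (ACTION, ACTION_NO_ACK):
        return None
    if fc1 & 0x40:                      # Protected Frame bit: body is ciphertext
        return ("protected", subtype)
    body = 24 + (4 if fc1 & 0x80 else 0)  # +HTC bit set: 4-byte HT Control follows
    if len(frame) < body + 2:
        return None
    label = CBR_ACTIONS.get((frame[body], frame[body + 1]))
    return (label, subtype) if label else None


def make_frame(subtype, category, action, protected=False):
    """Build a constructed sample frame: 24-byte MAC header plus dummy body."""
    fc = bytes([subtype << 4, 0x40 if protected else 0x00])
    header = fc + b"\x00\x00" + b"\x02" * 18 + b"\x00\x00"
    return header + bytes([category, action]) + b"\xaa" * 16


def audit(frames, subtypes=(ACTION, ACTION_NO_ACK)):
    """Return plaintext CBR hits, looking only at the given subtypes."""
    hits = [classify(f) for f in frames]
    return [h for h in hits if h and h[0] != "protected" and h[1] in subtypes]


# Constructed samples, not taken from wiz_capture.pcap.
SAMPLES = [
    make_frame(ACTION, 36, 0),                  # EHT CBR sent as subtype 13
    make_frame(ACTION_NO_ACK, 21, 0),           # VHT CBR sent as subtype 14
    make_frame(ACTION, 36, 0, protected=True),  # PMF-protected action frame
    make_frame(8, 0, 0),                        # beacon: ignored
]

if __name__ == "__main__":
    print("subtype 14 only:", audit(SAMPLES, subtypes=(ACTION_NO_ACK,)))
    print("subtypes 13+14: ", audit(SAMPLES))
```

Restricting the audit to subtype 14 drops the EHT report, which is the same miss the spec-based filter produces on this capture.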
What you can do today
There is no patch for this. The frame has to be unencrypted — the AP needs it before the encryption context exists. A differential-privacy quantizer has been proposed in research (December 2025) that adds calibrated noise to the Givens angles while preserving the same bit-width output. Less than 1 dB beamforming gain loss in simulation. No commercial AP firmware has shipped it as of this month.
Disable explicit beamforming on the AP if the deployment is sensitive. Throughput at range will drop. That is the current trade-off.
wiz_capture.pcap — 6,164 frames, channel 6, 2.4 GHz. WPA3-SAE network. Contains EHT CBR (frame 2765), VHT CBR (frame 5389), and PMF-encrypted action frames for contrast. Open in Wireshark.