Researchers at the Karlsruhe Institute of Technology (KIT) in Germany have demonstrated that ordinary Wi-Fi routers can identify people by their walking patterns with 99.5% accuracy, even when those people carry no phone or device at all. The attack, called BFId, requires no special hardware, no physical access to the router, and no Wi-Fi password. Any standard Wi-Fi device placed in the same physical space can execute it silently.

This is not a theoretical vulnerability. The research team ran tests on 197 volunteers and presented the results at the ACM Conference on Computer and Communications Security (CCS 2025) in Taipei.
What Is BFI and How Does It Turn Your Router Into a Spy
Wi-Fi 5 (802.11ac) introduced a feature called beamforming. Instead of broadcasting signals in every direction equally, the router focuses its radio waves toward connected devices for stronger, faster connections.
To make beamforming work, connected devices regularly send feedback back to the router. This feedback is called Beamforming Feedback Information, or BFI. It tells the router how the radio signal is traveling through the space so the router can adjust its beam direction and improve performance.
The critical problem: BFI packets travel through the air completely unencrypted. Any device with a standard Wi-Fi card can read them. No password, no authentication, no special access is needed. The packets are just there, open, flowing through walls and across rooms.
How the BFId Attack Tracks You Through Walls Without Touching Your Router
When a person walks through a space, their body disrupts the Wi-Fi radio waves traveling between connected devices and the router. Each disruption changes the BFI packets that devices send back. The shape of these changes forms a pattern tied to how a specific person walks, their body size, their movement style.
An attacker places a listening device in the target space. This can be a laptop or even a low-cost Raspberry Pi. The device passively records BFI packets without connecting to the network or triggering any alerts. A machine-learning model then analyzes the disruption patterns and matches them to known individuals.
Once the model is trained, identification takes only a few seconds per pass. Critically, the target does not need to carry any device. Their presence alone, walking through a room with active Wi-Fi, generates enough signal disruption to identify them.
“By observing the propagation of radio waves, we can create an image of the surroundings and of persons who are present,” said Professor Thorsten Strufe from KASTEL, KIT’s Institute of Information Security and Dependability. “This works similar to a normal camera, the difference being that in our case, radio waves instead of light waves are used for the recognition.”
99.5% Accuracy: What KIT Researchers Discovered About BFId
The research team recruited 197 volunteers and set up listening points along a path each participant walked. The BFId system identified individuals with 99.5% accuracy, across different walking styles and from different observation angles.
To link a BFI signature to a real name, an attacker needs one initial connection. For example, if a target’s phone has previously connected to a Wi-Fi network in the space, the attacker can match that device ping to the BFI walking pattern. After that initial match, the target can be tracked without ever carrying a device again.
Julian Todt, one of the researchers, described the real-world implication directly: “If you regularly pass by a café that operates a Wi-Fi network, you could be identified there without noticing it and be recognized later, for example by public authorities or companies.”
The full research paper is available at the KIT publication repository.
Why Every Wi-Fi Router Near You Is Now a Silent Surveillance Device
Previous Wi-Fi sensing attacks relied on channel state information (CSI), which required specialized hardware to capture. BFId uses only BFI packets, which any off-the-shelf Wi-Fi device can receive. That lowers the barrier for this attack dramatically.
Felix Morsbach, another researcher on the team, noted that easier surveillance methods already exist, such as CCTV cameras and video doorbells. But Wi-Fi networks carry a uniquely dangerous property: they are invisible and raise no suspicion. Nearly every home, office, restaurant, and public space operates a Wi-Fi network today. That ubiquity means the attack surface is essentially everywhere.
The researchers specifically flagged risks in authoritarian states, where governments could deploy this technology to identify and track protesters without installing visible cameras or requiring phone location data.
A hidden listening device in an office could tell an adversary exactly who came to work each day. A device placed near a political event could log every attendee. A corporate competitor could confirm who visited a rival’s headquarters. None of these scenarios require any cooperation from the router owner or the targets.
What You Can Do Right Now
No software patch can fix BFId today. The vulnerability sits in the Wi-Fi standard itself, not in any specific router firmware. That means router updates will not help.
Here is what you can do to reduce your exposure:
- Understand your environment: Public Wi-Fi spaces carry the highest risk. Cafes, airports, coworking spaces, and retail stores all operate Wi-Fi networks that BFId could exploit.
- Use a VPN for traffic protection: A VPN does not block BFI-based tracking directly, but using a VPN to protect yourself from hackers and scammers reduces your overall digital footprint in hostile environments. If you use VPNs regularly, understanding how to choose a no-logs VPN ensures you are not trading one privacy risk for another.
- Limit unnecessary device connections: Fewer devices connected to public networks means fewer BFI packets associated with your presence. Use mobile data in sensitive spaces when possible.
- Be aware of physical spaces: If you are in an environment where surveillance is a concern, knowing that Wi-Fi routers present in the space can act as passive tracking devices changes how you should think about your movements.
For people who rely on VPNs heavily, VPN split tunneling for online banking is a useful technique to keep sensitive traffic protected without disrupting other connections.
What Needs to Change in Wi-Fi Standards
The KIT research team calls for privacy protections in the upcoming IEEE 802.11bf Wi-Fi standard, which is specifically designed to formalize Wi-Fi sensing capabilities. Without built-in protections, 802.11bf could make BFId-style attacks easier to execute at scale.
The researchers propose encrypting or otherwise protecting BFI packets so that only the intended router can read them. This change at the protocol level would close the attack vector that BFId exploits.
The project received funding under the Helmholtz Engineering Secure Systems program. The full KIT press release covers the broader implications the team identified.
Until the Wi-Fi standard changes, every router running Wi-Fi 5 or later is a potential passive surveillance device. That covers most routers manufactured in the last several years. The BFId attack does not require a nation-state adversary or expensive equipment. It requires a laptop, the right software, and physical proximity to a Wi-Fi network.
Related Guides
