Researchers at the Karlsruhe Institute of Technology (KIT) in Germany have demonstrated that ordinary Wi-Fi routers can identify people by their walking patterns with 99.5% accuracy, even when those people carry no device at all. The research, presented at the ACM Conference on Computer and Communications Security in Taipei, introduces an attack called BFId that exploits an overlooked feature built into every modern Wi-Fi network.

No password. No physical access to the router. No special hardware. Just a laptop or a Raspberry Pi placed nearby.
What Is BFId and How Does It Work
Wi-Fi 5 and later versions use a technique called beamforming to improve signal strength and stability. When a device connects to a router, it regularly sends back Beamforming Feedback Information (BFI) packets. These packets tell the router how the signal traveled through the surrounding environment so the router can focus its transmission more efficiently.
The critical problem is that BFI packets travel through the air completely unencrypted. Any device with a standard Wi-Fi card can capture them without joining the network, without knowing the Wi-Fi password, and without any special equipment.
When a person walks through the Wi-Fi signal field, their body disrupts the radio waves. That disruption creates a distinct pattern tied to how the individual moves. The BFId attack captures these disruptions from BFI packets and feeds them into a machine learning model trained to recognize individual walking signatures.
Test Results: 99.5% Accuracy Across 197 People
The KIT team ran controlled tests with 197 participants. The BFId system identified individuals with 99.5% accuracy across different walking styles and observation angles. Once the model trains on a person’s movement pattern, identification takes only a few seconds per pass.
To connect a walking pattern to a real identity, an attacker needs one additional data point. A single ping from a phone previously associated with that person completes the match. After that initial link forms, the system recognizes the person even when they carry no device at all.
No Special Hardware Required
Earlier Wi-Fi sensing research relied on Channel State Information (CSI), which required specialized hardware most attackers could not easily obtain. BFId requires only a standard Wi-Fi card.
A laptop or a Raspberry Pi hidden inside an office, store, or public space can run this attack passively without drawing any attention. The monitoring device does not connect to the target network. It only needs to sit within physical range of the BFI signals flowing through the air.
As researcher Felix Morsbach notes, Wi-Fi networks exist in almost every home, office, restaurant, and public space today. Unlike CCTV cameras or video doorbells, a passive Wi-Fi listening device raises no visual suspicion and leaves no trace of its presence.
What the Researchers Warn
“This technology turns every router into a potential means for surveillance,” says Julian Todt from KIT’s KASTEL security research center. “If you regularly pass by a café that operates a Wi-Fi network, you could be identified there without noticing it and be recognized later, for example by public authorities or companies.”
Professor Thorsten Strufe draws the comparison directly: the system works like a camera, but uses radio waves instead of light. Switching off your own phone or tablet does not protect you. As long as other Wi-Fi devices in your surroundings remain active and connected, the attack continues to work.
The researchers flag a particularly serious concern for authoritarian states, where this technology could track protesters or dissidents without any visible surveillance infrastructure in place.
How BFId Fits Into the Broader Threat Landscape
BFId is not an isolated discovery. It joins a growing category of attacks that turn everyday, trusted technology into a weapon against the people who use it.
Ransomware attacks increasingly exploit built-in system features rather than deploying exotic tools. Threat actors have demonstrated how supply chain attacks compromise software that users already trust. Malware campaigns now target critical infrastructure through components that were never designed with adversarial use in mind.
BFId follows the same pattern. Beamforming feedback was designed to make Wi-Fi faster. The researchers found it also creates an invisible, passive surveillance channel that operates below the awareness of most users and administrators.
“The omnipresent wireless networks might become a nearly comprehensive surveillance infrastructure with one concerning property: they are invisible and raise no suspicion,” Morsbach warns.
What Needs to Change at the Standard Level
The KIT team calls for protective measures in the upcoming IEEE 802.11bf Wi-Fi standard, which specifically incorporates Wi-Fi sensing capabilities into the specification. Without encryption or access controls on BFI data, that standard could formalize and expand a privacy risk that already exists in every Wi-Fi 5 and later network worldwide.
The researchers propose that BFI packets receive the same encryption protections as other sensitive Wi-Fi communications. Without that change, the threat applies to the vast majority of modern routers already deployed in homes and businesses, requiring no action from attackers to reach their targets.
What You Can Do Right Now
No firmware patch currently blocks BFI packet interception. The vulnerability sits inside the Wi-Fi standard itself, not in any specific router model or manufacturer.
Until the IEEE 802.11bf standard addresses BFI privacy, these steps reduce your exposure:
- Disable beamforming on your router: Some router admin panels expose a beamforming toggle, particularly on enterprise-grade hardware. Turning it off stops your router from using BFI, though not all consumer routers offer this option.
- Use Wi-Fi 4 (802.11n) devices in sensitive spaces: Beamforming feedback applies to Wi-Fi 5 and later. Older 802.11n hardware does not generate BFI packets.
- Treat public Wi-Fi spaces as passive surveillance zones: Cafés, airports, retail stores, and office buildings running Wi-Fi 5 or Wi-Fi 6 networks can all serve as monitoring points for anyone running BFId nearby.
- Follow IEEE 802.11bf standard development: Privacy-focused amendments to the upcoming standard represent the most effective long-term fix. Supporting those efforts through industry and policy channels matters.
Understand that leaving your phone at home does not protect you. The BFId attack requires only the Wi-Fi infrastructure already present in the environment, not any device you carry.
Research Summary: BFId by the Numbers
| Detail | Information |
|---|---|
| Attack name | BFId (Beamforming Feedback Identity) |
| Research institution | Karlsruhe Institute of Technology (KIT), Germany |
| Accuracy | 99.5% across 197 participants |
| Hardware required | Standard Wi-Fi card (laptop or Raspberry Pi) |
| Network access required | None |
| Wi-Fi versions affected | Wi-Fi 5 (802.11ac) and later |
| Presented at | ACM CCS 2025, Taipei |
