
Researchers “see” through walls using ambient Wi-Fi signals and a smartphone - prostoalex
https://www.technologyreview.com/s/612375/using-wi-fi-to-see-behind-closed-doors-is-easier-than-anyone-thought/
======
rl3
2016:
[https://www.schneier.com/blog/archives/2016/08/keystroke_rec...](https://www.schneier.com/blog/archives/2016/08/keystroke_recog.html)

It's not much of a stretch to imagine that intelligence agencies have been
heavily invested in this area and are far ahead of public research, given
signals intelligence has basically been their bread and butter since forever.
Moreover, Stuxnet was so advanced for the time that its existence stunned the
world.

Keystrokes can be captured indirectly via audio analysis, electromagnetic
emissions from wiring, and now RF imaging techniques looking at finger
movements. Wouldn't be surprised if they can create multi-modal composite
models to attain higher accuracy, or if RF imaging is able to capture lip/jaw
movements these days.

The really sexy part is probably what they're able to do with fixed wing
airborne platforms, where you can afford to pack ridiculously high-end sensors
and local computing power on board.

It still weirds me out to think that a gimmick from 2008's _The Dark Knight_
is more or less a reality now, or will be soon if it already isn't.

~~~
kopo
Who cares?

They were busy snoring when it came to 9/11. Fake WMDs, never ending wars
against goat herders, Snowden, not to mention 13 Russians who apparently swung
an election.

If someone is busy triggering mail bombers and lunatic shooters just by
targeting and upvoting their posts on social media what's all this sci-fi
stuff good for? The more complex the world gets the more pointless all this
superficial gimmickry looks.

Just look at the budgets thrown at these agencies. It's frankly sickening.

~~~
marcusjt
> They were busy snoring when it came to 9/11.

They weren't snoring of course, there's no shortage of evidence showing
foreknowledge about 9/11 that was consciously ignored by the Bush
administration and the intelligence services prior to the event and then (only
half-successfully) covered up afterwards.

~~~
99052882514569
Hindsight bias at its finest.

The real issue was identified in the first few years after 9/11 - disparate
patchwork of teams overzealously enforcing moats around their intel/data.

~~~
pharrington
[https://www.9-11commission.gov/report/911Report.pdf](https://www.9-11commission.gov/report/911Report.pdf)

Actually read the report, or at least skim it starting from page 254. What
you're saying is just not true.

~~~
whatshisface
Since we're speculating about spies, politics and secrecy to begin with, is it
really in the spirit of the game to just trust a report published by the
government that says the government was doing things right?

~~~
pharrington
I'm not playing a game.

Specifically, which part(s) of the report are you refuting? Please provide
pages and paragraphs #s or quotes.

~~~
omarchowdhury
How's he going to refute anything specific without himself being privy to
government knowledge?

------
marstr
My first job in tech as a teenager (2007 or so) was doing blueprint analysis
and WiFi Access Point placement for a US Defense contractor in the Midwest.

While working on one of the buildings with some missile guidance programs, I
found a small room in the center of the building that had twelve inch thick
concrete walls and a thick steel door. Determined to do my job, I experimented
with placing several access points near this room until I found a combination
that would force enough signal to connect through those walls. I had the
telecom team pull wires, a month later I threw some WAPs in my backpack and
installed them.

A week later I got an email marked urgent demanding that my team turn off
these access points immediately. I complied, but asked what exactly the
concern was. They mentioned that by bouncing WiFi signals, a van parked in the
parking lot could monitor the activity in any room they wanted.

At the time I thought they were crazy, and at times I've told this story to
demonstrate how paranoid that company was. Looks like there was some real
basis to their concern.

~~~
nickpsecurity
It's called an active emanation attack. Passive attacks interpret the
electromagnetic signals that electronic devices naturally emanate. They try to
reconstruct what the original information was. The active attacks work by
doing the equivalent of how you see trees at night with a flashlight: they hit
the target with a signal, it is affected by what's there, it bounces back, and
you get a distorted version of whatever that was. EMSEC standards, esp TEMPEST
shielding, were invented to mitigate as much of that as possible. Although
it's classified, there's been a number of sites talking about public and some
declassified info.

I don't have the link to old site everyone in hacking community used. Here's
one provider that describes it nicely plus illustrates what the products look
like. They used to be way bulkier.

[http://sst.ws/what-is-tempest.php](http://sst.ws/what-is-tempest.php)

Some more links. Elovici's lab is at the forefront of new attacks.

[http://www.elastic.org/~fche/mirrors/www.cryptome.org/nsa-te...](http://www.elastic.org/~fche/mirrors/www.cryptome.org/nsa-tempest.htm)

[http://tempest-inc.com/](http://tempest-inc.com/)

[https://en.wikipedia.org/wiki/Yuval_Elovici](https://en.wikipedia.org/wiki/Yuval_Elovici)

Here's the quote that first taught me about the risk you described:

"A STU-III is a highly sophisticated digital device; however, they suffer from
a particular nasty vulnerability to strong RF signals that if not properly
addressed can cause the accidental disclosure of classified information, and
recovery of the keys by an eavesdropper. While the unit itself is well
shielded, the power line feeding the unit may not have a clean ground (thus
negating the shielding)... The best way to deal with this is to never have a
cellular telephone or pager on your person when using a STU, or within a
radius of at least thirty feet (in any direction) from an operational STU
(even with a good ground). If the STU is being used in a SCIF or secure
facility a cell phone is supposed to be an excluded item, but it is simply
amazing how many government people (who know better) forget to turn off their
phone before entering controlled areas and thus cause classified materials to
be compromised."

These are also another piece of evidence for two claims I often make:
mainstream security folks don't produce devices that are actually secure;
NSA/DOD are opponents of securing American infrastructure. On the first, high-
assurance security and NSA certifications for TS/SCI demanded EMSEC since they
were known attacks, esp by US and Russia. Mainstream ignored them mostly for
"secure" products with only a handful trying to do something.

The second claim is from fact that security agencies misled U.S. companies and
individuals about these risks specifically so they could use the attacks on
them if needed. Although I don't recall if current, they also refused to sell
TEMPEST-certified systems outside Defense in the past. So, NSA and pals were
known to keep us vulnerable on purpose long before Snowden leaks. I've been
griping about and trying to raise awareness of it for some time. Examples:

[https://www.schneier.com/blog/archives/2011/08/business_week...](https://www.schneier.com/blog/archives/2011/08/business_week_o_1.html#c568363)

[https://www.schneier.com/blog/archives/2014/03/friday_squid_...](https://www.schneier.com/blog/archives/2014/03/friday_squid_bl_420.html#c5226750)

------
imhoguy
BTW you don't need rocket science to find out who is back home in your
neighborhood, or the other room etc. As most people carry phones in
pockets/bags, it is enough to just log clients' MAC addresses in WiFi
promiscuous mode and then correlate them.

~~~
doikor
At least with iPhones, if they are not joining the networks but just scanning,
the MAC addresses are random.

~~~
JustSomeNobody
Use a directional antenna and aim it at various houses looking for an uptick
in random MAC addresses.

~~~
chupasaurus
Why not just ye old triangulation?

------
starbeast
Presumably, the techniques for lens-less cameras will still apply in the
microwave spectrum -
[https://arxiv.org/pdf/1710.02134.pdf](https://arxiv.org/pdf/1710.02134.pdf)

By moving a wifi adapter in a 2d scan pattern, you could presumably create a
virtual 2d sensor and then treat anything between you and where you are
wanting to image as the diffuser.

~~~
imhoguy
I guess SDR receiver dongle would do a better job.

~~~
starbeast
You just sent me down yet another rabbithole. Well done.

edit - [https://www.essexham.co.uk/news/realtek-sdr-dongle-10-pounds...](https://www.essexham.co.uk/news/realtek-sdr-dongle-10-pounds.html)

~~~
imhoguy
Then get even deeper, as we are at thru wall-stuff here is some research:
_Tan, B; Woodbridge, K. and Chetty, K. (2016) A wireless passive radar system
for real-time through-wall movement detection._
[https://pureportal.coventry.ac.uk/files/7646003/tancomb.pdf](https://pureportal.coventry.ac.uk/files/7646003/tancomb.pdf)

~~~
crankylinuxuser
It's a bit more expensive, and requires buying extra antennas.. But this is a
coherent SDR built on 4 realtek chips:

[https://www.indiegogo.com/projects/kerberossdr-4x-coherent-r...](https://www.indiegogo.com/projects/kerberossdr-4x-coherent-rtl-sdr#/)

------
fulafel
This is new, the arxiv page says "Submitted on 23 Oct 2018".

(There has been previous research published from MIT on the same topic[1], so
this was not obvious)

[1] [https://www.technologyreview.com/s/415539/wireless-network-m...](https://www.technologyreview.com/s/415539/wireless-network-modded-to-see-through-walls/)

------
chopin
I was curious how they measure WiFi signals in Android. It seems surprisingly
easy with:

- [https://developer.android.com/reference/android/net/wifi/Wif...](https://developer.android.com/reference/android/net/wifi/WifiManager.html#getScanResults\(\))

and

[https://developer.android.com/reference/android/net/wifi/Sca...](https://developer.android.com/reference/android/net/wifi/ScanResult.html)

which seems to give very fine grained information about WiFi strength of any
network in the vicinity.

------
wjnc
Quite an awesome use case would be to use this for perimeter security, like
securing your house and cars. In my locality cameras are in a legal grey
zone: the police applaud them for use in case of crime, but because of
privacy laws you're not supposed to film other people's houses and whereabouts.
This would enable you to track movements without cameras. Software would make
it easy to only give you signals when somebody or something moves on your
property at night. All I would need is some machine learning to learn about
rabbits, cats and foxes. Or you could have cameras that only turn on in case
of movement on your property, hence triggering (I would hope) the legitimate
interest provision in the GDPR.

~~~
ThePhysicist
It doesn’t matter whether you track people using a camera, ultrasound, WiFi
signals or even manually by watching them from your window and keeping book
about their comings and goings, what matters is that you process “their” data.
So using a different technology to perform the surveillance doesn’t free you
from privacy laws.

~~~
ElBarto
"their data" has a special meaning. It means personal data, that is data
linked to an identified or identifiable individual.

Merely using wifi signals to sense the presence of human beings is therefore
not covered by GDPR.

Now, using the technology to track what's going on in your neighbour's house
probably is.

On the other hand, using CCTV on your property is legal (in the UK and
countries covered by GDPR).

~~~
ThePhysicist
OP asked about filming/watching other people's houses and the area surrounding
your own home though, hence my answer. You can film on your own property as
you like, but if your surveillance system captures the movement of your
neighbor it is possible to link the data to them as well (with high enough
probability) so it becomes personal data. If you somehow manage to only
capture potential trespassers and do that in a way that does not allow any
linking to a specific individual (e.g. by only recording metadata) you can
argue that it’s anonymous data, if you routinely capture all people moving
through a given area you can’t though as it’s possible to attribute the data
back to individuals using context information and statistics.

~~~
ElBarto
Minimal filming of foot paths and streets adjacent to your property happens
all the time, e.g. to film your front garden and/or your car.

To be perfectly legal there are a few steps to take, but in reality as long as
it's minimal and legitimate nothing is going to happen to you.

Of course, that's not the same as pointing your CCTV camera straight into your
neighbour's garden...

------
nakedrobot2
A whole article about seeing through walls, without a single photo?

~~~
turblety
Yeah definitely frustrating. It's always seemed more talk than reality for
years. Here is one photo I found of a claimed wifi spy:

[https://cdn0.tnwcdn.com/wp-content/blogs.dir/1/files/2015/10...](https://cdn0.tnwcdn.com/wp-content/blogs.dir/1/files/2015/10/Screen-Shot-2015-10-29-at-14.17.05.jpg)

In reality a thermal camera might give better results, maybe even from further
away too.

------
foreigner
This article implies that WiFi is a privacy concern, but wouldn't any other RF
signal work just as well? A bad actor could just create their own signal if
you somehow protect your WiFi. That would probably be more effective anyway
because they would know exactly where the signal was coming from and could
choose a frequency for this application.

~~~
TeMPOraL
Of course it would. And yes, "bring your own emitter" would make things
easier, but the point of using Wi-Fi is that it's already there, and you can
use it passively. Any RF in reasonable range would work too, including visible
light.

------
pasta
HF motion sensors are now used in a lot of lights. They are 5.8 GHz radars
that detect motion even through walls.

So high frequency motion detection is already used in a wide range of
applications.

But I think 'seeing' should be taken with a grain of salt. Yes you can detect
motion behind a wall but creating an image is some steps away.

------
Tharkun
Cue military applications, where snipers can now kill you in the safety of
your own home with a wall piercing bullet and a scope with a wifi based image
overlay.

~~~
chopin
It's still difficult to identify persons with this technology. So, only
valuable if you don't care about collateral damage.

~~~
jobigoud
It might work in a hostage situation where they detect many people crouched /
staying still, and one individual pacing around.

~~~
jacobush
It will work even better in "silence dissident" situation. Collateral damage
is just a bonus, you want other people to fear being associated with your
target.

------
kuroguro
2015:
[https://www.youtube.com/watch?v=fGZzNZnYIHo](https://www.youtube.com/watch?v=fGZzNZnYIHo)

------
jonnycomputer
Time to put the wifi router on my kids' train set.

------
kragen
In
[https://news.ycombinator.com/reply?id=18398475&goto=item%3Fi...](https://news.ycombinator.com/reply?id=18398475&goto=item%3Fid%3D18397489%2318398475),
foreigner quite reasonably asks, "Won't any RF signal work just as well?"

Any RF signal will work, but some work better than others. Wi-Fi is awesome
for this for several reasons.

1. Having a source inside the house instead of outside is better because you
lose, say, 15dB when you go through the wall; this is comparable to what a
two-way mirror does to visible light. If you have to illuminate the house from
outside using RF energy, you have to deal with much stronger reflections from
things outside the house.

2. RF wavelengths that are too short will be badly attenuated by things like
walls and doors. You can already notice this with 5GHz 802.11a Wi-Fi; if you
have a few walls between you and the AP, the 2.4GHz signal usually works
better. The problem gets worse at higher frequencies. (You may have noticed
that many walls attenuate visible light, which is RF in the 500THz band,
rather strongly.)

3. RF wavelengths that are too long provide much poorer spatial resolution.
Outside the near field, your imaging resolution is limited by diffraction to
about the wavelength. So you can see a person who's illuminated by the 99.5MHz
emissions from your favorite heavy metal station only if their diameter is on
the order of 3 m or more, and you can see their movements when they move on
the order of 3 m or more. By contrast, 2.4 GHz gives you 120-mm resolution,
and 5 GHz gives you 60-mm resolution. For typical humans, these are more
useful.

(However, my friend Florian has done good work on passively detecting
airplanes using radio illuminations from TV stations, which could be super
helpful the next time the US comes to bomb your country, even if he _does_ use
Lagrange interpolation instead of B-splines like any normal person would;
check it out:
[https://ieeexplore.ieee.org/document/8115293](https://ieeexplore.ieee.org/document/8115293).)

Also! Having walls be super transparent, as they are at these longer
wavelengths, is not entirely an advantage. It makes it harder to distinguish
between signals from things in one building and signals from things in
another.

If you want to listen to Wi-Fi signal strength changes in real time —
including when someone moves around — try
[https://canonical.org/~kragen/sw/dev3/wifiscan.py](https://canonical.org/~kragen/sw/dev3/wifiscan.py).
It depends only on Python (3 or recent 2) and PulseAudio. (MacOS hackers,
consider upgrading to Linux. Apple's removal of your Esc key shows that they
hate you and want you to die.)
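
An added example, not part of the comment above and not the linked wifiscan.py: a small detector showing how movement shows up in Wi-Fi signal-strength readings, by comparing the rolling spread of RSSI samples against an empty-room baseline. The RSSI values are constructed, and the window size, threshold factor and function names are assumptions chosen for illustration.

```python
from statistics import pstdev

# Constructed RSSI samples (dBm), one per second, for one access point.
# Indices 0-19: empty room. Indices 20-31: someone walks through the
# signal path. Indices 32-45: empty room again.
QUIET = [-52, -53, -52, -52, -53, -52, -51, -52, -53, -52]
MOTION = [-55, -48, -60, -50, -63, -47, -58, -49, -61, -52, -57, -50]
SAMPLES = QUIET + QUIET + MOTION + QUIET + [-52, -53, -52, -52]


def rolling_std(samples, window):
    """Std-dev of each trailing window; None until the window is full."""
    out = []
    for i in range(len(samples)):
        if i + 1 < window:
            out.append(None)
        else:
            out.append(pstdev(samples[i + 1 - window:i + 1]))
    return out


def detect_motion(samples, window=5, baseline_len=10, factor=3.0, floor_db=1.5):
    """Return inclusive (start, end) index pairs where the signal fluctuates
    well above the quiet baseline taken from the first baseline_len samples.

    Indices refer to the last sample of the trailing window, so an event is
    reported slightly after movement starts and lingers until the window
    no longer contains disturbed samples.
    """
    baseline = pstdev(samples[:baseline_len])
    # The floor keeps a very stable baseline from making the detector twitchy.
    threshold = max(factor * baseline, floor_db)
    events, start = [], None
    for i, spread in enumerate(rolling_std(samples, window)):
        active = spread is not None and spread > threshold
        if active and start is None:
            start = i
        elif not active and start is not None:
            events.append((start, i - 1))
            start = None
    if start is not None:
        events.append((start, len(samples) - 1))
    return events


if __name__ == "__main__":
    for start, end in detect_motion(SAMPLES):
        print(f"movement suspected between t={start}s and t={end}s")
```

Absolute signal level is ignored on purpose; only the change in spread matters, so a receiver placed elsewhere needs a fresh baseline rather than a different threshold.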

~~~
Crespyl
Your last link is behind an authorization prompt, and the site uses a self-
signed certificate, which throws an error in Firefox.

~~~
kragen
Oops, sorry, I meant
[http://canonical.org/~kragen/sw/dev3/wifiscan.py](http://canonical.org/~kragen/sw/dev3/wifiscan.py).
We should fix that.

------
ww520
I would imagine adding one or more friendly WiFi transmitters as illuminating
sources even on the outside would greatly help the accuracy.

------
module0000
Anyone know of a code sample or available project that implements this? Would
be a lot of fun to try at home and the office.

------
jobigoud
I wonder if using Bluetooth is messing with the detection rate. Or maybe
tracking the BT emitter makes things even easier.

------
dylanz
Modern day Van Eck phreaking!

------
equalunique
Does this mean I can finally have a studfinder that works?

~~~
vorpalhex
You already do, it's called your knuckles.

------
rydogg
Didn't everyone see Batman?

------
madeuptempacct
So, is "magnetic paint" actually a thing, or do we need drywall with Faraday
cages?

~~~
module0000
You'll stand out if you do that... don't stand out. Just add more noise to the
signal (more transmitters, that randomly beam shape and increase/decrease
gain). Better to appear neurotic than suspicious, IMHO.

~~~
Nasrudith
Standing out can do altruistic good if you really have nothing assailable
(everyone has something to hide but returns diminish rapidly with their
image). Surveying someone and finding heinous crimes makes them look
justified. Surveilling and finding minor lawn violations and jaywalking makes
them look like wasteful totalitarian bureaucrats.

The more people using secure approaches the less suspicious it is to be
secure. Especially if there is a sensationalist justification - fight dirty in
turn and use their weapons of fear as a pretext against them.

Which reminds me of resistance to a minor driver tagging law in New Jersey.
Parents were outright defying it and refusing to pay for the stickers and just
covering the fine in full if it came up. Technically the risk of pedophiles
tracking them is negligible statistically but there are many valid civil
rights perspective complaints it helps get people on board when they would
otherwise roll their eyes at the complaints of teenagers a priori.

