Security experts are warning that a new Wi-Fi standard scheduled for release in two years’ time could bring serious privacy risks for users.
Currently under development by an IEEE task force, the planned 802.11bf standard is based on SENS, a technique that effectively turns wireless devices into sensors.
As signals bounce off nearby objects, differences in interference patterns allow objects and their movements to be detected. Low frequencies can pass through walls and detect large objects such as human beings; higher frequencies will have a shorter range but could reveal smaller movements.
The technology is envisaged as a way of allowing remote monitoring, with applications in everything from home security to entertainment and energy management.
Privacy and security risks
However, in a new paper, Francesco Restuccia, assistant professor of electrical and computer engineering at Northeastern University, warns that the IEEE task force has so far failed to take into account the potential privacy issues involved.
“As yet, research and development efforts have been focused on improving the classification accuracy of the phenomena being monitored, with little regard to S&P [security and privacy] issues,” he writes.
“While this could be acceptable from a research perspective, we point out that to allow widespread adoption of 802.11bf, ordinary people need to trust its underlying technologies. Therefore, S&P guarantees must be provided to the end users.”
The problem is that sensing at this level allows an unprecedented degree of monitoring, which could be exploited by criminals or repressive governments.
“For an adversary who is eavesdropping, this could enable the recognition of hand gestures, typing on a keyboard and other activities, with end-users completely unaware that they are being tracked,” points out Natalie Page, threat intelligence analyst at Talion.
And, she adds, “While there are concerns surrounding attackers utilising the technology for malicious purposes, many have also aired concerns that by 2024, following the final release of this technology and the inevitable widespread adoption, government agencies will also utilise the 802.11bf standard as a physical object of mass surveillance.”
Restuccia suggests that users should be given the option to opt out of the sensing, but this might not be particularly effective – few people opt out of non-essential cookies on websites, for example, when given the chance.
Can safety be bolted in?
Andy Norton, European cyber risk officer at Armis, suggests that security and privacy issues could be addressed at a later stage.
“The predicted initial draft for 802.11bf is July 2022, so I think the task force are still thinking about use cases and have not put much thought into misuse cases, yet,” he says. “As they go through the process, I imagine they will.”
This, though, is hardly consistent with the principles of privacy by design, whereby security and privacy issues are central from the outset of the design process.
“As ever, it doesn’t look like security and privacy has been factored in, and it looks like it will be an afterthought that will have to be bolted on,” says Bharat Mistry, technical director at Trend Micro.
“For security and privacy to be effective in such devices it needs to be fabricated in from the foundations of the standard. Anything after-thought will leave it open to exploitation and abuse.”
Meanwhile, adds Norton: “The next suit I buy will essentially be a wearable Faraday cage.”