Demonstrating that WPA2/WPA3 provides zero protection against physical-layer Wi-Fi sensing.
CSI — the channel measurement every Wi-Fi device already computes — leaks human presence and movement direction through closed walls, with no network credentials, no camera, and no cooperating device on the target.
Encryption protects what your Wi-Fi says. It does nothing to protect what your Wi-Fi reveals.
Every modern Wi-Fi link constantly measures Channel State Information (CSI) — a fine-grained, per-subcarrier picture of how the radio signal is distorted as it travels through a room. It exists so devices can correct for multipath and transmit reliably.
The problem: a human body absorbs, reflects, and diffracts those same signals in a measurable, characteristic way. CSI is extracted at the physical layer, before any decryption happens — so WPA2 or WPA3, a strong password, and encrypted traffic offer no defense against it. Walls attenuate the 2.4 GHz signal but do not block the sensing.
WISPR makes this concrete. A passive observer — needing no access to the network at all — can determine not just whether someone is in a space, but which direction they are moving across it. That turns occupancy into behavioral intelligence: routine mapping, presence profiling, and knowing the moment a room empties.
A dual-node design turns a binary "someone is here" detector into a spatial one. Two independent ESP32 nodes watch opposite ends of a zone and stream raw channel measurements to a Python workstation that compares their disturbance signatures to reason about position and direction.
Two battery-powered ESP32 nodes passively capture CSI from ambient 802.11n frames at 40–60 Hz, extracting per-subcarrier amplitude from the signal preamble.
Each node packs measurements into compact binary packets and streams them over UDP on the local network — low-latency, loss-tolerant, ~211 Kbps combined.
The workstation decodes both streams, conditions each into a scalar disturbance signal, applies hysteresis presence logic, and fuses the two into a direction estimate.
A live dashboard renders dual CSI heatmaps, RSSI trends, and a stickman animation that makes position and travel direction human-readable in real time.
Each node is a self-contained, battery-powered device assembled entirely from off-the-shelf components — no proprietary radios, no lab equipment. That accessibility is the finding as much as the software: the barrier to this capability is now trivially low.
Xtensa LX7 dual-core @ 240 MHz with external-antenna capability. Captures CSI from ambient 802.11n frames at 40–60 Hz and streams it out.
128×64 I²C display showing live RSSI, packet rate, and detection state directly on each node.
3000 mAh at 3.7 V — delivering 8.5 hours+ of untethered operation per node.
USB-C Li-Ion charge controller — 1 A charge current, 4.2 V termination, dual-path input so the node runs while charging.
Steps the 3.7 V cell up to a clean 5 V rail at ~93% efficiency to drive the ESP32 reliably.
Custom case with an antenna window and USB-C charging access — deployable as a single discreet unit.
Raw CSI is high-dimensional and drifts constantly with the environment. The pipeline distills it into one robust, self-calibrating signal per node, then reasons over the timing of how those two signals change. Described here at a conceptual level.
An EMA filter suppresses frame-to-frame radio jitter while staying responsive to a real body entering the field — the first line of defense against noise-driven false alarms.
A sliding-window percentile normalization continuously re-references each node to its own recent baseline, collapsing the stream to a single disturbance value and removing the need for manual, per-room calibration as conditions drift.
Presence is confirmed only after a sustained streak below an enter threshold, and cleared only after a streak above a separate, higher exit threshold. This hysteresis gap eliminates the boundary "flickering" of single-threshold detectors — cutting false positives by an estimated 60%.
By comparing when and how each node's disturbance rises and falls, a sequenced set of inference strategies resolves travel as A→B or B→A and holds the result through the mid-zone gap. (Algorithm details are intentionally summarized — see responsible-research note.)
Evaluated over repeated walk-throughs in a controlled indoor environment, against the single-node prototype it extends. The dual-node design both adds a brand-new capability — direction — and makes plain presence detection markedly more reliable.
The uncomfortable conclusion of this research is that the defenses people rely on to feel private at home operate at the wrong layer entirely.
CSI is measured at the physical layer, before decryption. WPA2/WPA3 and strong passwords protect packet contents — they provide zero protection against this class of sensing.
At a 2.4 GHz wavelength (~12.5 cm), the signal passes through typical building materials. Walls attenuate; they do not stop the observer from sensing what’s behind them.
The attack is fully passive — no association, no injected traffic, no malware. Intrusion-detection systems see nothing, because from the network’s view nothing happened.
WISPR was built as a defensive privacy-vulnerability study, not a surveillance product. Its purpose is to demonstrate — with hard numbers — a physical-layer gap that current standards and regulations do not address, so that device makers, standards bodies, and policymakers can act on it.
All testing was conducted with the informed written consent of every participant. No personal data was retained beyond a single session, and the system persists no data by default. This page presents the architecture, methodology, and results at a level that shows technical depth while deliberately withholding firmware, complete detection code, and step-by-step build instructions — the finding is the contribution, not a turnkey capability.
If encryption, walls, and intrusion detection don’t help, what does? The honest answer is that meaningful defense can’t come from the end user alone — it has to be built into the wireless standards and the rules around them.
Randomized beamforming and deliberate channel perturbation, specified at the 802.11 level, would keep CSI from reading as a clean, stable fingerprint of the room.
Treating channel-estimation data as sensitive — obfuscating or access-gating it in the standard — would close a gap that exists only because CSI is unprotected by design.
Labeling CSI-capable devices, requiring informed consent for commercial deployments, and extending surveillance regulation to passive RF sensing — which today has no clear legal precedent.
Consumer-side options are thin: Faraday shielding runs $10,000+ and disables your own Wi-Fi. That imbalance is precisely why this work is framed as technical evidence for standards bodies and regulators — not as a consumer product.
A two-person final-year research project, supervised within the Department of Cyber Security at the National Centre for Cyber Security.