Violating Privacy Through Walls by Passive Monitoring ofRadio Windows

Arijit BanerjeeUniversity of Utah

Salt Lake City, UT, USAarijit@cs.utah.edu

Dustin MaasXandem Technology

Salt Lake City, UT, USAdustin@xandem.com

Maurizio BoccaPolitecnico di Milano

Milano, Italymaurizio.bocca@polimi.it

Neal PatwariUniversity of Utah & Xandem

TechnologySalt Lake City, UT, USA

npatwari@ece.utah.edu

Sneha KaseraUniversity of Utah

Salt Lake City, UT, USAkasera@cs.utah.edu

ABSTRACTWe investigate the ability of an attacker to passively use anotherwise secure wireless network to detect moving peoplethrough walls. We call this attack on privacy of people a“monitoring radio windows” (MRW) attack. We design andimplement the MRW attack methodology to reliably detectwhen a person crosses the link lines between the legitimatetransmitters and the attack receivers, by using physical layermeasurements. We also develop a method to estimate thedirection of movement of a person from the sequence of linklines crossed during a short time interval. Additionally, wedescribe how an attacker may estimate any artificial changesin transmit power (used as a countermeasure), compensatefor these power changes using measurements from sufficientnumber of links, and still detect line crossings. We imple-ment our methodology onWiFi and ZigBee nodes and exper-imentally evaluate the MRW attack by passively monitoringhuman movements through external walls in two real-worldsettings. We find that achieve close to 100% accuracy in de-tecting line crossings and determining direction of motion,even through reinforced concrete walls.

Categories and Subject DescriptorsC.2 [Computer-Communication Networks]: Miscella-neous

KeywordsRadio Window; WiFi; Signal strength; Line Crossing

1. INTRODUCTIONWe investigate an attack to the privacy of the people mov-

ing in an area covered by a wireless network. People moving

Permission to make digital or hard copies of all or part of this work for personal orclassroom use is granted without fee provided that copies are not made or distributedfor prof t or commercial advantage and that copies bear this notice and the full cita-tion on the f rst page. Copyrights for components of this work owned by others thanACMmust be honored. Abstracting with credit is permitted. To copy otherwise, or re-publish, to post on servers or to redistribute to lists, requires prior specif c permissionand/or a fee. Request permissions from permissions@acm.org.WiSec’14, July 23–25, 2014, Oxford, UK.Copyright 2014 ACM 978-1-4503-2972-9/14/07 ...$15.00.http://dx.doi.org/10.1145/2627393.2627418.

Figure 1: Monitoring Radio Windows (MRW) attack exam-ple.

in an area covered by one or more wireless networks affectthe way radio signals propagate. We demonstrate that thepresence, location and direction of movement of people notcarrying any wireless device can be “eavesdropped”by usingthe channel information of wireless links artificially createdby an attacker by deploying sensing devices or receivers thatcan passively “hear” transmitters such as WiFi access points(APs), composing the legitimate wireless network. Radiosignals from transmitters passing through non-metal exter-nal walls are analogous to light from light bulbs passingthrough glass windows in that either can be used to “see”where building occupants are moving from outside of thebuilding. Hence, we call this attack on privacy of people an“monitoring radio windows” (MRW) attack.

Consider a building where security is important (e.g., anembassy) with a concrete exterior wall. One or more wirelessnetworks may have been set up in this building to transferdifferent types of data, including voice and video. We canexpect these networks to implement advanced data securityprotocols to prevent eavesdropping of data. However, an at-tacker can still deploy receivers outside the wall of the build-ing to passively measure different parameters of the received

69

radio signals. By measuring the channel state information(CSI) or received signal strength (RSS), for example, of thelinks from the transmitters inside the building to the re-ceivers deployed, the attacker can monitor the movementsof people and objects inside the building in the area be-hind the wall in Figure 1. The information about people’smovements can be put to malicious use including planninga physical attack on the personnel inside the building.

In this paper, we design and implement the MRW at-tack methodology for through wall people localization. Ourmethodology relies on reliably detecting when people crossthe link lines between the legitimate transmitters and theattack receivers. We first develop a majority-vote based de-tection algorithm that reliably detects line of sight (LOS)crossing between the legitimate transmitter and the attackreceivers by comparing short-term variances in link channelinformation with their long-term counterparts. We also de-velop a method to estimate the direction of movement of aperson from the sequence of link lines crossed during a shorttime interval. Next, we implement our methodology onWiFiand ZigBee nodes and experimentally evaluate the MRW at-tack by monitoring people’s movements through walls in tworeal-world settings – a hallway of a university building sepa-rated from the outside by a one-foot thick concrete wall, anda residential house. When we use two WiFi 802.11n nodeswith normal antenna separation, or two groups of ZigBeenodes as attack receivers, we find that our methods achieveclose to 100% accuracy in detecting line crossings and the di-rection of movement. We also find that our methods achieve90− 100% accuracy when we use a single 802.11n attack re-ceiver. We note that our goal in this paper is not to preciselyestimate the location of a moving person but rather, only de-tect line crossings and determine the direction of movementthrough walls. This coarse-granular location information vi-olates the person’s privacy and can be used by an attacker.

To protect the privacy of the location information fromthe MRW attack, the owner of the legitimate network maychoose to implement a countermeasure in which the trans-mitters vary their transmit power during successive trans-missions. The artificial transmit power changes can be ei-ther random or follow a pre-defined profile replicating thetypical channel variations introduced when a person crossesa link line. This countermeasure is expected to introduceadditional variability in the received signal measured by theattack receivers, which can be wrongly interpreted by theattacker as caused by moving people or objects crossing thelink lines. In this paper, we demonstrate that an attackerwho can measure a sufficient number of links can accuratelyestimate the artificial transmit power change, compensatefor it, and ultimately locate people and monitor their move-ments. We base our compensation strategy on the followingintuition: an artificial transmit power change at a trans-mitter will impact the measurements at all attack receiverswith approximately the same magnitude of change, whereasgenuine power changes due to human movement are likelyto impact receivers each with a different magnitude. Thisintuition also suggests that protecting against radio windowattacks is a very hard problem because any change at thesource of transmission can be possibly compensated for bycorrelating measurements across multiple attack receivers.

The idea of using radio signals through walls for obtaininglocation information is not new and has been used in exist-ing efforts including Radio Tomographic Imaging (RTI) [25],

WiVi [2], and WiTrack [1], among others. However, the ex-isting literature does not demonstrate that an attacker canobtain location information 1) without transmitting (andthus not subject to jamming or source localization); and 2)through thick external walls (such as reinforced concrete)and in large buildings. Wilson et al. developed RTI [25] totrack human movement through walls by deploying dozensof transceivers throughout or on many sides of a room in aresidential home. However, RTI requires active transmissionfrom all the deployed nodes, and, hence it can be detectedby source localization and/or countered by jamming. Notethat for solid external walls, penetration loss can be veryhigh, e.g., about 20 dB/ft through concrete at 2.4 GHz [21].Since the signal must penetrate external walls twice, onceto enter and once to exit the building, transmit power mustbe very high in order to achieve useful range.

Adib et al. [2] developed WiVi to track moving humansthrough walls inside a closed room using WiFi signals. Ina follow up work, Adib et al. [1] developed a 3-D through-wall motion tracking system, WiTrack, that can be used totrack the 3D location of a moving person inside a room,and to detect falls and simple gestures. Though efficient,these methods also depend on active probing requiring cus-tom hardware to send WiFi signals through a barrier (e.g.,a wall) and measure the way it reflects back from objectson the other side. Like RTI, these methods are vulnera-ble to detection and jamming, and must penetrate an ex-ternal wall twice. Note that WiTrack was demonstratedthrough drywall [1], which has a 0.5 dB penetration loss at2.4 GHz [26]. Our work is stealthier in that purely passivereceivers are deployed by an attacker to measure signals fromthe transmitters already deployed in existing infrastructure.The attack receivers do not transmit any signal or interferewith the existing transmissions in any way - hence they cannot be detected using source localization and are immuneto jamming. Furthermore, the active signal transmissionfrom outside the wall, forces WiVi and WiTrack to performa costly “nulling” procedure to counteract the flash effect- the strong reflection from the wall that overshadows sig-nals reflected back from inside the room. We rely only onthe transmitted signal from the existing infrastructure in-side the facility to detect a person’s movement, hence theflash effect does not apply. We can perform our location de-tection with simpler algorithms and off the shelf hardware.Unlike WiVi and WiTrack, our method enables the attackerto see through dense wall material, including 12 inch thickreinforced concrete walls. In a related work that is not di-rectly concerned with location privacy [18], Pu et al. showedthat Doppler shifts resulting from multipath distortions, dueto reflections of wireless signals from a human body, can beused to identify human gestures. However, their work re-lies on classification of gestures based on extensive learning.One must actively perform a startup sequence of gestures inthe direction of the wireless receiver(s) to get into the con-trol system before sending the real gesture commands. Ourresearch does not consider human gestures and hence doesnot require an extensive learning phase.

The remainder of the paper is organized as follows. Sec-tion 2 describes the adversary model, while in Section 3we introduce the methods developed. Experimental setupand results are presented in Sections 4 and 5, respectively.Additional existing research in the area of location privacy

70

attacks is discussed in Section 6. Conclusions are given inSection 7.

2. ADVERSARYMODELWe make the following assumptions about the attacker

(In this paper, we use the term attacker for anyone, whethermalicious or genuine, who is trying to detect human move-ment):

• The attacker is able to deploy multiple wireless sens-ing devices within the transmission range of the legiti-mate transmitter(s) outside the area being monitored.The attacker is able to measure the physical layer in-formation (RSS and/or CSI) of the links between thetransmitter(s) and the attack receivers.

• The attacker does not have access to the content of thepackets transmitted by the legitimate network nodes.

• The attacker does not deploy any transmitters, nordoes it have any control over the legitimate transmit-ters. However, it requires the legitimate transmittersto transmit packets frequently to allow it perform theline crossing detections.

• The attacker does not make any assumption regardingthe transmit power profile of the transmitters.

• The attacker nodes do not associate or interfere in anymanner with the transmissions of the legitimate trans-mitter(s).

• The attacker may not know the precise location of thetransmitters, however, we do assume that the trans-mitter is located well inside the perimeters of buildingsfor network coverage.

• The attacker may deploy the MRW attack when it isdark to minimize the chance of getting detected.

3. METHODOLOGYIn this section, we first develop a methodology to detect

line crossings of a single person based on a majority votefor WiFi 802.11n receivers. We also develop a method thatuses a sequence of line crossings to determine the directionof the movement. Next, we present our approaches for esti-mating transmit power change and its compensation, whenthe transmit power is artificially changed by the owner of thewireless transmitters, inside a secure building, with the hopeof preserving location privacy. Last, we show how we adaptour methodology for IEEE 802.15.4 ZigBee attack receivers.

3.1 Line Crossing DetectionMany modern WiFi networks use the 802.11n standard, in

which transceivers are equipped with multiple antennas inorder to leverage the spatial diversity of the wireless chan-nel. While these multiple-input multiple-output (MIMO)systems provide high data rates, they also provide a richsource of channel information to an adversary interested inlocalizing people inside a building.

The 802.11n wireless standard uses the well-known or-thogonal frequency-division multiplexing (OFDM) modula-tion scheme, which encodes and transmits data across mul-tiple subcarriers for each transmitter-receiver antenna pair.

When an 802.11n receiver receives a packet, it estimates theeffect of the wireless channel on each MIMO OFDM sub-carrier for the purpose of channel equalization. Since thischannel state information (CSI), represented as a complexgain for each subcarrier, is measured during the unencryptedpreamble of each WiFi packet, an adversary without legit-imate access to data on the network can still measure theCSI for every packet.

We apply a windowed variance method for detecting abruptchanges in the CSI for a WiFi link. Let Hj,k(n) be themagnitude of the signal strength for the jth transmitter-receiver antenna pair and the kth OFDM subcarrier for thenth packet. We define the windowed variance measurementat packet n as follows. Let

vwj,k(n) =

1

w − 1

n∑

i=n−w+1

(Hj,k(i)− Hwj,k)

2, (1)

where, w is the number of previous CSI samples in the win-dow and Hw

j,k(n) is the average signal strength for the jthtransmitter-receiver antenna pair computed over w.

We define the subcarrier-average variance and standarddeviation for packet n for a given antenna pair j as

Vwj (n) =

1

N

∑

k

vwj,k(n), S

wj (n) =

1

N

∑

k

√

vwj,k(n). (2)

where N is the number of subcarriers. We track both V wj (n)

and Swj (n) over a short-term time window ws, and a long-

term time window wl, and detect a line crossing when∑

n∈D

Vws

j (n) − Vwl

j (n) > γ(n), (3)

where D is the most recent contiguous set of packets forwhich V ws

j (n)−V wl

j (n) > 0 and the threshold γ(n) is definedas

γ(n) = Vwl

j (n) + CSwl

j (n). (4)

γ(n) determines the sensitivity of the detection system, smallervalues of γ(n) will ensure low missed detection rate but willincrease the probability of false alarms. On the other hand,larger values of γ(n) will lower false alarm rates at the ex-pense of higher missed detection rates. The constant C isincluded to allow the user to adjust the trade-off betweenfalse alarms and missed detections.

To improve robustness, in the case where there are morethan two antenna pairs, we take the majority vote betweenantenna pairs over the short-term window to decide if a linecrossing has occurred. More specifically, when a receiverantenna detects a line crossing, we count the line crossingdetections for all the receiver antennas over the short-termwindow, ws. For a 3×3 MIMO transmitter and receiver, thiswould mean computing a majority vote over nine measure-ments. When the majority of the receiver antennas detect aline crossing within ws, we infer that a person has crossed thelink line between the transmitter and the receiver. We willshow that this majority vote method improves the perfor-mance of our detector by decreasing false alarms and misseddetections.

We note that our window-based variance method differsfrom the method presented in [19,28]. In [19,28], Youssef etal. compare recent window-based variance measurements ofRSSI at multiple WiFi links to measurements made during astatic calibration period when nobody is moving in the area

71

of interest. If a certain number of WiFi links within thearea of interest detect motion within a certain time inter-val, a motion event is detected in the area of interest. Ourattacker does not know if and/or when people are moving in-side of the building, and therefore cannot create calibrationmeasurements based on a static environment. Instead, wecompare a short-term window variance to a long-term win-dowed variance. The long-term window allows us to capturethe behavior of the wireless links when the majority of mea-surements are likely made while there is nobody crossing thelink line. Additionally, in the case of 802.11n, we exploit theeffect that line crossings have on each OFDM subcarrier andMIMO antenna pair.

3.2 Determining Direction of MotionIf the adversary measures the CSI at multiple receivers,

or if a single receiver includes multiple antennas as is thecase with 802.11n, it is also possible to infer the directionthat a person is walking when line crossings are detected.The direction of motion is inferred from the time differencesbetween the line crossing detections at each receiver, in thecase of multiple receivers, or at each transmitter-receiverantenna pair, when the receivers include multiple antennas.

Consider the scenario where the attacker arranges theMIMO antenna array of an 802.11n receiver such that theantennas are roughly parallel to a hallway as shown in Fig-ure 2(a). The spatial order of the antennas with referenceto the hallway is known, and each transmitter-receiver an-tenna is given an index according to its spatial order. Basedon the adversary model assumption that a transmitter islocated well inside the perimeter, the attacker, even with-out knowing the precise location of the transmitter or thearrangement of its antennas, may treat the antennas of thewireless transmitter as if they are co-located and still achievereliable results.

In the single WiFi receiver case, if a link crossing is de-tected by majority vote for a given short-term window, wefind the line that best fits the set of points {(dj , nj) : j ∈ P},where dj is the spatial index of antenna pair j representingit’s location relative to the other links, nj is the packet in-dex indicating when a detection occurred at antenna pair jaccording to (3), and P is the set of antenna pairs endingat the WiFi receiver which detected a line crossing duringthe short-term window. The sign of the slope of this lineindicates the direction of motion. Figure 2 shows an exam-ple which uses CSI measurements from three antennas atthe WiFi transmitter and three antennas at WiFi RX1 (9antenna pairs). In the case of two single-input single-output(SISO) WiFi receivers, a similar method may be applied,but the two spatial and packet indexes directly determinethe line and its slope.

3.3 Compensation of Transmit Power ChangeIn this subsection, we propose a methodology to detect

artificial transmit power changes (if any) and compensatefor the same. The signal strength for the jth transmitter-receiver antenna pair and the kth OFDM subcarrier forpacket n is given by

Hj,k(n) = Tx(n) +Gt +Gr − Lj,k(n) + Ψj,k(n), (5)

where Tx(n) is the transmit power of the transmitter forpacket n, Gt and Gr are the transmitter and receiver an-

tenna gains, respectively, Lj,k(n) is the path loss, and Ψj,k(i)is a noise term.

The attacker does not know the transmit power or an-tenna gains, so she relies on the difference between the signalstrength for the packet n and the reference packet (n = 0)as follows.

hj,k(n) , Hj,k(n)−Hj,k(0). (6)

From (5), we see that

hj,k(n) = tx(n)− lj,k(n) + ψj,k(n), (7)

where tx(n) = Tx(n) − Tx(0), lj,k(n) = Lj,k(n) − Lj,k(0),and ψj,k(n) = Ψj,k(n)−Ψj,k(0).

In absense of any transmit power changes, hj,k(n) is domi-nated by path loss changes caused when a person crosses thelink and abrupt variation in hj,k(n) can be used to detect linecrossings. However, any transmit power change (introducedartificially) at the transmitter dominates the hj,k(n) termand masks the effect of channel variation caused by humanmovement. A transmitter could thus presumably preservelocation privacy by changing its transmit power frequentlyto introduce artifical signal strength variations.

We now propose a method that a smart attacker can useto estimate and remove the artificial power changes and ac-curately detect line crossings. In our method, the attackerestimates the artificial transmit power change amplitudeby correlating measurements across all antenna pairs andall subcarriers, and removes the effect of transmit powerchanges from the received signal strength measurements.We propose to use the median of hk,j(n) for all availabletransmitter-receiver antenna pairs and corresponding sub-carriers, as an estimator of the artificial transmit powerchange, as shown in the equation below:

tx(n) = median {hj,k(n)∀j, k} . (8)

Our choice of this estimator is based on the following obser-vations. First, we observe that tx(n) appears in the equationfor hk,j(n) for all j and k. This is because, any change intransmit power affects measurements across all transmitter-receiver antenna pairs and corresponding subcarriers simul-taneously. We also know that the change in the path losslj,k is just as likely to be positive as negative. Furthermore,any change due to human movement will not affect all thelinks simultaneously.

In the absence of an artificial transmit power change, tx(n)is likely to be close to zero, i.e., our estimator does not re-quire us to detect whether or not there is an artificial trans-mit power change for packet n.

The compensated signal strength for packet n, which wedenote Hj,k(n), is given by

Hj,k(n) = Hj,k(n)− tx(n). (9)

Although the reference packet was sent with unknown trans-mit power Tx(0), for n > 0, we consider Tx(n) to be the rela-

tive dB shift in transmit power compared to Tx(0). Hj,k(n)essentially, is an estimate of the subcarrier signal strength ifthere were no transmit power changes between the referencepacket and packet n.

It is clear that, any error in the estimation of the transmitpower changes amplitude will introduce additional noise inthe measurements. However, the dynamics of the signal arestill preserved and an attacker can use any variation in the

72

Exterior Wall

TX

RX1

0 1 2

RX2

0 1 2

(a)

−1.0 −0.5 0.0 0.5 1.0 1.5 2.0 2.5 3.0

d (spatial index)−20

−10

0

10

20

30

40

50

n (

pack

et

index)

01

2

least-squares fit

RX1 antennas

(b)

Figure 2: (a) The MIMO antenna array used for line crossing detection.(b) Direction of motion is determined by slope of theline fitted to the points created by the spatial indexes of the antennas and the packet indexes.

signal over a short time period in order to notice motion ofa person near the link line.

3.4 ZigBee NetworksThe methodologies described above are also applicable for

IEEE 802.15.4 ZigBee nodes. However, the ZigBee nodesare generally equipped with a single antenna, so the MIMOsetup is not available. Moreover, ZigBee nodes do not useOFDM for communication, so we use channel informationfrom a single frequency channel (instead of averaging acrossall subcarriers as in the case of OFDM) to evaluate ourmethodologies. Furthermore, there is no tool to get the com-plete CSI at the receiver. Instead, we rely on the RSS valueobtained from the receiver hardware. Thus, in the case ofZigBee we set Hj,k(n) to the RSS value measured in deci-bel units for the jth transmitter-receiver antenna pair forpacket n, also k = 1,∀j as we have measurements from asingle channel only.

In order to create spatial diversity we use three closely lo-cated ZigBee receivers together to form a group as describedin Section 4. We detect line crossings by applying our ma-jority vote approach on the three links formed between thetransmitter and the three receivers in the group. We detectdirection of motion using two groups of receivers and observ-ing sequence of groups crossed over a short time window.We estimate and compensate for artificial transmit powerchanges (if any) by applying the methods described in Sec-tion 3.3, and utilizing the fact that any change in transmitpower affects all receivers simultaneously across all groups.

4. EXPERIMENTSIn this section, we describe the experimental setup. Sec-

tion 4.1 describes the tools we use to measure the wirelesschannel, Section 4.2 describes the transmit power changeswe apply, and Section 4.3 describes two real-world experi-mental deployments.

4.1 Tool DescriptionWe use the following tools to measure the wireless channel

and detect line crossings.WiFi: We use laptops with Intel 5300 NICs that have

three-antenna MIMO 802.11n radios. We use the CSI Tool[9], that has been built for these radios, to get channel stateinformation from the WiFi transmitter. The CSI tool ex-tracts 802.11n channel state information for 30 subcarrierat each antenna pair. Since we use three antennas at eachnode for communication, for each transmitter-receiver pair,we have 3× 3 = 9 links each with 30 subcarrier groups. Weuse two kinds of antenna separations - in the normal case(WiFi NORM), we place the antennas 6 cm apart, in theother case (WiFi SEP), we use a larger antenna separationof 30 cm. The increased separation is accomplished by con-necting the antennas to the Intel 5300 NIC with standardRF cables that are long enough to provide up to 30 cm sep-aration. We program the transmitter to transmit packets ata rate of 10 Hz which is similar to beacon frame rates of astandard wireless access point. The attack receivers use theCSI Tool to obtain channel state information from the re-ceived packets which in turn is used to detect line crossingsas described in Section 3.1.

ZigBee: For the ZigBee experiments, we use Texas Instru-ment CC2531 USB dongles [22], which are equipped withlow-power, IEEE 802.15.4-compliant radios operating in the2.4 GHz ISM band. The transmission frequency in this caseis 12 Hz. A laptop is used to process the measured dataat the attack receivers. There is no tool to obtain the CSIinformation in the case of ZigBee nodes. Therefore, we usethe RSS value (in dBm) measured by the receiver hardwarefor our analysis, as described in Section 3.4.

4.2 Transmit Power VariationsWe consider three different settings of transmit power

variations for our experiments:

73

(a) University hallway. (b) Residential.

Figure 3: Network layouts. We show maps of the University Hallway and the Residential House and mark the location of thelegitimate transmitter(s) and the attack receivers. We also highlight the route(s) followed by the walking person.

TX NORMAL: In this case, the transmitters transmit withfixed transmit power and variations in RSS are due to per-son movement and noise only.TX LINECROSS: For finer control, we simulate the effectof transmit power change (for both WiFi and ZigBee) bymodifying received data according to a power profile thatreplicates typical signal attenuation introduced by a personcrossing the link line. We randomly select different timepoints in the measurements to introduce effect of transmitpower change.TX RANDOM: Here, we experimentally implement or sim-ulate the scenario where the transmitter may use a differentpower level for each transmission by randomly selecting froma predefined set of power levels supported by the hardware.For ZigBee nodes, we program the transmitter(s) to changeits transmit power at each transmission by randomly select-ing one among four pre-defined transmit power levels, i.e.,+4.5 dBm, −1.5 dBm, −6 dBm, and−10 dBm. However, weare unable to program the random power changes in WiFinodes and hence, we simulate these power changes.

While simulating effects of transmit power change we relyon the fact that any change in the transmit power at a timeinstant is observed across all subcarriers for all transmitter-receiver antenna pairs in case of WiFi and across all receiversin case of ZigBee at the same instant and we change thereceived signal parameters accordingly. We also add a zeromean Gaussian random variable (with standard deviation0.67) to each Hj,k(n) measurement, in addition to the thetransmit power change tx(n), to account for errors due toenvironmental noise.

4.3 Experimental DeploymentsWe evaluate our methodologies in two different real world

settings.

4.3.1 University HallwayWe choose a hallway inside a university building as the

area being monitored (Figure 3(a)). The hallway is adja-cent to a 30 cm thick and 3.5 m tall rebar-reinforced con-crete boundary wall. We note that this type of a wall causes

significant RF attenuation at WiFi frequencies and repre-sents a worst-case scenario among typical exterior walls forour purposes [20]. We place the attack receivers outside theboundary wall parallel to the hallway approximately 1 maway from the wall, at a height of 1.2m.

For theWiFi experiment, we deploy one transmitter insidethe building across the hallway, and two attack receiversseparated by 3 m outside the concrete wall (Figure 3(a)).Similarly, for the ZigBee network, we deploy one transmitteracross the hallway and six receivers outside the boundarywall. The attack receivers are placed in two groups of threenodes each, with the distance between the groups being 3m (Figure 3(a)). Nodes in the same group are almost 30cm apart. We perform both TX NORMAL and TX RANDexperiments with the same ZigBee setup.

During the experiment, a person is walking back and forthalong a predefined path (shown as route in Figure 3(a))along the corridor between the transmitter and the attackreceivers. With the help of a metronome, the person walksat a constant speed of 0.5 m/s. We collect over 12, 000 datasamples for WiFi and over 20, 000 data samples for ZigBeein this experiment. In our evaluation, we use ws = 4 s (shorttime window), and wl = 40 s (long term window) (Section3.1). Note that, ws must be chosen such that it effectivelycaptures the effect of short term variation in signal strengthdue to human movement in the vicinity of the link. We ob-serve that, for typical movements these variations last forabout 2-6 seconds (Figure 5). We use the mean value forour evaluation (our results do not change significantly if weother values in the 2-6 seconds range). On the other hand,wl must be large enough to capture the long term behaviorof the link, and should not get affected by short term move-ments. We select a moderately large value for wl that effec-tively captures the long term link behavior, and keeps thecomputation complexity under reasonable bounds so thatthe detection can be performed in real time.

4.3.2 Residential HouseIn this experiment, we monitor two sides of a residential

house (Figure 3(b)) to detect people movement. We perform

74

two sets of experiment with the WiFi nodes. In the firstexperiment (House 1), we place the WiFi transmitter in acorridor centrally located inside the house and two WiFireceivers with normal antenna separation (WiFi NORM) inthe backyard of the house outside the external wall as shownin the Figure 3(b). The receivers are placed approximately1 m away from each other, both at a height of 1.2m. Forthe second experiment (House 2), we use two WiFi receiverswith larger antenna separation (WiFi SEP) and place oneof them in the backyard and the other outside the frontentrance. The transmitter is placed in the same position asin experiment House 1.

For the ZigBee network, we place two groups of receivers,each group with three nodes, on either side of the house out-side the external walls. As shown in Figure 3(b), the ZigBeegroups 1 & 2 are placed outside the front entrance, andgroups 3 and 4 are placed in the backyard, approximately 1m away from the walls. Nodes in the same group are almost30 cm apart while the inter-group distance on either sidebeing at least 1 m. The ZigBee transmitter is placed insidethe house co-located with the WiFi transmitter.

During these residential experiments, a person walks in-side the house back and forth first near the front entranceof the house (route 1 in the Figure 3(b)), and then in theliving room which is near the rear end of the house (shownas route 2 in the Figure 3(b)). Finally, the person makesa few rounds inside the house as shown in route 3 in theFigure 3(b). We collect over 10, 000 data samples for eachset of ZigBee and WiFi experiments. We video record theline crossings to test the accuracy of our detection methodagainst ground truth. For the residential experiments, weuse ws = 2 s (short time window), wl = 20 s (long termwindow) and ∆ = 4 s (Section 3.1). We use smaller windowsizes for detection of line crossings as the person walks at afaster speed as compared to the University Hallway experi-ments.

In our experiments, we place the transmitter on a standthat is approximately 1.2 m high. We understand that trans-mitters are sometimes placed on a ceiling. However, giventhat transmitters are typically placed well inside boundarywalls for coverage reasons, we can assume that movementbehind boundary walls will still result in line of sight cross-ings between the transmitter and receivers that an attackerdeploys at low heights. Furthermore, even if transmitter andreceiver are both at ceiling height, there should be changesin CSI observed, as shown by [29]. An attacker may also useexisting works on source localization [16, 17] to determinethe location of the wireless transmitter, and plan the targetarea of detection accordingly.

We end this section by noting that while our experimentsconsider only one wireless transmitter, it is very likely thatmultiple transmitters will be present in a common home/uni-versity setting. However, WiFi transmitters actively avoidinterfering with each other due to the 802.11 MAC protocol.Wireless devices, such as WiFi access points, also attemptto operate on different channels for minimizing transmissionoverlap. Therefore, signals from wireless transmitters canstill be received at the attack receivers. Additionally, we canidentify the transmitter a packet is coming from using RSS-based or other signatures. We will thoroughly investigatethe impact of multiple transmitters on detection accuracyin our future work.

5. RESULTSWe evaluate the performance of the MRW attack in terms

of false alarm and missed detection rates. False alarm (FA)rates are calculated as the number of line crossings wronglydetected by the system over the number of sample points.Missed detection (MD) rates are calculated as the numberof actual line crossings not detected by the system over thetotal number of actual line crossings.

5.1 Detection of Line CrossingIn this section, we present the accuracy of detection of

line crossings using the methodology as described in Section3.1.

5.1.1 University HallwayTable 1 lists the results obtained in the University Hallway

experiment using our majority vote detection. We achievealmost 100% detection rate with few false alarms and misseddetections. Using a WiFi 802.11n receiver with normal an-tenna separation, we get zero false alarms and only 1.92%missed detections. We compare the detected crossing timeswith those in the recorded video footage of the experimentand find that we can detect the crossing times with an av-erage error of 0.79 s, with minimum and maximum errors of0.03 s and 2.73 s respectively.

We obtain zero false alarms and missed detections whenusing a 802.11n WiFi receiver with a large spatial separationbetween antennas, the mean error in this case being 1.22 s.For ZigBee, using a group of three closely located receivers,we get a 2.66% false alarm rate and a 1.67% missed detectionrate in line crossing detection with an average error of 1.22seconds. We use two groups of receivers and experiment withthree different transmitter locations in case of ZigBee. Weobtain the above results by averaging over all transmitterlocation and receiver group pairs.

Note that, while computing the errors as compared to theground truth, we consider the line connecting the centroidof transmitter antenna locations (or the transmitter locationin case of ZigBee) and the centroid of the receiver antennalocations (or the centroid of the receiver locations in thegroup in case of ZigBee) as the representative link line.

5.1.2 Residential HouseWe present the detection accuracy of the Residential House

experiment in Table 2. We achieve greater than 94% de-tection accuracy with a 0.043% false alarm rate while usingWiFi receivers with normal antenna separation (WiFi NOR-M). With larger antenna separation (WiFi SEP) the accu-racy is greater than 95% with a 0.005% false alarm rate.The mean error in detection of line crossings is 1.06s in caseof WiFi NORM, the same being 0.56s for WiFi SEP.

For ZigBee, we achieve greater than 99% accuracy in de-tection with a false alarm rate of 0.004% only. The averageerror in time-of-crossing estimation in this case is 1.63 s.Note that during this experiment, we placed one group ofZigBee nodes (group 2) directly in front of the metal-platedentrance door. The packet reception rates for receivers inthis group are much lower than the receivers in the othergroups. Also, perhaps due to attenuation through the door,the RSS measurements made by this group are more noisythan those made by the other groups, leading to furtherdegradation in performance. The missed detection rate forthis group is almost 30%, about 60 times more than the

75

Table 1: Detection Accuracy (Hallway).

Hallway Accuracy Error (sec)Experiment: FA% MD% Min Max MeanWiFi NORM 0 1.92 0.03 2.73 0.79WiFi SEP 0 0 0.27 2.37 1.22ZigBee 0 1.02 0.27 2.37 1.22

Table 2: Detection Accuracy (House).

House Accuracy Error (sec)Experiment: FA% MD% Min Max MeanWiFi NORM 0.043 5.70 0.29 2.78 1.06WiFi SEP 0.005 4.35 0.03 1.82 0.56ZigBee 0.004 0.49 0.10 3.55 1.63

average missed detection rate of other groups (results pre-sented in Table 2 are averaged over the other three groups).Thus, we conclude that, although an MRW attack can pen-etrate concrete and brick walls, metallic structures in theline of sight path of the radio signals degrades the detectionaccuracy significantly.

5.2 Determining Direction of MotionIn this section, we present the accuracy we achieve in de-

tecting the direction of motion for each experiment.

5.2.1 University HallwayIn the university hallway experiment, the corridor was

crossed by a moving person an equal number of times ineither direction. We achieve 100% accuracy in detectingdirection of movement on either side of the corridor whileusing twoWiFi receivers or two groups of ZigBee nodes usingthe method described in Section 3.2.

We also achieve an accuracy as high as 90.38% in detectingdirection of motion with only a single WiFi 802.11n receiverby increasing the spatial separation of the MIMO antennas.The accuracy with a single WiFi receiver with standard an-tenna separation is 59.62%, which is slightly better thanguessing the direction of motion.

5.2.2 Residential HouseFor the experiment performed in the residential house we

again achieve 100% accuracy in detection while using twoWiFi receivers with standard antenna separation (experi-ment House 1) or two groups of ZigBee nodes on either sideof the house. Individual detection accuracy of the two WiFireceivers (with standard antenna separation placed on thesame side of the house as in experiment House 1) used are100% (RX1) and 68% (RX2) respectively. Detection accu-racy with spatially separated antennas for these receivers(when they are placed on opposite sides of the house asin experiment House 2) are 96% (RX1) and 52.6% (RX2)respectively. These results differ from the University Hall-way experiment where we get better accuracy in detectingdirection of movement while using large spatial separationbetween antennas as compared to using normal antenna sep-aration. The degradation in accuracy with antenna separa-tion in Residential House experiment may be due to the factthat during the House 2 experiment, walking speed of theperson was about 20% faster as compared to the House 1experiment with normal antenna separation, hence crossing

Windowed

Variance

time (s)

Vote

40 60 80 100 120 140 160 180 200 220 240

actual V w s

j V w l

j detected

(a)

(b)

(c)

(d)

Figure 4: The majority vote over transmitter-receiver an-tenna pairs reduces false alarms and missed detections.(a),(b), and (c) show the results of the windowed variancebased line crossing detection for three antenna pairs usingWifi. In (d), we see that the majority vote eliminates falsealarms and missed detections.

times for individual antennas overlapped with each other insome cases.

To summarize, a MRW adversary should use two WiFireceivers or two groups of ZigBee nodes to detect directionof motion accurately. It is possible to achieve high accuracyeven with a single WiFi receiver in some cases (e.g. RX1in experiments House 1 and House 2), however the resultsdepend on the environment and need further investigation.

5.3 Advantages of Majority VoteIn this section, we show how our majority vote approach

helps overcome inherent uncertainties in wireless links. Allwireless links are not equally sensitive to motion occurringin their vicinity and the sensitivity varies with link fade levelalong with other factors. Since it is not possible for an ad-versary to know beforehand whether a link is good or badfor detecting LOS crossings, he relies on correlation amongmultiple closely located links and infers a line crossing onlywhen majority of these closely located links indicates a cross-ing. In our experiments, 3× 3 = 9 links between the MIMOtransmitter-receiver antenna pairs are considered for major-ity vote in the WiFi case, and groups of 3 single-antennareceivers in the ZigBee case. Figure 4 shows one scenariowhere our majority vote algorithm helps get rid of some falsealarms and missed detections due to one bad WiFi link (forclarity we show three out of the nine links) from the Univer-sity Hallway experiment. As can be seen the link in Figure4(b), fails to detect a line crossing that occurs around 100s, however the other two links (Figure 4(a) & Figure 4(c))detect the crossing and a majority vote among these threelinks detects the crossing at that time (Figure 4(d)). Simi-larly, we see that the link in Figure 4(b) flags a false alarm at180 s but the other two links do not indicate any crossing.Hence again the majority vote gets rid of the false alarmat time 180 s (Figure 4(d)), thereby improving the overallaccuracy of the system.

76

110 120 130 140−10

01020

RS

S (

dBm

)

110 120 130 140−10

01020

RS

S (

dBm

)

110 120 130 140−10

01020

RS

S (

dBm

)

Time (s)

Original

TX Power Change

Compensated

(a) TX RANDOM (WiFi)

835 840 845 850 855 860 865−90

−80

−70

RS

S (

dBm

)

835 840 845 850 855 860 865−90

−80

−70

RS

S (

dBm

)

835 840 845 850 855 860 865−90

−80

−70

RS

S (

dBm

)

Time (s)

Original

TX Power Change

Compensated

Simulated

(b) TX LINECROSS (ZigBee)

Figure 5: Measured CSI and RSS (top) without and (middle) with TX power change; and (bottom) after compensation.

NORMAL CRS CRS_CMP RND RND_CMP0

10

20

30

40

50

60

70

Mis

sed

Det

ectio

ns [%

]

1.92

32.69

1.92

46.15

3.850.00

65.38

0.00

48.08

1.921.02

58.16

0.68

32.65

0.34

WiFi_NORMWiFi_SEPZigBee

(a) Missed Detections

NORMAL CRS CRS_CMP RND RND_CMP0

0.05

0.1

0.15

0.2

0.25

0.3

Fal

se A

larm

s [%

]

0

0.199

0

0.232

00

0.242

0

0.255

00

0.219

0.002

0.254

0.010

WiFi_NORMWiFi_SEPZigBee

(b) False Alarms

Figure 6: Compensation accuracy in the University Hallway Experiment.

NORMAL CRS CRS_CMP RND RND_CMP0

10

20

30

40

50

60

Mis

sed

Det

ectio

ns [%

]

5.70

15.17

7.62

34.19

7.62

4.35

27.71

8.69

46.01

7.18

0.49

39.42

2.34

31.37

0.94

WiFi_NORMWiFi_SEPZigBee

NORMAL CRS CRS_CMP RND RND_CMP0

0.1

0.2

0.3

0.4

0.5

Fal

se A

larm

s [%

]

0.043

0.259

0.043

0.231

0.0210.005

0.219

0.020

0.377

0.0050.004

0.202

0.008

0.430

0.006

WiFi_NORMWiFi_SEPZigBee

Figure 7: Compensation accuracy in the Residential House Experiment.

77

To summarize - a single wireless link suffices in some casesin detection of line crossings between a transmitter and a re-ceiver, however the results are not always reliable due to in-herent uncertainties in link sensitivity to object movements.We can improve accuracy and reliability by correlating de-tections across multiple co-located links using a majorityvote approach.

5.4 Compensation for Transmit Power ChangeIn this section, we show how transmit power changes (ran-

dom or strategic) affect line crossing detection accuracy andhow our compensation method nullifies the effect of suchpower changes. Figure 5(a) shows the effect of random trans-mit power changes on line crossing detection for a WiFi linkbetween a single transmitter-receiver antenna pair that iscrossed three times by a moving person. The top figure cor-responds to the case when there is no transmit power change.This figure clearly shows distinct short time periods of highvariance in the CSI corresponding to the times when the per-son crosses the link. However, transmit power change masksthese distinct short term variance regions and renders linecrossing detection ineffective as can be seen in the figure inthe middle. The bottom figure plots the CSI for the samelink after compensating for the transmit power changes asdescribed in Section 3.3. Clearly, our compensation methodalmost nullifies the masking effect of transmit power changesand the attacker can detect three line crossings (high shortterm variance region) from the compensated signal. Simi-larly, Figure 5(b) shows how strategic power changes can beused to simulate link line crossings, and how our compensa-tion method eliminates these artificial variations. The topfigure plots the RSS in dBm for a ZigBee link that is crossedduring the time interval 856-860 s. The figure in the mid-dle shows one additional line crossing (high variance region)introduced in the link by strategic transmit power changesduring time interval 838-841 s. However, as seen from thebottom figure, our compensation method gets rid of the falsealarm introduced by strategic power change and we can de-tect the original line crossing from the compensated signal.

In the Figure 6 we show false alarms and missed detec-tions induced by transmit power changes and the accuracy ofour compensation method in the University Hallway experi-ment. In the figure, NORMAL corresponds to the case whenthe transmitter transmits with fixed transmit power, CRSis when strategic power changes are introduced in the datausing TX LINECROSS simulation, CRS CMP correspondsto the results when we apply our compensation method onTX CRS. Similarly, RND shows results when the transmit-ter is changing its transmit power randomly with each trans-mission, while RND CMP is the corresponding compensa-tion results.

As an example, in the University Hallway experiment, astrategic transmit power change at the WiFi transmitter in-creases the missed detections rate from 1.92% to 32.69% andthe false alarms rate from 0% to 0.199% when using a WiFireceiver with normal antenna separation. However, our com-pensation method gets rid of all the additional false alarmsand missed detections. Similarly, random power changes forthe ZigBee experiment increases the false alarms rate from0% to 0.254%, but our compensation method brings it backto only 0.010%. We obtain similar results in the Residen-tial House experiment (Figure 7). For example, for randompower changes at the ZigBee transmitter, the missed de-

tections rate increases to 31.37% from 0.94% and the falsealarms rate increases to 0.429% from 0.003% but our com-pensation method brings down the missed detection andfalse alarm rates to only 0.94% and 0.006%, respectively.

To summarize our findings, transmit power changes (strate-gic or random) increase the false alarm and missed detec-tion rates significantly. However, using our compensationmethod, an attacker can accurately estimate the transmitpower change amplitude and compensate for the same toget rid of the adverse effect caused by such changes and,still sense people location and motion with high accuracy.

5.5 Detection with Varying TransmissionRateZigBee applications in modern facilities use different trans-

mission rates for communication. To understand the effect oflower transmission rates on detection accuracy, we use thedata from TX NORMAL for both the University Hallwayand Residential House experiment to simulate lower trans-mission rates. Note that the original transmission rate isapproximately 12 Hz. We simulate three additional trans-mission rates - 6 Hz, 4 Hz and 2 Hz respectively from theoriginal data. Figure 8 shows the results of our simulation.We find that the overall detection rates decrease with lowertransmission rates. For the transmission rate of 6 transmis-sions/second, accuracy of the detector is over 98% for theUniversity Hallway experiment and over 96% for the Resi-dential House experiment. These results are similar to whatwe observe for original transmission frequency of 12 Hz. Theaccuracy is worst for transmission frequency of 2 Hz with thedetection rate being as low as 71% for the Residential Houseexperiment. For the transmission rate of 4Hz, the detectionrate degrades to 87% in the University Hallway experiment,although it remains greater than 96% for the ResidentialHouse experiment. We do not see any noticeable change inthe false alarm rates with varying transmission rate.

6. ADDITIONAL RELATED WORKIn recent years, device-free localization (DFL), in which

people who are not carrying any radio transmitters are lo-cated by a static deployed network, has been the subject ofintense research. Our MRW attack is significantly differentfrom traditional DFL work in that the MRW attack is prac-tical for large buildings, is stealthy because no transmittersare deployed by the attacker, and is immune from jamming.DFL systems such as the ones in [4, 11–13, 15, 24, 24, 25, 30]require dozens of radio transceivers deployed throughout oron many sides of the target area. Further, through-buildingDFL systems such as [25,31] assume the transmitted signalpenetrates through two external walls and any internal wallsin between, and as such have been tested only in buildings ofsmall (18 - 42 m2) size. In this paper, we show access to oneside is sufficient for an MRW attack, and it requires a signalfrom inside a building to penetrate only one external wall.Other fingerprint-based DFL systems [14, 19, 23, 27] requirecollection of training data with a person in each possiblelocation in the environment. In our MRW attack, we donot assume that an attacker has prior access to the insideof the building to be able to perform such data collection.Further, to perform DFL, an attacker must deploy somenodes which transmit, exposing them to being detected andlocated by RF source localization, while an MRW attack isstealthier in that purely passive receivers are deployed by anattacker. Finally, DFL systems’ signals could be interfered

78

University House0

5

10

15

20

25

30

35

40

45M

isse

d D

etec

tions

[%]

1.533.24

12.25

3.24

14.80

29.02

6 Hz4 Hz2 Hz

University House0

0.005

0.01

0.015

0.02

0.025

0.03

0.035

0.04

Fal

se A

larm

s [%

]

0.015

0.010

0.007

0.022

0.026

0.015

6 Hz4 Hz2 Hz

Figure 8: Detection accuracy with varying transmission rates (ZigBee).

with by a powerful jammer. In the method in this paper,any transmitter in the building, including a jammer, couldbe used as a source for MRW. The work in [5] presents athrough-walls passive WiFi radar system. In it, a receiver issituated outside the target building and a Wi-Fi AP placedinside the building and having a narrow-beamwidth direc-tional antenna is used as transmitter. The signal receivedby the passive radar detector is then used to create a range-Doppler surface and detect a moving target. Our work iscomplementary to [5], first, because we use different mea-surements. Doppler information in [5] is used to estimaterelative velocity; in our work, received power or CSI is usedto infer presence (even when stationary) on the link line. Intheory, both could be used to improve localization accuracy.For example, while a person is crossing perpendicular to thelink line, the cause no Doppler shift, but our system woulddetect their direction of motion. Second, we note that thereceiver in [5] is a specialized radar receiver with a PC forintensive offline processing. In comparison, our system usesstandard transceivers and requires little processing, and thusis suitable for real time monitoring by an adversary withonly standard hardware. We demonstrate that, random orpre-defined transmit power change, used as a possible coun-termeasure, can not protect the privacy of the location ofpeople inside the target area. To the best of our knowledge,no previous work on location privacy can function accuratelyin presence of purposeful transmit power changes.

Several existing works focusing on location privacy typi-cally assume that the victims of the attack are carrying anactively communicating wireless device [3, 6–8, 10]. We fo-cus on obtaining location information where the person be-ing monitored does not actively participate in the detectionprocess.

7. CONCLUSIONWe investigated the ability of an attacker to surrepti-

tiously use an otherwise secure wireless network to detect amoving person through walls. We designed and implementedan attack methodology, to passively obtain through wall per-son movement information, that reliably detects when a per-

son crosses the link lines between the legitimate transmittersand the attack receivers by using physical layer measure-ments. We also developed a method to determine the direc-tion of movement of a person from the sequence of link linescrossed during a short time interval. Additionally, we de-scribed how an attacker may estimate any artificial changesin transmit power (used as a countermeasure), compensatefor these power changes using measurements from sufficientnumber of links, and still detect line crossings. We imple-mented our methodology on WiFi and ZigBee nodes andexperimentally evaluated the MRW attack by monitoringpeople movements through walls in two real-world settings.We found that our methods achieve close to 100% accuracyin detecting line crossings and the direction of movement.The limitation of our proposed methodology is that it worksfor detecting movement of only a single person at a time.Future work must develop methodology for passively locat-ing multiple people through walls in more dynamic environ-ments.

AcknowledgmentsThis material is based upon work supported by the NationalScience Foundation under Grant Nos. #0748206, #0855261,#1035565, and by the ARL MURI Grant #W911NF-07-0318. The many comments from our shepherd Dr. Di Maand anonymous reviewers greatly improved the final versionof the paper.

8. REFERENCES[1] F. Adib, Z. Kabelac, D. Katabi, and R. C. Miller. 3d

tracking via body radio reflections. In Presented aspart of the 11th USENIX Symposium on NetworkedSystems Design and Implementation (NSDI 14),Seattle, WA, 2014. USENIX.

[2] F. Adib and D. Katabi. See through walls with wifi!In Proceedings of the ACM SIGCOMM 2013conference on SIGCOMM, pages 75–86. ACM, 2013.

[3] P. Bahl, V. N. Padmanabhan, and A. Balachandran.Enhancements to the radar user location and trackingsystem. Technical report, 2000.

79

[4] X. Chen, A. Edelstein, Y. Li, M. Coates, M. Rabbat,and M. Aidong. Sequential Monte Carlo forsimultaneous passive device-free tracking and sensorlocalization using received signal strengthmeasurements. In ACM/IEEE Information Processingin Sensor Networks (IPSN), April 2011.

[5] K. Chetty, G. Smith, and K. Woodbridge.Through-the-wall sensing of personnel using passivebistatic wifi radar at standoff distances. Geoscienceand Remote Sensing, IEEE Transactions on,50(4):1218 –1226, april 2012.

[6] B. Danev, D. Zanetti, and S. Capkun. Onphysical-layer identification of wireless devices. ACMComputer Survey, 45(1):6:1–6:29, 2012.

[7] B. Greenstein, R. Gummadi, J. Pang, M. Y. Chen,T. Kohno, S. Seshan, and D. Wetherall. Can ferrisbueller still have his day off? protecting privacy in thewireless era. In Proceedings of the 11th USENIXworkshop on Hot topics in operating systems,HOTOS’07, pages 10:1–10:6, Berkeley, CA, USA,2007. USENIX Association.

[8] M. Gruteser and D. Grunwald. Enhancing locationprivacy in wireless lan through disposable interfaceidentifiers: a quantitative analysis. Mob. Netw. Appl.,10(3):315–325, June 2005.

[9] D. Halperin, W. Hu, A. Sheth, and D. Wetherall. Toolrelease: gathering 802.11n traces with channel stateinformation. SIGCOMM Comput. Commun. Rev.,41(1):53–53, Jan. 2011.

[10] T. Jiang, H. J. Wang, and Y.-C. Hu. Preservinglocation privacy in wireless LANs. In In Proceedings of5th International Conference on Mobile Systems,Applications, and Services (MobiSys 2007, pages246–257. ACM Press, 2007.

[11] O. Kaltiokallio and M. Bocca. Real-time intrusiondetection and tracking in indoor environment throughdistributed rssi processing. In 2011 IEEE 17th Intl.Conf. Embedded and Real-Time Computing Systemsand Applications (RTCSA), volume 1, pages 61 –70,Aug. 2011.

[12] O. Kaltiokallio, M. Bocca, and N. Patwari. Follow@grandma: Long-term device-free localization forresidential monitoring. In Local Computer NetworksWorkshops (LCN Workshops), 2012 IEEE 37thConference on, pages 991 –998, oct. 2012.

[13] M. A. Kanso and M. G. Rabbat. Compressed RFtomography for wireless sensor networks: Centralizedand decentralized approaches. In 5th IEEE Intl. Conf.on Distributed Computing in Sensor Systems(DCOSS-09), Marina Del Rey, CA, June 2009.

[14] A. E. Kosba, A. Saeed, and M. Youssef. Rasid: Arobust WLAN device-free passive motion detectionsystem. In 2012 IEEE International Conference onPervasive Computing and Communications (PerCom),pages 180–189, 2012.

[15] R. K. Martin, C. Anderson, R. W. Thomas, and A. S.King. Modelling and analysis of radio tomography. InCAMSAP, pages 377–380, 2011.

[16] D. Niculescu and B. Nath. Ad hoc positioning system(aps) using aoa. In INFOCOM, volume 3, pages1734–1743. IEEE, 2003.

[17] N. B. Priyantha, A. Chakraborty, andH. Balakrishnan. The cricket location-support system.In Proceedings of the 6th annual internationalconference on Mobile computing and networking, pages32–43. ACM, 2000.

[18] Q. Pu, S. Gupta, S. Gollakota, and S. Patel.Whole-home gesture recognition using wireless signals.In Proceedings of the 19th annual internationalconference on Mobile computing & networking, pages27–38. ACM, 2013.

[19] M. Seifeldin, A. Saeed, A. Kosba, A. El-Keyi, andM. Youssef. Nuzzer: A large-scale device-free passivelocalization system for wireless environments. MobileComputing, IEEE Transactions on, PP(99):1, 2012.

[20] W. C. Stone. Nist construction automation programreport no. 3: Electromagnetic signal attenuation inconstruction materials. Building Fire Res. Lab., Nat.Inst. Standards Technol., Gaithersburg, MD, Tech.Rep. NISTIR, 6055, 1997.

[21] C. D. Taylor, S. J. Gutierrez, S. L. Langdon, K. L.Murphy, and W. A. Walton III. Measurement of RFpropagation into concrete structures over thefrequency range 100 MHz to 3 GHz. In WirelessPersonal Communications, pages 131–144. Springer,1997.

[22] Texas Instruments. A USB-enabled system-on-chipsolution for 2.4 GHz IEEE 802.15.4 and ZigBeeapplications.

[23] F. Viani, P. Rocca, M. Benedetti, G. Oliveri, andA. Massa. Electromagnetic passive localization andtracking of moving targets in a WSN-infrastructuredenvironment. Inverse Problems, 26:1–15, March 2010.

[24] J. Wilson and N. Patwari. Radio tomographic imagingwith wireless networks. IEEE Transactions on MobileComputing, 9(5):621–632, May 2010.

[25] J. Wilson and N. Patwari. See Through Walls: MotionTracking Using Variance-Based Radio TomographyNetworks. IEEE TMC, 2010.

[26] R. Wilson. Propagation losses through commonbuilding materials 2.4 GHz vs 5 GHz. TechnicalReport E10589, Magis Networks, Inc., August 2002.

[27] C. Xu, B. Firner, Y. Zhang, R. Howard, J. Li, andX. Lin. Improving RF-based device-free passivelocalization in cluttered indoor environments throughprobabilistic classification methods. In IPSN, pages209–220, 2012.

[28] M. Youssef, M. Mah, and A. K. Agrawala. Challenges:device-free passive localization for wirelessenvironments. In MOBICOM, pages 222–229, 2007.

[29] D. Zhang, J. Ma, Q. Chen, and L. M. Ni. Dynamicclustering for tracking multiple transceiver-freeobjects. In IEEE PerCom’09.

[30] D. Zhang, J. Ma, Q. Chen, and L. M. Ni. AnRF-based system for tracking transceiver-free objects.In Fifth Annual IEEE International Conference onPervasive Computing and Communications(PerCom-07), pages 135–144, 2007.

[31] Y. Zheng and A. Men. Through-wall tracking withradio tomography networks using foregrounddetection. In IEEE WCNC, pages 3278–3283, 2012.

80