Your body alone - no phone, no wearable, no connected device of any kind - may be enough to identify you with near-perfect accuracy, according to research from the Karlsruhe Institute of Technology in Germany. Researchers there have demonstrated that standard Wi-Fi infrastructure, the kind already installed in homes, offices, and public venues worldwide, can be repurposed to track and identify individuals based solely on how they move through a space. The method requires no modification to existing hardware and exploits a feature built into Wi-Fi standards that hundreds of millions of routers already support.
How an Everyday Wi-Fi Feature Becomes a Surveillance Tool
The vulnerability centers on a technical capability called Beamforming Feedback Information, or BFI - a feature introduced with Wi-Fi 5 and carried forward in subsequent generations. Beamforming was designed to improve wireless performance: routers use it to direct signal energy toward connected devices rather than broadcasting uniformly in all directions, which reduces interference and improves speeds. To do this, devices continuously exchange channel state data with access points, effectively describing how the wireless signal is behaving in the surrounding physical environment.
The critical problem is that these feedback signals are transmitted in the clear. They carry no encryption, no authentication requirement, and no access control. Any Wi-Fi-capable device within range can passively capture this data stream without alerting the router or any connected user. When a person moves through a room, their body absorbs and deflects radio waves, creating characteristic distortions in the BFI signal. Those distortions are not random - they encode information about the person's size, posture, and movement patterns.
The Karlsruhe researchers built machine learning models trained to interpret these distortions as what they called "radio images" - spatial representations of human movement reconstructed from signal interference rather than light. In tests involving 197 individuals, the system identified people based on their gait and body structure with an accuracy of 99.5 percent. That figure comes directly from the researchers' reported findings and represents a level of precision that rivals conventional optical recognition systems, without requiring any camera or visible sensor.
Why the Absence of Personal Data Offers No Real Protection
A natural first response is to note that BFI data contains no names, no account details, no obvious personal identifiers. That framing, while technically accurate, misses how modern surveillance actually functions. Raw radio data does not need to carry a name to become a privacy threat - it needs only to be linkable to other data sources that do.
In practice, an attacker or an institution with access to BFI streams from a given location could cross-reference movement signatures against historical smartphone location records, building access logs, retail loyalty data, or any dataset that places specific individuals at specific coordinates over time. Once a movement signature is matched to an identity even once - through a moment when a phone was present, or a payment was made - every future detection at that location becomes attributed. The person becomes trackable without carrying anything at all.
This threat model is particularly acute for individuals whose physical presence in certain locations already carries risk: journalists meeting confidential sources, political activists attending organizing meetings, whistleblowers visiting legal counsel. Existing surveillance countermeasures - leaving a phone at home, using cash, avoiding tracked transport - offer no protection against a technology that reads the body itself as an identifier.
A Standards Problem With No Quick Fix
What makes this research especially consequential is that the vulnerability is structural, not incidental. It exists because BFI was never designed with privacy in mind - it was engineered purely for performance, and the assumption that passive radio data was too noisy or too difficult to exploit has been overtaken by the capabilities of modern machine learning. The gap between what Wi-Fi standards assumed was safe and what AI-assisted signal processing can now extract is wide and growing.
The researchers have called on international standards bodies and technology regulators to require encryption of BFI signals in future Wi-Fi specifications. That is a reasonable long-term demand, but standards processes move slowly. The IEEE, which governs Wi-Fi standards, works on timelines measured in years, and any new requirement would apply only to hardware manufactured after the standard is adopted. The installed base of existing routers - numbering in the billions globally - would remain exposed indefinitely.
For individuals and organizations operating now, the options are limited. Router firmware updates may eventually address the most exposed configurations, but BFI is a feature of the wireless protocol itself, not a software bug in any single product. Disabling Wi-Fi in sensitive environments is technically effective but operationally impractical for most institutions. The more realistic near-term posture is heightened caution about the physical environments in which sensitive activities occur - and an honest acknowledgment that wireless infrastructure, long treated as a background utility, is a surveillance surface that has never been properly regulated as such.
The Broader Pattern This Research Exposes
This is not the first time researchers have demonstrated that ambient radio signals can be turned against privacy. Earlier work showed that standard Wi-Fi could be used to detect breathing patterns and count people in rooms. Cellular network signals have been used to infer location with building-level precision. Radar-based sensing has been embedded in consumer smart-home devices. Each of these developments followed the same arc: a signal designed for one purpose was found to leak information about human behavior that its designers never intended to expose.
What the Karlsruhe findings add is scale and specificity. Identifying a specific individual from 197 candidates by gait alone, using only unmodified off-the-shelf Wi-Fi hardware and machine learning, is a meaningful threshold. It means the technique is not confined to laboratory conditions or exotic equipment. The infrastructure required is already everywhere.
Privacy law and technology regulation have consistently struggled to keep pace with what sensing and inference technology can accomplish. Data protection frameworks in jurisdictions like the European Union focus heavily on data that is explicitly personal - names, identification numbers, biometric records under controlled conditions. The legal status of passively captured radio-frequency behavioral data, processed by an algorithm into an identity match, sits in a gray area that most existing frameworks were not written to address. Closing that gap will require regulators to think about inference and linkability, not just about the surface form of the data being collected.
