berkus
/
wifi-densepose
mirror of https://github.com/ruvnet/wifi-densepose.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
wifi-densepose/docs/research/BFLD/01-sota-survey.md

15 KiB
Raw Blame History

BFLD SOTA Survey — Beamforming Feedback: State of the Art

1. BFI vs CSI: Physical-Layer Differences and Leakage Profiles

1.1 Channel State Information (CSI)

CSI is the raw complex channel frequency response (CFR) measured at the receiver across all subcarriers and antenna pairs. Extracting CSI requires either (a) firmware modifications on the receiving NIC (Atheros CSI Tool, Nexmon CSI patch for BCM43455c0 on Raspberry Pi 4/5) or (b) a specialized radio (software-defined radio with 802.11 decoders). The resulting matrix is typically Ntx × Nrx × Nsubcarrier complex floats — dense, high-dimensional, and not transmitted over the air in standard operation.

This project's existing rvCSI runtime (vendor/rvcsi/) captures CSI via the Nexmon firmware patch on Raspberry Pi hardware (ADR-095/096). The ESP32-S3 on COM9 cannot produce CSI in the format needed for the full pipeline — it lacks the antenna count and the firmware support for per-subcarrier phase extraction at the fidelity rvcsi expects.

1.2 Beamforming Feedback Information (BFI)

BFI is fundamentally different: it is the compressed representation of the channel that a STA (station/client) sends back to an AP (access point) so the AP can steer its beam toward the client. The standard (IEEE 802.11ac/ax, section 9.4.1.52) defines the compressed beamforming format as:

  1. The AP transmits a Null Data Packet (NDP) sounding frame.
  2. The STA measures the channel from the NDP, computes the singular-value decomposition V = U Sigma V^H, then compresses the right singular vectors using a series of Givens rotations.
  3. The Givens rotation produces a set of angles: Phi (φ) angles in [0, 2π) and Psi (ψ) angles in [0, π/2). In 802.11ac these are quantized to 7 and 5 bits respectively; in 802.11ax the default is 4 bits for φ and 2 bits for ψ.
  4. The STA transmits a VHT/HE Compressed Beamforming frame (CBFR) containing those quantized angles, one set per active subcarrier (or per compressed subcarrier group), plus an SNR field per stream.

The CBFR is a management-plane 802.11 frame, not an 802.3 data frame. It is transmitted before association encryption is negotiated; in WPA2/WPA3 deployments, the beamforming sounding and feedback exchange happens in the clear because WPA2/WPA3 encrypt data frames only. Even 802.11ax (Wi-Fi 6/6E) with Protected Management Frames (PMF) enabled does NOT encrypt action frames in the beamforming exchange by default on commodity APs as of 2025 (NDSS 2025 finding, "Lend Me Your Beam", https://www.ndss-symposium.org/ndss-paper/lend-me-your-beam-privacy-implications-of-plaintext-beamforming-feedback-in-wifi/).

Key asymmetry: extracting CSI requires physical access to a device and firmware modification; extracting BFI requires only a WiFi adapter in monitor mode and a parser for the CBFR frame format. Wi-BFI (Haque, Meneghello, Restuccia; ACM WiNTECH 2023, https://arxiv.org/abs/2309.04408) is an open-source pip-installable tool that does exactly this.

1.3 Why BFI Is Uniquely Dangerous

CSI is a research instrument — accessing it requires deliberate effort. BFI is a production protocol artifact that any 802.11ac/ax STA broadcasts periodically as a matter of course. The attack-surface implications:

  • No firmware modification needed on the target device or AP.
  • Passive capture is sufficient. Frames are broadcast in all directions, not beamformed, so a nearby attacker receives them at essentially the same SNR as the AP.
  • Structured leakage: the Phi/Psi angle matrices encode a compressed but non-trivially-invertible representation of the spatial channel, which includes multipath geometry that is body-shaped — the human body is a dielectric obstacle whose shape and movement modulate the channel.
  • Regularity: sounding happens at the AP's request, typically at 540 Hz in modern 802.11ax deployments. A 60-second capture at 10 Hz produces 600 CBFR frames — sufficient for the BFId classifier to achieve >90% re-identification accuracy (ACM CCS 2025, https://dl.acm.org/doi/10.1145/3719027.3765062).

2. Compressed Angle Matrices: The Identity Surface

2.1 Givens Rotation Reconstruction

The Phi/Psi angles encode a unitary matrix via the Givens rotation decomposition:

V = G(N, N-1, φ_{N,N-1}, ψ_{N,N-1}) · G(N, N-2, ...) · ... · G(2,1, φ_{2,1}, ψ_{2,1}) · D

where D is a diagonal phase matrix. For a 2×2 MIMO system this is two angles; for a 4×4 system this is 12 angles. Each "column" in the BFI payload corresponds to one subcarrier group (or every 4th subcarrier in 802.11ax, every 2nd in 802.11ac).

The resulting per-subcarrier angle sequence is a time-varying signature of the spatial channel. Because the human body modulates the multipath channel, this sequence encodes body-specific geometry. The BFId paper (https://dl.acm.org/doi/10.1145/3719027.3765062) demonstrates that a supervised classifier trained on these sequences achieves identity recognition on a 197-person dataset.

2.2 The AI/ML Compression Feedback Loop

IEEE 802.11 standardization is actively exploring AI/ML-based compression for beamforming feedback (IEEE 802.11bn / Wi-Fi 8 study group, "Toward AIML Enabled WiFi Beamforming CSI Feedback Compression", https://arxiv.org/html/2503.00412v1). This work proposes neural codebooks that reduce feedback overhead. An important side effect: the learned latent space of a neural BFI compressor may be more identity-discriminative than the raw angles, because neural compression tends to preserve class-discriminative variance. BFLD must be designed to handle compressed BFI encodings, not just the raw Phi/Psi format.

3. Tooling Landscape

3.1 Wi-BFI

3.2 PicoScenes

  • Source: https://www.semanticscholar.org/paper/Eliminating-the-Barriers-Demystifying-Wi-Fi-Baseband-Jiang-Zhou/...
  • Capabilities: cross-NIC CSI and CBFR measurement platform; supports Intel AX200, AX210, Atheros AR9300, QCA6174; runs on Linux with custom kernel modules.
  • Relevance to BFLD: PicoScenes can simultaneously capture CSI and BFI from the same frame sequence, enabling the CSI+BFI fusion path described in the BFLD spec (csi_matrix optional input). The rvcsi adapter layer (vendor/rvcsi/) already handles the Nexmon PCap format; a PicoScenes adapter is a future extension.

3.3 Nexmon CSI (BCM43455c0)

  • Source: https://github.com/seemoo-lab/nexmon_csi
  • Hardware: Raspberry Pi 4/5 with BCM43455c0 chip — the same hardware used in cognitum-v0 (Pi 5 appliance in this fleet, see CLAUDE.local.md).
  • Capabilities: per-subcarrier complex CSI in monitor mode; 4×4 MIMO on Pi 5 with BCM43456.
  • Relevance to BFLD: the rvcsi nexmon adapter already routes PCap frames from this hardware into the wifi-densepose pipeline. BFI extraction on the same hardware requires an additional sniffer for CBFR frames alongside the CSI sniffer.

3.4 Atheros CSI Tool / iwlwifi CSI

  • Legacy tools for Intel and Atheros NICs; require kernel module injection. Not relevant to the current hardware fleet (ESP32-S3 + Raspberry Pi 5), but documented here for completeness and for future Intel AX210-based deployments.

4. Identity Inference Attacks

4.1 BFId (ACM CCS 2025)

Reference: Todt, Morsbach, Strufe; KIT. ACM CCS 2025. https://dl.acm.org/doi/10.1145/3719027.3765062 https://publikationen.bibliothek.kit.edu/1000185756 Dataset: https://ps.tm.kit.edu/english/bfid-dataset/index.php

BFId is the first published identity-inference attack that uses BFI exclusively (no CSI). The methodology:

  1. Dataset: 197 individuals, multiple sessions, multiple AP angles. Each subject walked a defined path while their STA continuously triggered BFI exchanges. CSI was also recorded simultaneously for comparison.
  2. Feature extraction: temporal sequences of Phi/Psi angle matrices, windowed at varying lengths. Basic statistical features (mean, variance, cross-subcarrier correlation) fed a shallow classifier.
  3. Results: re-identification accuracy >90% with as little as 5 seconds of BFI. Performance was robust to different walking styles and viewing angles — consistent with the hypothesis that anthropometric body shape (torso width, stride, limb geometry) rather than gait phase is the primary discriminator.
  4. Comparison to CSI: BFI-only accuracy was comparable to CSI-only accuracy for identity tasks, despite BFI being a compressed representation. This confirms that the Givens angle compression preserves identity-discriminative variance.

4.2 LeakyBeam (NDSS 2025)

Reference: Xiao, Chen, He, Han, Han; Zhejiang U., NTU, KAIST. NDSS 2025. https://www.ndss-symposium.org/ndss-paper/lend-me-your-beam-privacy-implications-of-plaintext-beamforming-feedback-in-wifi/

LeakyBeam targets occupancy detection (is a person present?) rather than identity. Key findings:

  • BFI is detectable through walls at 20 m range with commodity hardware.
  • True positive rate 82.7%, true negative rate 96.7% in real-world evaluation.
  • The attack works because BFI encodes motion-induced channel perturbations even through obstacles — the Phi/Psi angle variance changes measurably when a body enters the room.
  • The defense (obfuscating BFI before transmission) requires minimal hardware changes.

Implication for BFLD: if a passive attacker with no relationship to the AP can detect occupancy, then the BFLD node is implicitly broadcasting presence information unless active obfuscation is deployed at the STA firmware level. BFLD cannot prevent this passive attack — it can only ensure the node's own output does not additionally leak identity.

4.3 Prior RF-Based Gait and Biometric Inference

Before BFI-specific attacks, the threat landscape was already established through CSI-based attacks:

  • Gait from CSI: WiGait (2017), Wi-Gait (ScienceDirect 2023, https://www.sciencedirect.com/science/article/abs/pii/S1389128623001962), Gait+Respiration ID (IEEE Xplore 2021, https://ieeexplore.ieee.org/document/9488277) all demonstrate >90% gait-based re-identification from standard WiFi.
  • Breathing biometrics: Respiration rate and depth are person-specific at a population level. IEEE 802.11 CSI captures breathing as amplitude oscillations at 0.10.5 Hz.
  • Anthropometric inference: Hand size, torso width, and limb geometry modulate the channel; classifiers trained on activity data have been shown to leak anthropometrics as a side effect.

The BFId finding that BFI achieves comparable accuracy to CSI for identity is consistent with this prior body of work — it simply demonstrates the attack is achievable with a lower barrier to entry.

5. Privacy-Preserving Sensing: Current State of the Art

5.1 Differential Privacy on RF Embeddings

"Differentially Private Feature Release for Wireless Sensing: Adaptive Privacy Budget Allocation on CSI Spectrograms" (https://arxiv.org/pdf/2512.20323) applies Laplace/ Gaussian mechanisms to CSI spectrograms, calibrating epsilon per subcarrier based on empirical sensitivity. Results show meaningful reduction in identity-inference accuracy while preserving activity-recognition utility at epsilon = 1.04.0.

BFLD's identity_risk_score could be used as an adaptive epsilon selector: high-risk frames receive a tighter privacy budget (more noise), low-risk frames pass unmodified. This is a forward-looking integration not in the current spec.

5.2 Federated / Local-Only Inference

The consensus across 20242025 literature on wireless federated learning (https://arxiv.org/pdf/2603.19040, https://arxiv.org/pdf/2109.09142) is that local differential privacy (LDP) with gradient perturbation is achievable on resource- constrained edge devices. For BFLD's use case the critical property is simpler: the identity embedding never needs to leave the node. There is no federated learning step for identity. The risk score is a local computation whose output is published; the embedding that produced it is not.

5.3 ZK Attestation for Sensing

ZK-SenseLM (https://arxiv.org/pdf/2510.25677) proposes zero-knowledge proofs that a sensing model's output derives from legitimate data. This is architecturally close to ADR-028's witness-bundle approach. Future BFLD work could use ZK proofs to attest that the identity_risk_score was computed from the claimed input without revealing the input.

5.4 "Protecting Human Activity Signatures in Compressed IEEE 802.11 CSI Feedback"

(https://arxiv.org/pdf/2512.18529) — This 2024 paper directly addresses activity- signature leakage in CBFR frames and proposes perturbation of Phi/Psi angles at the STA before transmission. The defense is the dual of BFLD's approach: BFLD detects leakage at the receiver; this paper proposes suppression at the transmitter. Both approaches are complementary.

6. Relationship to Existing Project ADRs

ADR-027 (MERIDIAN cross-environment generalization): BFLD's cross-room hash rotation directly instantiates the "no cross-site correlation" invariant that MERIDIAN assumes for privacy-safe multi-room deployment.

ADR-028 (ESP32 capability audit + witness verification): The deterministic-proof pattern (verify.py + SHA-256 expected hash) is the template for BFLD's own acceptance test. BFLD must produce a deterministic frame hash given the same input — acceptance criterion 6 in the spec.

ADR-024 (AETHER contrastive CSI embedding): BFLD reuses the AETHER embedding infrastructure for its identity_risk measurement. The risk score is a function of how separable the current embedding is from the population of known embeddings.

ADR-029/030 (RuvSense multistatic + field model): BFLD's cross_perspective_ consistency component of the risk formula requires correlation across multiple sensor viewpoints — the multistatic infrastructure from ADR-029 provides this.

ADR-032 (multistatic mesh security hardening): The BFLD threat model is a superset of the security model in ADR-032. ADR-032 covers mesh compromise; BFLD adds the passive sniffing threat at the management-plane layer.

7. Open Technical Questions

  1. BFI capture on ESP32-S3: The ESP32-S3's esp_wifi_csi_set_config API provides CSI via the vendor-specific Espressif HT20 format. It does not expose VHT/HE CBFR frames. BFI capture on this hardware likely requires host-side sniffing (Pi 5 + Nexmon in monitor mode, already available on cognitum-v0).

  2. Quantization resolution degradation: At 4 bits for φ and 2 bits for ψ (802.11ax defaults), the angle resolution is coarser than in 802.11ac (7/5 bits). The BFId paper used 802.11ac hardware. BFLD must validate that the identity_risk_score calibration remains valid at lower quantization.

  3. WiFi 7 (802.11be) changes: 802.11be introduces multi-link operation (MLO) and may change the sounding/feedback cadence. BFLD's frame format (magic 0xBF1D_0001, version byte) is designed to accommodate future protocol versions.