As Australia encounters a rapid proliferation of Internet of Things (IoT) devices, it is easy to see that we are becoming a more connected nation. According to Grandview Research, the IoT in retail sector has a current annual growth rate of 26 per cent, and brick and mortar shops are increasingly being transformed into digital stores with WiFi and internet interfaces to improve customer experience.
Unfortunately, services offered under the guise of customer satisfaction often have underlying motivations, such as the collection of user data for commercial gain.
Only recently has the public become privy to these malicious practices in the social media industry, with widespread coverage of the Cambridge Analytica scandal. Facebook had unethically harvested user data from millions of users, which was used by Cambridge Analytica to formulate political advertising strategies.
This event has created much-needed discourse in parliament around privacy rights and increased protection for consumer data, however, lawmakers are in a scramble to keep up with the rapid development of new, dangerous technologies.
With increased IoT penetration, public spaces will see the application of WiFi sensing, an emerging technology which has shown the ability to monitor and track people’s movement and behaviour using passive WiFi signals from commodity devices.
WiFi sensing works much like a flashlight which you can shine into a room. In the same way that light is blocked and reflected for our eyes to observe, WiFi signals are also blocked and impeded by people’s bodies.
Recent work has applied Artificial Intelligence (AI) to study these WiFi blockages and harvest information about people in the room. Information such as the number of people, their location, body size, heartrate and even their phone passwords has been harvested using AI on these WiFi signals.
This information could be used to gauge your needs as a consumer or as information for advertising agencies. Imagine if as soon as you walk into a store, the store could detect your body shape and gender and sell this information to data analytics companies.
Perhaps the most concerning part is that this data is extracted without the user knowing, since current WiFi sensing technologies are not regulated to require any cooperation from the sensing subjects.
Unlike other tracking technologies such as CCTV, the public is not aware that inconspicuous WiFi devices can be used to watch them.
Although WiFi sensing is possible using commodity devices, these devices represent a small subset of WiFi devices out in the wild.
As the IEEE 802.11bf WiFi standard is released in the coming years, the problem of WiFi sensing will become even more critical since the overwhelming majority of devices will now be equipped with these capabilities.
This means that any of those bricks and mortar stores equipped with IoT devices will now have access to your sensitive data, without your knowledge.
We are pioneering the Australian effort to understand the scope of these attacks, with research conducted at the University of New South Wales (UNSW) directly verifying that attackers can see who is inside a room and what they are doing!
With this impending privacy threat looming, we propose that the government promptly enact policy which requires an electronic handshake to confirm a patron’s consent to being tracked.
In the same way that policy has changed the way software companies inform users about data mining, we are calling on the government to remain a step-ahead by creating a requirement for informed consent in WiFi sensing systems.
Specifically, we propose a technological solution in the form of a smartphone app which can receive requests for consent from public sensing systems when a user wanders into the sensing zone.
Once aware of the sensing threat, the smartphone app could obfuscate WiFi signals in the region surrounding its owner using interference techniques or shielding methods.
Following the success of the COVIDSafe application throughout the pandemic, we implore the government to enlist similar resources in developing a WiFi sensing safety application.
Furthermore, we suggest that the government directly confront IoT infrastructure manufacturers, such as Cisco and Netgear, who would benefit most from the distribution of WiFi sensing capable devices to their already large customer bases.
We have seen already that tech companies will constantly push the envelope of consumer rights and data laws, so it is imperative that Australia is proactive in creating boundaries for IoT companies to protect the public interest.
WiFi sensing can be incredibly useful in mandated situations. However, this innovation creates a new security problem that must be addressed.
Aryan Sharma is a PhD Student at the University of New South Wales, having completed a Master of Electrical Engineering in 2020. His research interests include WiFi Sensing and Machine Learning for Cyber Security. This paper was co-authored by Junye Li, Eranga Perera, Deepak Mishra, Joseph Davis & Aruna Seneviratne
