Your Router Is Watching You: The Dark Side of Wi-Fi Sensing Technology

4 September 2025 Reading time: 7 minutes

Have you ever wondered whether your humble Wi-Fi router could tell who entered your living room, when they moved or even what they were doing? That question is no longer theoretical: it has become a reality thanks to Wi-Fi Sensing technology. While the idea sounds like something out of science fiction, many of today’s routers are already capable of turning into motion detectors and more.

How does the magic work?

At its core, Wi-Fi Sensing relies on beamforming: a clever method employed by the majority of modern routers that lets them focus their signals on specific devices while communicating with them. We are talking about routers equipped with multiple antennas and supporting at least 802.11ac (also referred to as “Wi-Fi 5”). Beamforming generally results in a faster connection and a stronger signal, which we have all come to rely on when browsing the Internet, streaming our favourite movies or playing online games. But this is only a part of the story.

In our modern houses, every device - your smart speaker, TV or printer - is quietly and constantly emitting radio waves. When these signals bounce off objects and people, they change subtly. Routers equipped with beamforming steer their antennas to maximise signal strength towards each device, constantly measuring the Channel State Information (CSI) - the amplitude and phase of the radio waves as they arrive at the receiver.

When a person walks between the router and one of its connected devices, that human body introduces tiny changes in the pattern of radio waves. The router detects these deviations as shifts in CSI. By feeding those patterns to machine learning algorithms, it is possible to recognise movement, detect an intrusion, or even infer specific actions such as standing up or waving a hand. All this happens at the very edge of the network - inside the router itself - so no extra hardware is required beyond what most households already have. What begins as simple motion detection eventually becomes a highly accurate system that can tell where you are at different times of day, in which particular room, and how many people are with you. Wi-Fi Sensing is capable of detecting with high accuracy (and leaking!) users’ personal characteristics such as height, weight or gender, potentially breaching privacy regulations.

Implications

Many could welcome Wi-Fi sensing into their lives for its convenience, as “yet another smart home feature”: lights that switch on when a user walks through the door and switch off automatically once they leave. What's not to like: you get a home surveillance system for free.

However, as it stands now, users are unaware that these innovations can easily introduce security threats into their very own homes. In the hands of malicious individuals, Wi-Fi sensing can be misused and pose a serious threat to personal or corporate security and privacy, exposing even the most seemingly secure living environments.

It is not only homeowners who can monitor who comes and goes. Vendors can easily share the collected motion or presence data with police or other “third parties” on demand. The collected information can also be sold or stolen, revealing the life patterns of thousands of homeowners.

We should not forget that home routers are already frequent targets for hackers who either eavesdrop on users or profit from the collected data in various ways. Nothing stops malicious actors from “mining” motion sensor data and, e.g. selling those insights to burglars or “whoever pays”.

Fun fact: the IEEE 802.11bf amendment, expected in 2025, will formally standardise Wi-Fi sensing. It adds MAC and PHY layer features that enable robust sensing both in the sub-7 GHz bands and at frequencies above 45 GHz. Once published, 802.11bf will provide a unified framework for presence detection, recognition of human activities and environment monitoring using existing Wi-Fi infrastructure. So there will be more Wi-Fi Sensing everywhere, and we all have to understand the security implications of this technology well.

Can We Protect Ourselves?

Protecting yourself against these types of vulnerabilities is more crucial than you think. You have no influence over anything that happens on the vendor’s side, but you certainly have control over what happens in your home or office. Because Wi-Fi sensing relies on the standard wireless signals that already fill our environment, it’s nearly impossible to block it entirely. However, you can still reduce its potential dangers by shielding critical spaces from wireless signals. In highly sensitive areas, such as research labs or conference rooms, take care to block Wi-Fi entirely: proper signal shielding neutralises attacks that depend on Wi-Fi Sensing. If you want to go one step further, consider installing structural barriers such as Faraday cages, using materials that absorb or reflect radio waves, or otherwise preventing the signals from leaking into or out of those spaces.
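To make the mechanism and the mitigation concrete, here is a toy model written for this page (it is not code from the article or from any router vendor). It simulates the CSI amplitude of one subcarrier: a constructed noise floor, a constructed fade whenever a person crosses the link, and a simple "short-window variance above the empty-room noise floor" motion detector. The `shielding_db` parameter is an assumed attenuation from a barrier between the occupied space and the link; receiver noise is added after the loss because the receiver's own noise is never shielded away. Running it shows why the detector flags the right seconds in the unshielded case and why, once the channel modulation drops below the noise floor, the same detector sees nothing.

```python
import math
import random
import statistics

# Toy model of the mechanism described above: a single Wi-Fi subcarrier's
# CSI amplitude, sampled at a fixed rate. A body crossing the path modulates
# the channel; the router sees that as a rise in short-window variance.
# Every number here is constructed for illustration, not measured CSI.


def synth_csi(seconds, rate, motion_windows, shielding_db=0.0,
              noise_std=0.02, base_amp=1.0, motion_depth=0.15, seed=1):
    """Generate constructed CSI amplitude samples.

    motion_windows: list of (start_s, end_s) during which a person moves.
    shielding_db:   assumed amplitude loss of a barrier between the people and
                    the link (0 = unshielded). Receiver noise is added after
                    the loss, because the receiver's own noise is not shielded.
    """
    rng = random.Random(seed)
    gain = 10 ** (-shielding_db / 20)          # dB -> amplitude factor
    samples = []
    for i in range(seconds * rate):
        t = i / rate
        channel = base_amp
        if any(start <= t < end for start, end in motion_windows):
            # slow 1.5 Hz fade standing in for a body crossing the path
            channel += motion_depth * math.sin(2 * math.pi * 1.5 * t)
        samples.append(channel * gain + rng.gauss(0, noise_std))
    return samples


def noise_floor(empty_room_samples):
    """Calibrate on a window known to be empty: its std-dev is the noise floor."""
    return statistics.pstdev(empty_room_samples)


def detect_motion(samples, rate, window_s, threshold):
    """Flag each window_s-long window whose amplitude std-dev exceeds threshold.

    Returns one boolean per window (True = motion detected).
    """
    n = window_s * rate
    flags = []
    for w in range(len(samples) // n):
        chunk = samples[w * n:(w + 1) * n]
        flags.append(statistics.pstdev(chunk) > threshold)
    return flags


def run_demo(shielding_db=0.0, rate=20, seconds=10, motion=((4.0, 7.0),)):
    """Calibrate on the first two seconds (room empty), then detect over the run."""
    samples = synth_csi(seconds, rate, list(motion), shielding_db=shielding_db)
    threshold = 3 * noise_floor(samples[:2 * rate])   # 3x the empty-room noise
    return detect_motion(samples, rate, 1, threshold)


if __name__ == "__main__":
    print("unshielded:    ", run_demo())        # seconds 4-6 flagged
    print("40 dB shielded:", run_demo(40.0))    # modulation buried in noise
```

The detector is deliberately naive (a variance threshold, no machine learning), which is the point: even that is enough to tell an occupied second from an empty one when the link is unshielded, and the only thing that defeats it in the model is pushing the channel's modulation below the receiver noise, which is what physical shielding of a room does.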

Don’t forget about the elements of standard cyber hygiene. Make sure all Wi-Fi-enabled smart devices within your network are properly patched, their software up to date, and that strict WPA2 or WPA3 security is in place. If possible, avoid sharing passwords with people outside your “circle of trust” (personal or corporate) who sometimes have little understanding of security. Using guest Wi-Fi passwords with an expiry time could be a good idea. One more thing worth remembering: think twice before introducing a new device to your home or corporate Wi-Fi network, especially if the vendor is, let’s call it, “questionable”. I would also strongly recommend avoiding registration with the vendor’s cloud services unless it is absolutely necessary and you understand all the implications. If you have no choice and must register, use a disposable email address and do not provide any of your personal details (yes, I am talking about security cameras, cleaning robots, etc.).

Finally, always stay proactive: monitor your network for anomalies, keep up to date with emerging risks, and remember that having even simple measures in place, like regular updates, strong keys and cautious onboarding, is better than doing nothing.

More Information

  • A large collection of Wi-Fi Sensing resources (https://www.wifisensing.io)
  • ESPARGOS is a very large dataset (~120 GB, https://espargos.net) available if you want to conduct your own research. The dataset was created with a phase-locked antenna array and allows studying spatial problems such as positioning, segmentation and phase effects.

[The article is also published on LinkedIn]


The AI Hiring Bot Has Millions of Sensitive Data Records Exposed

10 July 2025 Reading time: 5 minutes

TL;DR: Multiple vulnerabilities found in McDonald's AI-powered hiring system exposed the data of 64 million job applicants. Security issues such as weak passwords and a lack of robust security design left sensitive information exposed in the wild. This is one more wake-up call for companies to reassess their reliance on automated systems and take concrete steps to protect sensitive information. [Source].

Cybersecurity is never limited to just IT systems but extends to all corporate environments. This story is about hacking an automated AI-driven hiring mechanism. Imagine a scenario where you apply for a job online only to find your sensitive personal data - name, email address and phone number - being shared without your consent on the dark web. Sounds far-fetched? Unfortunately not. The recent research shows that 64 million applicants' personal data records in McDonald's AI hiring system, McHire, could have been easily compromised.

Not-So-Tasty Recruitment System

Security researchers Ian Carroll and Sam Curry found that the McDonald's McHire platform, developed by AI software company Paradox.ai, had numerous (basic!) security vulnerabilities, enabling hackers to breach the applicant database with a simple administrator password like "123456". After gaining access to the McHire system, the researchers uncovered an Insecure Direct Object Reference (IDOR) vulnerability in the applicant database. By enumerating applicant IDs, they were able to access every record in the database. This flaw enabled access to a massive amount of sensitive personal information, including names, email addresses, phone numbers and chat logs spanning several years. Needless to say, the accessed data in the wrong hands could easily be exploited for phishing, fraud or other malicious activities. Both McDonald’s and Paradox.ai recognised the gravity of exposing sensitive applicant data and the critical nature of the incident. McDonald's expressed disappointment regarding the security lapses of its third-party vendor, but would that change much?

How on Earth is This Possible?

The answer lies in a well-known security flaw: a weak username and password combination as simple as the immortal "123456". The researchers discovered these vulnerabilities using a trivial dictionary attack - a "traditional", basic technique in which an attacker tries common words and patterns to identify weak passwords. Success after 30 minutes - not bad!

Reading between the lines, the ease of this breach might suggest deeper issues in the platform’s development process, potentially stemming from an over-reliance on AI-driven code generation. It is plausible that the security flaws emerged because automated programming tools produced insecure code. In an AI-driven development environment, algorithms may prioritise functionality and speed over security, inadvertently embedding multiple vulnerabilities if not rigorously checked. The lack of robust human control and supervision in the SDLC could have led to a failure to enforce the necessary secure coding standards.

Recommendations? Elementary, my dear Watson.

How do we protect ourselves from falling victim to such security threats? The answer lies in taking simple, very well-known, yet effective measures to safeguard our businesses.

To prevent such incidents, organisations should enforce strong password policies with long, complex passwords and multi-factor authentication. Access to all sensitive resources (especially databases) should be secured with role-based access control. Do not forget regular security audits: penetration testing (PT), automated vulnerability scans (VA) and engaging third-party security firms help tremendously to identify weaknesses at the early (development) stages. And please always remember employee training on secure practices and phishing awareness. Training works best when combined with a robust incident response plan that ensures quick action during breaches.
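The two flaws described in this article (an enumerable applicant endpoint and a dictionary-word admin password) and the two controls recommended just above (a password policy and role-based access to the applicant database) can be shown side by side in a few lines. The following is an added example written for this page, not McHire's or Paradox.ai's code; the applicant records, the role names, the `mfa_verified` flag and the small block-list of common passwords are all constructed. It pairs an IDOR-style lookup with an authorisation-checked one and includes the kind of helper an authorisation test suite would use to catch the regression.

```python
from dataclasses import dataclass

# Constructed applicant records standing in for an applicant database.
# No real names or McHire data; "example.invalid" is a reserved test domain.
APPLICANTS = {
    1001: {"owner": "alice", "name": "Applicant One", "email": "one@example.invalid"},
    1002: {"owner": "bob", "name": "Applicant Two", "email": "two@example.invalid"},
    1003: {"owner": "carol", "name": "Applicant Three", "email": "three@example.invalid"},
}

# Small constructed block-list; a real policy would check a large breached-password corpus.
COMMON_PASSWORDS = {"123456", "password", "qwerty", "admin", "letmein", "12345678"}


@dataclass(frozen=True)
class Principal:
    """An authenticated caller. Roles and the MFA flag are assumptions for this example."""
    username: str
    role: str                  # "applicant" or "recruiter"
    mfa_verified: bool = False


class Forbidden(Exception):
    """Raised for any record the caller may not read. Missing records raise the
    same error so an ID sweep cannot learn which IDs exist."""


def get_applicant_vulnerable(principal, applicant_id):
    """IDOR: the only check is that the caller is authenticated.
    Any logged-in user can walk the ID space and read every record."""
    return APPLICANTS[applicant_id]


def get_applicant_hardened(principal, applicant_id):
    """Object-level authorisation: applicants see only their own record;
    recruiters see all records, but only from an MFA-verified session."""
    record = APPLICANTS.get(applicant_id)
    if record is None:
        raise Forbidden(applicant_id)
    if principal.role == "recruiter" and principal.mfa_verified:
        return record
    if principal.role == "applicant" and record["owner"] == principal.username:
        return record
    raise Forbidden(applicant_id)


def password_acceptable(password, min_length=12):
    """Minimal policy: long enough, not on the block-list, not purely numeric."""
    return (len(password) >= min_length
            and password.lower() not in COMMON_PASSWORDS
            and not password.isdigit())


def count_readable(principal, fetch, ids):
    """Authorisation test helper: how many of `ids` does this principal get back?
    Run it against every record endpoint in CI to catch IDOR regressions."""
    readable = 0
    for applicant_id in ids:
        try:
            fetch(principal, applicant_id)
            readable += 1
        except (Forbidden, KeyError):
            pass
    return readable


if __name__ == "__main__":
    ids = range(1000, 1010)                 # the sweep an authorisation test performs
    alice = Principal("alice", "applicant")
    print("vulnerable endpoint:", count_readable(alice, get_applicant_vulnerable, ids))  # 3
    print("hardened endpoint:  ", count_readable(alice, get_applicant_hardened, ids))    # 1
    print("'123456' accepted?  ", password_acceptable("123456"))                          # False
```

Two design points are worth noting. The hardened lookup returns the same error for a record that does not exist and one the caller may not see, so the response does not reveal which IDs are valid; and the recruiter role is only honoured from an MFA-verified session, which is the "role-based access plus multi-factor authentication" combination the paragraph above recommends rather than either alone.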

A separate word should be said about having a secure software development lifecycle (SDLC) in place, as it integrates security practices at every stage of software development, from design to deployment. By incorporating threat modelling, secure coding standards and regular security testing, it is possible to substantially reduce the risk of exploitable flaws much earlier (and more cheaply).

So we, humans, are still needed! To me, this all highlights the necessity of integrating human expertise into modern "AI-assisted software development". Otherwise, we will have more opportunities to log in with "123456" to mission-critical systems and see more catastrophic breaches that expose sensitive data.

[The article is also published on LinkedIn]


Cyber Attacks Becoming a Nightmare for UK Businesses. Are CEOs And CISOs Playing a Cybersecurity Roulette?

30 June 2025 Reading time: 10 minutes

Each passing day brings a new wave of cyber threats that loom over the future of business, waiting to strike at the most unfortunate moment. I was scrolling through today’s article in The Guardian, thinking “Ah, same old, same old”. But let us all stop for a moment and try to think together about what is really happening and how to break the vicious circle.

According to the UK Cyber Crime Statistics in 2025, over 560,000 new cyber threats are discovered daily. Do you want more numbers? Recent figures released by the Royal Institution of Chartered Surveyors (RICS) show that an alarming one in four UK companies has suffered a cyber-attack within just the last year alone. The vast majority (81%) of UK businesses that suffer a cyber security attack are small and medium-sized businesses (SMBs/SMEs). It is essential to grasp the extent of these statistics and their potentially catastrophic implications for a business's survival and reputation.

(Source: www.twenty-four.it/services/cyber-security-services/cyber-crime-prevention/cyber-crime-statistics-uk)

What lies at the heart of this growing crisis? Complacency, lack of awareness and the absence of a long-term security strategy among some CEOs and CISOs are major contributing factors. Despite being aware of the looming dangers, they appear to “underestimate the enemy” and think instead about short-term, small “demonstrable wins” (because it looks good in reports, right?), while at the same time putting their entire companies at risk. This was exemplified by a recent high-profile attack on Marks & Spencer, which suffered weeks of downtime due to a catastrophic cyber breach that, in turn, led to a colossal financial loss. This all looks like a perilous game of cybersecurity roulette, and I am not sure if businesses can afford to play.

There is an opinion that these days, traditional antivirus software is largely useless in preventing the newer agile forms of attacks. So, can we still protect our precious business? The answer lies in taking multiple proactive measures to safeguard against modern, rapidly changing cyber threats. By implementing a series of basic yet crucial measures, businesses can significantly reduce their risks. These include regular software updates and system checks, comprehensive training programs for employees to identify potential scams, educating staff about the benefits and risks of new technologies, and ensuring that every employee is equipped with the necessary knowledge and skills to navigate this complex digital world. Do not forget to employ multiple authentication methods for enhanced security, conduct routine system checks and do prompt software upgrades, and you will put your business in a much better position.

I think it's a good “wake-up call” for leaders across all sectors to reassess their security protocols and take swift action. We must take immediate action - the costs and potential brand damage could become too high a price to pay in future. Do not wait until your business's vulnerabilities are exposed by hackers. Instead, implement basic cybersecurity measures today (and don't forget to ask professionals to come and revalidate them!).

[The article is also published on LinkedIn]


Cybersecurity: A Big Guide for Small Businesses

20 June 2025 Reading time: 12 minutes

Every day we see that the threat landscape continues to evolve at breakneck speed, but one could be surprised to discover that not only large enterprises but also small and medium-sized organisations have become prime targets for cybercriminals. But why? In many cases, it is simply a lack of awareness leading to underinvestment in cybersecurity measures. While large corporations may have the budget to invest in cutting-edge technology, SMEs often struggle to keep up.

So, how can small businesses protect themselves without breaking the bank? Ultimately, the key to surviving lies not in luck but in preparedness.

One of the most effective ways for small businesses to fortify their cyber defences is by empowering employees with essential cybersecurity knowledge. Equipping your staff with the right skills to identify and combat online threats can prove invaluable in the fight against “daily” cyber threats.

In addition to employee education, it is important to regularly apply software updates and patches, as these close known vulnerabilities before they can be exploited by malicious actors. This simple yet effective measure can significantly reduce the risk of falling prey to cyberattacks.

It's surprising that despite its importance, many organisations still forget about some basic cyber hygiene, such as password security. A staggering 81% of hacking-related breaches are attributed to weak or stolen passwords. Addressing this issue forthwith is crucial and, ideally, combined with two-factor authentication mechanisms (2FA) in place.

Another critical aspect of cybersecurity that cannot be overlooked is the establishment of reliable backup systems. Not only does this safeguard against data loss, whether accidental or caused by a ransomware attack, but it also saves precious time and money that would otherwise be spent on (very) costly recovery. By the way, do you have an Incident Response Plan? When was the last time you tested it?

There are many cybersecurity tools and resources which could be used for free. Local chambers of commerce, small business associations, or online communities often provide various free workshops, mentorship, or networking events. Government programs or grants for small businesses can also offer financial relief for investment in cybersecurity. Your employees can learn how to use free tools and successfully maintain the cybersecurity baseline themselves.

Last but not least, you might be surprised, but hiring professional penetration testing teams also doesn’t have to be expensive. Some cybersecurity firms, such as Risk Crew, offer services tailored for small and medium-sized enterprises (SMEs), balancing quality and affordability. These solutions will test your systems for vulnerabilities, ensuring robust protection without the high costs typically associated with enterprise-level services.

So, what can you do to get started today? By incorporating one step each week into your cybersecurity routine and monitoring its progress, you'll be on your way to building a robust defence against modern cyber threats. Always remember that cybersecurity is not just an IT problem; it's a team effort that requires every employee to be engaged. By focusing on high-impact, low-cost strategies, small businesses can significantly reduce their risk of cyberattacks and become a tough nut to crack for hackers.

[The article is also published on LinkedIn]


InfraSEC 2025

5 March 2025 Reading time: 2 minutes

Please find the presentation from my talk as a keynote speaker at the InfraSEC conference in Warsaw, Poland on 19/02/2025.

Presentation from my talk at InfraSEC 2025 in Warsaw, Poland about insecurities of industrial systems (PDF).

A week after the presentation I was positively surprised and honoured knowing that my talk was top-rated by the conference participants!

And THAT news surely made my day!


From free will to wild algorithms: how AI is shaping our lives

6 November 2024 Reading time: 8 minutes

Buckle your seatbelt Dorothy, because privacy is going bye-bye!

It’s not a secret that we are all permanently under observation. We became desensitised to it long ago, so it no longer bothers us much. However, in recent years, the concept of monitoring the lives of humble citizens has evolved far beyond traditional notions of police and state-run agencies. AI has given life to new forms of digital surveillance and new methods of collecting information about us. These methods are fast, effective, multidimensional, pervasive and much more intrusive than ever before. These emerging technologies have the power to monitor our every move, almost track our thoughts (so far: indirectly), and control our actions in ways that threaten the very essence of human freedom. Wild imagination? Oh please – read some recent news!

AI-driven surveillance is employed pretty much everywhere these days. It spans from analysis of our online behaviour to voice and face recognition, including monitoring of eye movements. It’s not so difficult really. Using modern high-speed, high-resolution video cameras and machine learning algorithms, computers can now analyse all kinds of behavioural patterns, including how you walk, how you talk, and the slightest changes in pupil size and iris, to determine everything from our attention span to our political preferences. This data can then be used to infer our personalities, interests and preferences with alarming accuracy. Technology is progressing so quickly that these days anyone can build a simple surveillance system for fun, e.g. for monitoring a cat. So think about this: if you can build an AI-driven system on a Raspberry Pi in one rainy Sunday, imagine what governments and large businesses can do with their powerful technology and unlimited resources.

The implications are staggering. In a world where AI-powered algorithms know what we are thinking, feeling and doing every moment of the day, the concept of privacy becomes an anachronism. Our every move could be tracked and recorded by cameras and sensors that watch us from above, below (and one day probably from within). Every transaction, every conversation and every thought becomes a document. That document can be traced, collected and analysed for clues about our behaviour, preferences and values. Would I personally ever benefit from it? I doubt it. But I am sure it will be regularly explained to me that it is all happening for my safety, for personalised marketing and, surely, for the good of all mankind.

Another prominent example is modern-day elections and voting. I am not referring to the most recent one but to any elections these days. It is totally unclear to me whether the outcome truly reflects voters' genuine desires or is instead influenced by sophisticated state-of-the-art "political engineering". With AI at their disposal, politicians can now create and disseminate tailored messages to millions of people, often without them even realising they're being manipulated. This raises deep concerns that citizens might become unwitting pawns in someone else’s larger agenda, rather than active participants in the democratic process.

Who controls the controller?

The widespread collection of personal data and its processing by AI, by governments and large corporations alike, raises significant concerns about their accountability. Technology moves forward, and these entities can now process and correlate unimaginable amounts of behavioural data on individuals without their knowledge or consent. This starts with browsing history, search queries, location information, biometric data and more. Even innocent metadata, collected in such vast amounts and processed by AI, can tell a lot about an individual. The problem I see is the omnipresent lack of transparency. It creates an opaque situation where individuals have limited or no control (and/or knowledge) over what data was collected, when and by whom. Governments and corporations often justify these practices under the guise of "national security" or "marketing efficiency". The absence of clear regulations and, first of all, transparent accountability mechanisms means that people have no idea what is happening with their data, leaving their privacy vulnerable. Let’s not forget that data can later be shared with unknown third parties, who have their own agendas. Data can also be leaked or stolen. Considering all this, probably the only recommendation we can give is: whatever you do online, share as little as possible, because anything and everything can be used against you sooner or later. Not an easy task considering that these days we all pretty much never go offline, right?!

But this isn't just a matter of the state watching its citizens. Large businesses and social media platforms aggregate an incredible amount of data on our online activities and create detailed profiles that shape our experiences and interactions. Is there any way we might know what our data is used for? I guess, you know the answer to this question. However, do we truly grasp the implications of this step-by-step erosion of individual freedom? It's leading us towards a dystopian society where every aspect of our lives is constantly in an instant feedback loop with machines, and even the smallest decisions could be dictated by algorithmic manipulation. Probably the meaning of the word “spontaneous” under the circumstances should be redefined. I guess it might be described as “less influenced by the existing behaviour-optimising algorithms”.

By allowing this to happen, we create a society where the boundaries between public and private spaces are disappearing, leaving us all exposed and vulnerable to the whims of our digital masters who wield immense power over human lives. I think a good example of this is Iran's hijab laws. For me, it is a chilling illustration of what happens when AI-powered surveillance is used to enforce rigid conformity and punish dissent. By tracking women's headscarf-wearing habits through facial recognition technology, the authorities have created a system that can identify and penalise those who fail to comply with the regime's strict dress code. This has led to widespread arrests, fines and even confiscation of property for those deemed non-conformists. What if the government's next decision were, let’s say, to prohibit women from laughing in public? Could this "law" be enforced with the existing technical measures? Piece of cake.

Do we still have a chance?

In the face of rapidly advancing, proactive and aggressive AI-driven data collection and analysis, it's essential to fully understand the consequences that lie ahead. We're not just talking about a loss of privacy or a threat to civil liberties any more. We are facing a fundamental transformation of human society into a vast global experiment in the modification and control of human behaviour. As usual, for the benefit of the chosen few. I can envisage that the AI-powered monitoring systems being deployed today have the potential to completely reshape who and what we are. Our shopping, working, travelling or dating will never be the same, knowing that not one but many AI Big Brothers are watching and influencing our every step 24/7. Our thoughts and behaviour define us as a species. If our behaviour becomes permanently changed by the constant influence of technological factors – what does it mean? Are we evolving? Are we going to live in a sort of “symbiotic relationship” with machines? Or maybe degrading?

So, what can we do? First and foremost, we need to be aware of the technologies that surround us and how they're influencing our lives. We must always question the assumptions behind these systems (and their creators) and challenge their right to control our every move. In a world where the reins of control are gradually handed to AI, it's more important than ever to assert our humanity, defend our freedom, and resist the forces of newborn cyber-totalitarianism that might threaten to engulf us all.

We stand at a crossroads in history where the decisions of artificial intelligence systems could shape major historical processes and change the lives of billions. It is the first time that algorithms could, literally, make history. The stakes are high, but the battle for human dignity and freedom is not yet lost. The future is never predetermined, but the path ahead is shaped by the choices of all of us. Maybe it is time to learn from the lessons of history and strive to create AI systems that serve humanity, rather than the other way around.

[The article is also published on LinkedIn]