LightGuard: Transparent WiFi Security via Physical-Layer LiFi Key Bootstrapping

TL;DR

LightGuard leverages the confined nature of LiFi to securely bootstrap WiFi encryption keys, reducing eavesdropping risks by offloading key exchange to an optical, line-of-sight channel.

Contribution

This work introduces a dual-link architecture that uses LiFi for secure key establishment, enhancing WiFi security by preventing key exposure over RF.

Findings

Prototype with off-the-shelf WiFi NICs and custom LiFi frontend validates the approach.

LiFi-based key bootstrapping effectively prevents key exposure over RF.

LightGuard demonstrates practical feasibility with existing hardware.

Abstract

WiFi is inherently vulnerable to eavesdropping because RF signals may penetrate many physical boundaries, such as walls and floors. LiFi, by contrast, is an optical method confined to line-of-sight and blocked by opaque surfaces. We present LightGuard, a dual-link architecture built on this insight: cryptographic key establishment can be offloaded from WiFi to a physically confined LiFi channel to mitigate the risk of key exposure over RF. LightGuard derives session keys over a LiFi link and installs them on the WiFi interface, ensuring cryptographic material never traverses the open RF medium. A prototype with off-the-shelf WiFi NICs and our LiFi transceiver frontend validates the design.