Beamforming Feedback as a Novel Attack Surface for Wi-Fi Physical-Layer Security
Jingzhe Zhang, Yitong Shen, Ning Wang, Yili Ren

TL;DR
This paper introduces BFIAttack, a new method exploiting beamforming feedback to reconstruct CSI and compromise Wi-Fi physical-layer security, demonstrating high success rates in various scenarios.
Contribution
The work presents a novel attack exploiting beamforming feedback to reconstruct CSI, revealing vulnerabilities in Wi-Fi physical-layer security mechanisms.
Findings
Achieves a 73% success rate with five attempts in multi-antenna scenarios.
Achieves a success rate of over 93% with a single attempt in single-antenna scenarios.
Reveals critical security vulnerabilities in existing Wi-Fi CSI-based protections.
Abstract
With the rapid evolution of wireless technologies, Wi-Fi has expanded beyond its original role in data transmission to support various emerging applications, particularly in physical-layer security, including device authentication, user authentication, and secret key generation. Despite extensive research on Wi-Fi Channel State Information (CSI)-based physical-layer security, its vulnerabilities remain largely unexplored. In this work, we propose BFIAttack, a novel attack that exploits Beamforming Feedback Information (BFI) to reconstruct the CSI of a legitimate user or device, thereby compromising Wi-Fi-based physical-layer security. We realize the attack by leveraging a closed-form CSI reconstruction method for the single-antenna station scenario and a maximum likelihood estimation-based CSI reconstruction for the multi-antenna station scenario. Moreover, we exploit spatial…
