IEEE 802.11bf: Wi-Fi sensing as opportunity and threat
IEEE 802.11bf turns Wi-Fi into a sensing platform. The same capability that can detect an intruder can be used to case a building from across the street. Here is what it means for ISMS, DPIA, and procurement decisions.
IEEE 802.11bf, published on 26 September 2025, is an amendment to the 802.11 family that turns Wi-Fi into a sensing platform. By analysing how radio signals propagate between transmitter and receiver, the standard enables motion, presence, and gesture detection across the same wireless infrastructure you already use for connectivity.
It is a dual-use technology. The same capability that lets you detect an intruder in your warehouse after hours lets a third party detect occupancy patterns in your building from across the street. Both are real applications. Both are arriving in consumer-grade hardware over the next few product generations.
The IEEE scope document for 802.11bf contains no privacy or security provisions specific to sensing. The standard defines what the radio can do. What anyone does with that capability is left to the deployer, the regulator, and the courts.
Key takeaways
- 802.11bf standardises Wi-Fi sensing across sub-7 GHz and above-45 GHz unlicensed bands. Active standard since 26 September 2025.
- Legitimate defensive uses include intrusion detection, occupancy analytics, camera-free safety zones, and tailgating detection.
- Adversarial uses include passive reconnaissance of buildings, pattern-of-life mapping, and confirming presence before physical intrusion. None of these require compromising your network.
- Wi-Fi encryption does not protect against sensing. Channel State Information lives at the radio layer, below the encrypted payload.
- Whether you deploy it or worry about it being used against you, the compliance work overlaps: DPIA, threat model, ISMS integration, supplier and procurement controls.
What 802.11bf actually enables
The mechanism is Channel State Information (CSI). When a Wi-Fi signal travels from a transmitter to a receiver, it reflects off walls, furniture, and people. The receiver can characterise those reflections. With enough samples and the right processing, you can detect:
- Whether a room is occupied.
- How many people are in a space.
- Movement, gestures, and gait.
- Breathing and heart rate (in research conditions).
- Movement through walls, within range and with a sufficient signal-to-noise ratio.
This is not new science. CSI-based sensing has existed in academic literature for over a decade, and commercial products such as Cognitive Systems Aware, Origin AI, and Linksys Aware have shipped sensing features in the consumer Wi-Fi market since 2020. What 802.11bf changes is standardisation. From this point on, chipset vendors can build native sensing capability into 802.11 hardware that interoperates across manufacturers. Sensing becomes a first-class Wi-Fi feature rather than a vendor-specific extension.
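To make the mechanism concrete, here is an added example (not code from the page, the standard or any vendor) of the simplest form of CSI-based presence detection, the kind of logic behind an out-of-hours motion alert. It assumes CSI has already been decoded into per-frame subcarrier amplitudes; the frames are constructed synthetic data, and the 30-subcarrier count, window size and threshold margin are assumptions.

```python
"""Presence/motion detection from CSI amplitude variance.
Added illustration, not code from the page, the standard or any vendor.
Assumes CSI already decoded into per-frame subcarrier amplitudes; the
frames used here are constructed synthetic data."""
import math
import random
from statistics import pvariance

N_SUBCARRIERS = 30   # assumed: e.g. the 30 subcarrier groups an Intel 5300 reports
WINDOW = 20          # assumed: frames per detection window


def make_frames(n_frames, moving, seed=1):
    """Constructed CSI amplitudes: a fixed multipath profile per subcarrier
    plus receiver noise; when a person moves, a slow fading term is added
    whose effect differs by subcarrier, as reflections change path length."""
    rng = random.Random(seed)
    profile = [20 + 5 * math.sin(k / 4) for k in range(N_SUBCARRIERS)]
    frames = []
    for t in range(n_frames):
        fade = 4 * math.sin(t / 3) if moving else 0.0
        frames.append([a + fade * math.cos(k / 7) + rng.gauss(0, 0.3)
                       for k, a in enumerate(profile)])
    return frames


def motion_score(frames):
    """Amplitude variance over time, averaged across subcarriers. An empty
    room yields only noise variance; a moving body perturbs the reflections
    and raises it. Payload encryption never enters into this: amplitude is
    measured at the radio layer."""
    per_sc = [pvariance([f[k] for f in frames]) for k in range(N_SUBCARRIERS)]
    return sum(per_sc) / len(per_sc)


def calibrate_threshold(quiet_frames, margin=5.0):
    """Alert threshold as a multiple of the score of a known-empty room."""
    return margin * motion_score(quiet_frames)


def detect(frames, threshold):
    """Score consecutive windows of a capture and return (start_frame, score)
    for those above threshold, e.g. to drive an out-of-hours alert."""
    alerts = []
    for start in range(0, len(frames) - WINDOW + 1, WINDOW):
        score = motion_score(frames[start:start + WINDOW])
        if score > threshold:
            alerts.append((start, round(score, 2)))
    return alerts


if __name__ == "__main__":
    thr = calibrate_threshold(make_frames(100, moving=False))
    print(detect(make_frames(60, moving=True, seed=3), thr))
```

Real deployments replace the variance score with trained models, but the point stands: the input is radio-layer amplitude, which no encryption setting hides.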
The defensive opportunity
For organisations evaluating this as a security or operations tool, the use cases are substantial.
Intrusion detection. Wi-Fi sensing can detect motion in spaces where access control alone is not enough. Out-of-hours alerting in offices, warehouses, and retail environments. Coverage of corridors, stairwells, and back-of-house areas without installing PIR sensors throughout the building. The infrastructure you have already paid for becomes the sensor network.
Tailgating and access control augmentation. Detecting more than one person passing through a single-person access point, or movement in a zone after badge-out, augments physical access control without adding cameras.
Occupancy analytics and smart building. Lighting, HVAC, and energy systems following real occupancy rather than fixed schedules. Workplace utilisation analytics for hybrid working policies. Fire safety occupancy compliance.
Camera-free safety zones. This is the most interesting privacy angle. There are spaces where cameras are inappropriate or unlawful: medical rooms, HR offices, toilets, changing areas, certain residential settings. Wi-Fi sensing provides motion and presence detection without capturing imagery, supporting data minimisation under Article 5(1)(c) GDPR.
Lone worker safety. Detecting falls, unusual stillness, or anomalous movement patterns in care facilities or remote work areas.
Asset and inventory monitoring. Movement in stockrooms or high-value storage areas during off-hours, without the privacy footprint of full video coverage.
These are real applications. Several are already deployed by enterprises and consumer Wi-Fi providers. 802.11bf accelerates them by lowering the cost of hardware and standardising the interface.
The threat side
The same physics works for the attacker.
Wi-Fi sensing transmitters and receivers emit and receive signals like any Wi-Fi device. Anyone in radio range can observe those signals. The question is how easy it is to extract sensing data from them, and there are several access paths with very different barriers to entry.
| Access path | What it requires | Threat actor | Wi-Fi encryption blocks it? |
|---|---|---|---|
| Vendor cloud or admin panel | AP credentials, vendor cloud account, or a compromise of either | Insider, credential theft, vendor breach | Yes for unauthorised admin access, no for authorised actors |
| Passive RF capture | A CSI-capable receiver in radio range. No network association | Anyone in range with suitable hardware | No |
| Malicious client on shared Wi-Fi | Network association to a shared SSID | Adversary on public, guest, or shared corporate Wi-Fi | Partial. Encryption protects payloads but not radio-layer observation |
The hardware for passive capture has existed for years in research and hobbyist contexts: Intel 5300 NICs with the Halperin tool, Atheros chipsets with the CSI tool, Broadcom chips with nexmon firmware, ESP32 in CSI mode. Today, the practical barrier is that not every laptop can do this. Once 802.11bf-capable hardware reaches consumer scale, that barrier drops.
For physical security, this matters. An adversary can:
- Map building occupancy patterns over time. When is the executive corridor empty? When does the cleaning crew arrive? When are deliveries received?
- Detect movement in high-value zones (server rooms, stockrooms, safes) without entering the premises.
- Identify routines that indicate sensitive operations. Board meetings, after-hours work, security patrols.
- Confirm or deny presence before a physical intrusion or social engineering attempt.
None of this requires being on your network. Wi-Fi encryption does not block it. Firewalls do not block it. VLAN segmentation does not block it. The defence has to operate at the RF and physical layers.
Defensive options and their limits
What you can do:
- RF shielding on windows and sensitive walls (metallised film, conductive paint). Already standard practice in TEMPEST-sensitive environments for decades.
- AP placement and transmit power tuning to minimise RF spill outside the perimeter.
- Disable sensing features on your own APs where firmware allows. This prevents your own infrastructure being co-opted if compromised.
- Procurement requirement: only purchase APs where sensing can be controlled and audited by the operator.
- Faraday-style construction for boardrooms, server rooms, or research spaces if the threat justifies the cost.
What you cannot do:
- Stop a passive receiver outside the perimeter from observing the signals your Wi-Fi already emits.
- Jam or interfere with the unlicensed bands. Illegal in Ireland under ComReg rules and across the EU.
- Reliably detect a passive sniffer. It receives but does not transmit.
The realistic defence is layered. Threat-model the sensing capability into your physical security risk assessment. Treat occupancy and pattern-of-life data as observable from the radio environment. Design physical security so that knowing the building is occupied does not help an attacker: turnstiles, mantraps, layered access control, and zones whose own controls hold up under reconnaissance.
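An added worked example (not from the page or any vendor) of the transmit-power tuning step above, using a log-distance path-loss model: it searches for the highest AP power that keeps the signal at a chosen perimeter point below an assumed receiver floor while still serving the farthest indoor client. All constants (1 m reference loss, path-loss exponents, wall attenuations, receiver floor, target RSSI) are assumed illustrative values, not measurements.

```python
"""Transmit-power tuning against RF spill, using a log-distance path-loss
model. Added illustration, not code from the page or any vendor. Every
constant below is an assumed, illustrative value, not a measurement."""
import math

PL_1M_DB = 40.0        # assumed reference loss at 1 m (roughly 2.4 GHz free space)
RX_FLOOR_DBM = -95.0   # assumed: below this a receiver cannot decode frames,
                       # and without decoded frames there is no CSI to extract


def received_dbm(tx_dbm, distance_m, exponent, wall_losses_db=()):
    """Received power: tx power minus log-distance path loss minus the
    attenuation of each wall crossed. Exponent ~2 free space, higher indoors."""
    if distance_m < 1.0:
        raise ValueError("model is only valid beyond the 1 m reference point")
    path_loss = PL_1M_DB + 10 * exponent * math.log10(distance_m)
    return tx_dbm - path_loss - sum(wall_losses_db)


def max_tx_power(indoor_m, outdoor_m, outdoor_walls_db, indoor_target_dbm=-70.0,
                 candidates=range(0, 31)):
    """Highest tx power (dBm) that keeps the perimeter point below RX_FLOOR_DBM
    while the farthest indoor client still sees indoor_target_dbm.
    Returns None when no setting satisfies both, i.e. power tuning alone
    cannot remove the spill and shielding or relocation is needed."""
    feasible = [p for p in candidates
                if received_dbm(p, outdoor_m, 3.0, outdoor_walls_db) < RX_FLOOR_DBM
                and received_dbm(p, indoor_m, 2.5) >= indoor_target_dbm]
    return max(feasible) if feasible else None


if __name__ == "__main__":
    # Farthest desk 15 m away; observer 40 m away across the street, behind
    # one exterior wall (10 dB) and, in the second case, metallised film (+25 dB).
    print(max_tx_power(15, 40, (10,)))        # power tuning alone suffices
    print(max_tx_power(15, 40, (10, 25)))     # film adds headroom for coverage
    print(max_tx_power(15, 20, (10,)))        # observer too close: None
```

The None case is the page's "what you cannot do": once an observer is close enough, no power setting keeps the signal unobservable, and only shielding or relocating the AP changes the answer.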
Compliance implications
Whether you are deploying sensing or worried about it being used against you, the compliance work largely overlaps.
GDPR and DPIA
Wi-Fi sensing data is personal data when it can identify or single out an individual. Even where it cannot identify a specific person by name, occupancy patterns and movement data tied to a specific location and time often single out an identifiable individual. The only person in the office at 7pm. The executive on the top floor. The clinician in the side room.
Article 35 DPIA is almost certainly required for systematic deployment. Articles 13 and 14 transparency obligations apply. Your privacy notice needs to state that sensing is in use, on what lawful basis, for what purpose, and how long the data is retained.
ePrivacy
The ePrivacy Directive and the Irish ePrivacy Regulations 2011 cover the confidentiality of communications and information stored on or accessed from terminal equipment. The application to ambient RF sensing is not fully tested in case law, but the spirit of the regulation extends to surveillance of physical activity via electronic means. Treat it as in scope until clearer guidance emerges.
ISMS implications
If you are ISO 27001 certified, sensing capability touches several Annex A controls:
- A.5.34 Privacy and protection of PII. DPIA outputs and lawful basis decisions sit here.
- A.7.4 Physical security monitoring. Both as an opportunity (you can use sensing) and a threat (your premises can be sensed).
- A.7.5 Securing offices, rooms and facilities. RF spill becomes part of the physical security analysis.
- A.5.19 Information security in supplier relationships. APs with sensing firmware need supplier risk treatment.
- A.8.1 User endpoint devices. Sensing-capable client devices in the estate.
This belongs in your risk register, not as a hypothetical, but as a present consideration. The standard is published. Hardware is shipping.
Supplier and procurement controls
Routers and access points purchased over the next several years will increasingly arrive with sensing firmware, often enabled by default. Your asset register, supplier assessments, and procurement standards should require:
- Visibility into whether sensing is supported on the hardware.
- A switch to disable sensing where the deployment does not require it.
- Vendor disclosure of what sensing data is processed, where it is stored, who can access it, and what retention applies.
- Contractual data protection terms covering sensing data, not just connection metadata.
Sectoral angle
Healthcare. Sensing offers genuine clinical and safety value (fall detection, patient monitoring, dementia care) but the data sensitivity ceiling is higher. Information that reveals health status is special category data under GDPR Article 9. Consent and research governance considerations apply under the Health Research Regulations 2018.
NIS2 essential entities. For organisations covered by NIS2 (energy, transport, healthcare, water, digital infrastructure, government), both the opportunity and the threat are elevated. Physical security of critical infrastructure must now account for RF-layer reconnaissance. Sensing capability deployed on operational infrastructure carries supply chain and dependency risk.
Regulated employers. Workplace monitoring is closely scrutinised by the Data Protection Commission and the Workplace Relations Commission. Sensing-based occupancy and movement monitoring sits inside the same legal frame as keystroke logging and CCTV. Lawful basis, proportionality, consultation with workers, transparency. Employee monitoring built on Wi-Fi sensing without these is a complaint waiting to happen.
Practical questions to ask now
For security and IT teams:
- Do any APs in your estate already support sensing? If so, is it enabled? Who has access to the data?
- What is your supplier register telling you about sensing capability in the next refresh cycle?
- Has sensing been included in your physical security threat model and risk register?
- What is your position on procurement standards for sensing-capable hardware?
For privacy and DPO teams:
- Have you assessed whether existing or planned Wi-Fi deployments require a DPIA?
- Is sensing addressed in your privacy notice?
- What is the lawful basis for any sensing currently in use? Consent, legitimate interest, legal obligation, vital interest?
- For employee-facing deployments, has the relevant works council, union, or employee representative body been consulted?
For executive and board:
- Is the dual-use nature of this technology reflected in your risk reporting?
- For high-value sites, has the physical security strategy been updated for RF-layer observation?
- Are procurement standards being updated to include sensing-related contract terms?
The bigger picture
The pattern with 802.11bf is the same pattern we have seen with cameras, IoT sensors, and AI: technology arrives faster than the governance to manage it, and organisations that wait for clear regulatory guidance end up retrofitting compliance under pressure.
The work to do now is not large. A note in the risk register. A line in the procurement standard. A short addendum to the DPIA programme. A briefing for security and facilities teams. An updated supplier questionnaire. None of this is expensive. All of it is significantly cheaper than addressing the same questions after a deployment has gone live or an incident has occurred.
If you would like to discuss sensing as part of your physical security risk assessment, ISMS scope, or DPIA programme, get in touch. Our GDPR and privacy, ISO 27001, and risk and governance services cover the questions this technology raises.
