pith. sign in

arxiv: 2605.02553 · v1 · submitted 2026-05-04 · 💻 cs.CR

Noisy Networks, Nosy Neighbors: Simple Privacy Attacks Against Residential Wireless Traffic

Arne Roszeitis , Bartosz Burgiel , Victor J\"uttner , Erik Buchmann This is my paper

Pith reviewed 2026-05-08 19:00 UTC · model grok-4.3

classification 💻 cs.CR
keywords smart home privacywireless traffic analysispassive eavesdroppingRSSI triangulationcasual attackerIoT securityneighbor attacksdaily routine inference
0
0 comments X

The pith

A neighbor with three Raspberry Pis and basic scripts can identify smart devices and extract household routines including sleep patterns from wireless traffic.

A machine-rendered reading of the paper's core claim, the machinery that carries it, and where it could break.

The paper investigates whether ordinary people without machine-learning skills or special equipment can still extract private information from nearby smart-home wireless networks. It sets up a realistic test where an attacker in an adjacent apartment uses only off-the-shelf Raspberry Pis, Wireshark, and simple Python code to capture traffic and signal strengths over three weeks. The study shows this low-resource attacker can name specific devices, detect when people are active or asleep, track phone movements through walls, and map out daily schedules. These results indicate that smart-home privacy risks extend beyond sophisticated adversaries to everyday neighbors.

Core claim

Through a three-week study, we demonstrate that this casual attacker can manually identify devices, recognize user states, track smartphone movements through walls via RSSI triangulation, and successfully extract detailed daily routines, including sleep patterns of guests.

What carries the argument

Passive capture of wireless packets and RSSI signal-strength values, analyzed manually to match patterns to device types and user behaviors.

If this is right

  • Smart-home privacy leaks occur even when the attacker lacks labeled training data or machine-learning expertise.
  • RSSI measurements allow location tracking through walls without active probing or device compromise.
  • Daily routines such as sleep times become visible from traffic timing alone.
  • Low-resourced attackers in shared buildings can perform these attacks with equipment costing under a few hundred dollars.

Where Pith is reading between the lines

These are editorial extensions of the paper, not claims the author makes directly.

  • Thin walls and shared electrical wiring in apartment buildings may amplify the effectiveness of such passive attacks compared to detached houses.
  • Simple traffic-padding defenses might fail if attackers can still observe signal-strength changes that reveal movement.
  • Residents could reduce risk by preferring wired connections for high-privacy devices or by monitoring for unexpected wireless signals from neighbors.
  • The same approach might extend to inferring occupancy in empty homes for physical-security implications.

Load-bearing premise

An attacker in an adjacent room can capture enough wireless traffic and signal-strength data to interpret device identities and activities without needing prior device-specific knowledge or facing major interference.

What would settle it

An experiment in a typical apartment building where the same basic tools and adjacent-room placement yield no identifiable device names, user states, movement tracks, or daily routines.

Figures

Figures reproduced from arXiv: 2605.02553 by Arne Roszeitis, Bartosz Burgiel, Erik Buchmann, Victor J\"uttner.

Figure 1
Figure 1. Figure 1: Floor plan of the experimental apartment: Office (1), Kitchen (2), view at source ↗
Figure 3
Figure 3. Figure 3: Network traffic thresholds of the interactive smartphone (a4:45). view at source ↗
Figure 2
Figure 2. Figure 2: Network activity over one day. As illustrated in view at source ↗
Figure 5
Figure 5. Figure 5: Weekly schedule over one week, showing network activity for the view at source ↗
Figure 6
Figure 6. Figure 6: Location estimates of Guest 1 (left) and the inhabitant (right) view at source ↗
read the original abstract

Smart devices, such as light bulbs, TVs, fridges, etc., equipped with computing capabilities and wireless communication, are part of everyday life in many households. Previous work has already shown that a passive eavesdropper can derive private information, household routines, etc., from the network traffic of smart devices. However, existing attacks rely on capable adversaries with specialized machine learning expertise, labeled training data and reference devices, leaving it unclear how vulnerable ordinary households are to less sophisticated attackers. In this paper, we investigate the extent to which a ,,casual attacker'' with straightforward IT skills and no specialized cybersecurity or ML tooling can reproduce such privacy attacks. Operating from an adjacent room in a real-world apartment building, we constrain our adversary to use only three off-the-shelf Raspberry Pis, Wireshark, and basic Python scripts. Through a three-week study, we demonstrate that this casual attacker can manually identify devices, recognize user states, track smartphone movements through walls via RSSI triangulation, and successfully extract detailed daily routines, including sleep patterns of guests. Our findings show that smart-home privacy leakage is a threat even from low-resourced, straightforward adversaries, e.g., neighbors.

Editorial analysis

A structured set of objections, weighed in public.

Desk editor's note, referee report, simulated authors' rebuttal, and a circularity audit. Tearing a paper down is the easy half of reading it; the pith above is the substance, this is the friction.

Referee Report

2 major / 2 minor

Summary. The paper claims that a casual attacker with basic IT skills, using only three off-the-shelf Raspberry Pis, Wireshark, and simple Python scripts from an adjacent room, can perform privacy attacks on residential wireless traffic. Through a three-week real-world experiment in an apartment building, the authors report successful manual device identification, recognition of user states, RSSI-based triangulation to track smartphone movements through walls, and extraction of detailed daily routines including guest sleep patterns, showing that such leaks are feasible without ML expertise or labeled data.

Significance. If the empirical results hold, the work demonstrates that smart-home privacy vulnerabilities are accessible to low-resourced neighbors, extending prior ML-heavy attacks to more realistic casual-adversary settings. The real-world three-week deployment with commodity hardware is a strength, providing concrete evidence of feasibility in typical apartment environments and highlighting the need for traffic obfuscation in consumer IoT devices.

major comments (2)
  1. [three-week study description] The central claim of tracking smartphone movements through walls via RSSI triangulation (described in the three-week study) lacks any quantitative accuracy metrics, ground-truth validation, or reported failure cases. RSSI is known to suffer from multipath fading, wall attenuation, and orientation effects, with literature typically showing 3-8 m median errors in NLOS indoor settings; without these details it is unclear whether the reported tracking constitutes precise trajectories or only coarse room-level detection.
  2. [experimental setup] The assumption that an attacker in an adjacent room can reliably capture and interpret wireless traffic and RSSI without significant interference or detection in a typical apartment building is load-bearing for all claims but receives no quantitative characterization of signal quality, packet loss rates, or environmental confounds across the three weeks.
minor comments (2)
  1. [Abstract] The abstract and results sections would benefit from explicit comparison to prior RSSI localization error rates in the literature to contextualize the triangulation performance.
  2. [methods] Notation for RSSI values and triangulation method should be defined more clearly with a diagram or pseudocode for reproducibility.

Simulated Author's Rebuttal

2 responses · 0 unresolved

Thank you for the constructive feedback and positive assessment of our work's significance. We address each major comment below with explanations and planned revisions to improve the manuscript's rigor and clarity.

read point-by-point responses

  1. Referee: The central claim of tracking smartphone movements through walls via RSSI triangulation (described in the three-week study) lacks any quantitative accuracy metrics, ground-truth validation, or reported failure cases. RSSI is known to suffer from multipath fading, wall attenuation, and orientation effects, with literature typically showing 3-8 m median errors in NLOS indoor settings; without these details it is unclear whether the reported tracking constitutes precise trajectories or only coarse room-level detection.

    Authors: We agree that additional context on accuracy would strengthen the presentation. Our emphasis was on showing that a casual attacker using basic tools can manually observe RSSI variations to infer coarse movement patterns and activities, without claiming precise localization. Ground-truth validation was not performed for all cases to preserve the natural household setting and avoid invasive monitoring. In the revised manuscript, we will add a subsection on RSSI limitations in indoor NLOS environments (citing the 3-8 m error literature), clarify that results indicate room-level or trajectory-level inferences, and include examples of observed successes along with noted failure cases such as signal instability periods. revision: yes

  2. Referee: The assumption that an attacker in an adjacent room can reliably capture and interpret wireless traffic and RSSI without significant interference or detection in a typical apartment building is load-bearing for all claims but receives no quantitative characterization of signal quality, packet loss rates, or environmental confounds across the three weeks.

    Authors: We acknowledge the value of quantifying capture reliability. The Raspberry Pis were placed to intercept signals from the target apartment, with initial verification of reception, and the three-week collection proceeded without major disruptions preventing analysis. However, systematic logging of packet loss or signal metrics was not prioritized to maintain a simple, non-intrusive setup. In revision, we will augment the experimental setup section with available data from logs (e.g., observed signal strengths and interference notes), describe the apartment environment (distances, wall materials), and discuss potential confounds and the passive attack's low detection risk. revision: yes

Circularity Check

0 steps flagged

No circularity: purely empirical study with direct observations

full rationale

The paper reports results from a three-week physical experiment in a real apartment building using only off-the-shelf Raspberry Pis, Wireshark, and basic Python scripts. All claims (device identification, user state recognition, RSSI-based movement tracking, and routine extraction) are presented as direct outcomes of manual analysis of captured traffic and signal data. No equations, fitted parameters, derivations, or self-citations are used to generate predictions that reduce to the inputs by construction. The work is self-contained against external benchmarks because it relies on observable physical measurements rather than any closed-loop modeling or renamed prior results.

Axiom & Free-Parameter Ledger

0 free parameters · 1 axioms · 0 invented entities

The work is an empirical feasibility study. It relies on standard assumptions about wireless signal propagation and passive capture but introduces no new mathematical parameters, axioms, or postulated entities.

axioms (1)
  • domain assumption Wireless traffic from smart devices can be passively captured and analyzed using commodity hardware and standard tools in a typical apartment building environment.
    Invoked in the description of the three-week study setup and RSSI triangulation.

pith-pipeline@v0.9.0 · 5513 in / 1254 out tokens · 68911 ms · 2026-05-08T19:00:08.408710+00:00 · methodology

discussion (0)

Sign in with ORCID, Apple, or X to comment. Anyone can read and Pith papers without signing in.

Reference graph

Works this paper leans on

16 extracted references · 16 canonical work pages

  1. [1]

    Spying on the smart home: Privacy attacks and defenses on encrypted IoT traffic,

    N. Apthorpe, D. Reisman, S. Sundaresan, A. Narayanan, and N. Feamster, “Spying on the smart home: Privacy attacks and defenses on encrypted IoT traffic,”ArXiv, 2017

    work page 2017

  2. [2]

    Poster: A smart home is no castle: Privacy vulnerabilities of encrypted iot traffic,

    N. Apthorpe, D. Reisman, and N. Feamster, “Poster: A smart home is no castle: Privacy vulnerabilities of encrypted iot traffic,”Proc. NDSS, 2016. [Online]. Available: https://api. semanticscholar.org/CorpusID:15706672

    work page 2016

  3. [3]

    Peek-a-Boo: I see your smart home activities, even encrypted!

    A. Acar et al., “Peek-a-Boo: I see your smart home activities, even encrypted!” InProceedings of the 13th ACM Conference on Security and Privacy in Wireless and Mobile Networks, ACM, 2020, pp. 207–218

    work page 2020

  4. [4]

    IoTBeholder: A privacy snooping attack on user habitual behaviors from smart home Wi-Fi traffic,

    Q. Zou et al., “IoTBeholder: A privacy snooping attack on user habitual behaviors from smart home Wi-Fi traffic,”Proc. ACM Interact. Mob. Wearable Ubiquitous Technol., vol. 7, no. 1, Mar. 2023

    work page 2023

  5. [5]

    WiFinger: Fin- gerprinting noisy ioT event traffic using packet-level sequence matching,

    R. Li, S. Liu, H. Hu, Q. Ye, and N. Feamster, “WiFinger: Fin- gerprinting noisy ioT event traffic using packet-level sequence matching,”ArXiv, vol. abs/2508.03151, 2025

    work page arXiv 2025

  6. [6]

    PingPong: Packet-level signatures for smart home device events,

    R. Trimananda, J. Varmarken, A. Markopoulou, and B. Dem- sky, “PingPong: Packet-level signatures for smart home device events,”Proc. NDSS, 2020.DOI: https://dx.doi.org/10.14722/ ndss.2020.24097

    work page arXiv 2020

  7. [7]

    I still see you: Why ex- isting IoT traffic reshaping fails,

    S. Wang, K. Yu, Q. Li, and D. Chen, “I still see you: Why ex- isting IoT traffic reshaping fails,”ArXiv, vol. abs/2406.10358,

    work page arXiv

  8. [8]

    Available: https : / / api

    [Online]. Available: https : / / api . semanticscholar. org / CorpusID:270560248

    work page

  9. [9]

    Noisy networks, nosy neighbors: Inferring privacy invasive information from encrypted wireless traffic,

    B. W. Burgiel, “Noisy networks, nosy neighbors: Inferring privacy invasive information from encrypted wireless traffic,” ArXiv, Bachelor’s Thesis, 2025

    work page 2025

  10. [10]

    Radar: An in-building rf- based user location and tracking system,

    P. Bahl and V . Padmanabhan, “Radar: An in-building rf- based user location and tracking system,” inProceedings IEEE INFOCOM 2000, vol. 2, 2000, 775–784 vol.2.DOI: 10.1109/ INFCOM.2000.832252

    work page arXiv 2000

  11. [11]

    Indoor person localization system through RSSI Bluetooth finger- printing,

    H. J. Pérez Iglesias, V . Barral, and C. J. Escudero, “Indoor person localization system through RSSI Bluetooth finger- printing,” in2012 19th International Conference on Systems, Signals and Image Processing (IWSSIP), 2012, pp. 40–43

    work page 2012

  12. [12]

    RSSI-based indoor distance estimation in Wi-Fi IoT application using ai ap- proaches,

    S. Mane, M. Kulkarni, and S. Gupta, “RSSI-based indoor distance estimation in Wi-Fi IoT application using ai ap- proaches,”International Journal of Communication Systems, vol. 38, no. 5, 2025

    work page 2025

  13. [13]

    Fingerprinting encrypted voice traffic on smart speakers with deep learning,

    C. Wang et al., “Fingerprinting encrypted voice traffic on smart speakers with deep learning,”Proceedings of the 13th ACM Conference on Security and Privacy in Wireless and Mobile Networks, 2020

    work page 2020

  14. [14]

    Foundation,Wireshark, Accessed: 2026-02-05

    W. Foundation,Wireshark, Accessed: 2026-02-05. [Online]. Available: https://www.wireshark.org/

    work page 2026

  15. [15]

    Harvey,Bluepy: Python interface to bluetooth LE on linux, Accessed: 2026-02-05

    I. Harvey,Bluepy: Python interface to bluetooth LE on linux, Accessed: 2026-02-05. [Online]. Available: https://github.com/ IanHarvey/bluepy

    work page 2026

  16. [16]

    tcpdump.org/, Accessed: 2025-03-26

    tcpdump.org,Tcpdump - packet analyzer, https : / / www . tcpdump.org/, Accessed: 2025-03-26. [16]MAC Address Vendor Lookup, https : / / macaddress . io/, Ac- cessed: 2026-02-23. [17]MA:CV:en:do:rs, https://macvendors.com/, Accessed: 2026- 02-23

    work page 2025