A dual-node ESP32 system that passively captures 802.11 Wi-Fi CSI fluctuations to detect human presence, infer motion direction, and visualise activity in real time, exposing a critical physical-layer privacy vulnerability in ubiquitous wireless infrastructure.
Even when 802.11 network traffic is fully encrypted, the physical layer continues to leak environmental data through Channel State Information (CSI). A passive attacker with only a commodity Wi-Fi receiver can capture these signal fluctuations to silently map human activity within the wireless coverage area, no network credentials, no active probing, no interaction with user devices required.
This data can be exploited to detect presence, infer movement patterns, and even reconstruct room layout, all from signals that are normally dismissed as "just noise."
Rather than proposing impractical countermeasures (such as Faraday cages, which block all wireless signals and are prohibitively expensive to retrofit), WISPR takes a research-first approach: build the attack ourselves on sub-$10 hardware to prove the vulnerability is real, accessible, and actionable.
The system uses two passively listening ESP32 nodes to capture CSI, processes it through a multi-stage Python pipeline, and visualises presence/direction in real time, making the invisible threat visible.
Detect human presence using only ambient Wi-Fi CSI signals, without any active probing or user device involvement.
Infer movement direction (left-to-right / right-to-left) using a dual-node architecture that correlates activation timestamps.
Develop a functional sensing system using ESP32 microcontrollers at under $10 per node, deployable by anyone.
Build a live Python dashboard with RSSI graphs, CSI heatmaps, and an animated stickman tracking presence and direction.
Demonstrate concretely that passive Wi-Fi-based surveillance is feasible, raising awareness about this underappreciated attack surface.
Document the full pipeline, firmware, signal processing, and GUI, so researchers can replicate, extend, or defend against the technique.
Each ESP32 node passively captures raw 802.11 CSI packets from ambient Wi-Fi traffic at 50 packets per second (20ms interval) via the esp_wifi_80211_tx hook. Per-subcarrier amplitude values and RSSI are packed into a compact binary UDP payload and streamed over the local network. An SH1106 OLED display shows real-time RSSI graphs and packet counts. Node configuration (IP, port) is persisted using NVS flash storage, surviving reflashes.
Python's BinaryCSIReceiver class runs a dedicated thread per node, parsing binary UDP packets and filtering out null-dominant frames (frames where >98% of subcarrier values are zero). Valid frames are expanded from their sparse representation to a fixed 64-column matrix via expand_to_64(). A 500-frame rolling history buffer feeds downstream analysis. Connection liveliness is tracked with a 2-second timeout watchdog.
DigitExtractor applies EMA smoothing (α = 0.04) to reduce per-subcarrier noise, then computes amplitude variance normalised against a rolling 200-frame baseline window. Values are trimmed at the 95th percentile to suppress outliers, then normalised between the 2nd and 98th percentile to produce a single scalar "digit" value, a dimensionless indicator of environmental motion activity. A user-selectable subcarrier mask allows specific subcarrier channels to be excluded.
PresenceDetector applies dual-threshold hysteresis to prevent flickering: a detection threshold of 4.0 triggers candidate presence, while re-entry after a confirmed-low state requires exceeding a higher threshold of 5.2. A 15-frame consecutive streak confirms presence, with graceful decay (−1 per NaN frame) to handle brief signal dropouts. Results are broadcast as a boolean confidence flag per node.
DirectionTracker correlates Node A/B activation timestamps to infer traversal direction. The StickmanWindow Tkinter GUI updates at ~30 fps, rendering an animated stickman that scales up by 1.55× on crossing events, directional arrows, and real-time RSSI/CSI heatmap panels for both nodes. The dashboard displays presence state, signal strength, and motion history in a single cohesive interface.
WISPR successfully detected human presence across varying distances and room configurations. The hysteresis-based confirmation scheme eliminated false positives caused by transient reflections and environmental movement.
The dual-node architecture significantly improved sensing reliability over single-node baselines and enabled reliable bi-directional motion tracking. Directional accuracy was consistent in open-plan spaces.
Sub-$10 ESP32 nodes performed covert environmental sensing on par with more expensive purpose-built CSI tools, validating that the attack surface is accessible to low-budget adversaries.
Performance degraded in high-multipath environments and under competing Wi-Fi traffic. Node placement and per-environment threshold calibration are necessary for consistent detection reliability.
Passive intrusion detection without cameras, privacy-preserving occupancy sensing for residential security applications.
Non-intrusive fall and non-movement alerts for elderly residents, monitoring without cameras or wearables.
Demonstrating physical-layer Wi-Fi vulnerabilities to enterprise clients and informing wireless infrastructure security audits.
Open-source security research advances academic understanding of wireless privacy vulnerabilities and provides hands-on learning resources.
Commodity-hardware approach democratises advanced sensing capabilities, enabling low-cost smart infrastructure sensing for developing regions.
Non-invasive occupancy sensing supports smart building management, energy optimisation, and urban infrastructure monitoring.
LSTM or CNN models for gesture recognition, precise occupancy counting, fall detection, and activity classification from CSI time series.
3+ node topology enabling 2D room mapping, through-wall sensing, and triangulated positioning of multiple simultaneous occupants.
TinyML inference directly on ESP32-S3 for standalone, server-free operation with sub-millisecond response times.
Fine-grained CSI analysis to detect micro-movements indicative of respiration and cardiac rhythms for passive health monitoring.
Designing and evaluating physical-layer countermeasures, randomised channel hopping, signal injection, to protect against CSI-based surveillance.
Browser-based real-time dashboard with REST API for integration into building management systems and SIEM platforms.
ESP32 firmware, Wi-Fi CSI capture, OLED display, hardware integration & testing.
Signal processing pipeline, Python dashboard, CSI feature extraction, live GUI.
Department of Cyber Security, National Centre for Cyber Security.
Cyber Security, NCSA
Phase 3
#25001
14th May 2026
ESP32 · Python · NumPy · Matplotlib · Tkinter