How neighbors could spy on smart homes
Even with strong wireless encryption, privacy in connected homes may be thinner than expected. A new study from Leipzig University shows that someone in an adjacent apartment could learn personal details about a household without breaking any encryption. By monitoring the wireless traffic of nearby smart devices, the “nosy neighbor” can infer what people are doing, when they are home, and even which room they are in.
Listening through the wall
The researcher tested what information could be learned from encrypted WiFi and Bluetooth Low Energy (BLE) signals. The experiment simulated a neighbor who sets up three cheap antennas along a shared wall. These antennas collected wireless data from a mock smart home next door filled with connected light bulbs, sensors, plugs, and a few everyday devices such as smartphones.
The observer never decrypted any data. Instead, the analysis focused on what leaks through side channels, the parts of communication that remain visible even when payloads are protected. Every wireless packet exposes timing, size, and signal strength. By watching these details over time, the researcher could map out daily routines.
WiFi sniffer based on a Raspberry Pi with the TP-Link antenna. SD Card adapter for scale. (Source: Research paper)
Identifying devices by their patterns
Even encrypted devices leave distinct traces. Packet frequency, transmission bursts, and radio signal strength helped identify which devices were in use. Over days of monitoring, the study could classify smart plugs, lights, and air sensors with notable accuracy. The system also detected when devices changed state, such as a lamp being turned on or a vacuum starting its cleaning cycle.
Bartosz Wojciech Burgiel, penetration tester at DigiFors and the author of the study, told Help Net Security that better hardware could widen the attack surface. He said, “I think that more advanced antennas, i.e. the ones which allow for CSI monitoring, could create new possibilities for behavioral fingerprinting in this setting. I can’t tell you much on the accuracy of CSI in obstructed settings, i.e. when you’re listening through the wall. Given the black box nature of this passive monitoring, even if the CSI was accurate, you would have no ground truth to ‘decode’ the readings to assign them to human behavior. So technically it would be advantageous, but you would have a hard time in classifying this data.”
Once these patterns were established, a passive observer could tell when someone was awake, working, cooking, or relaxing. Activity peaks from a smart speaker or streaming box pointed to media consumption, while long quiet periods matched sleeping hours. None of this required access to the home’s WiFi network.
Locating people and rooms
The next part of the experiment used the signal strength of different devices to estimate their location. By comparing readings from multiple antennas, the researcher could perform trilateration, estimating where signals originated inside the apartment. While not precise enough to pinpoint exact positions, the results were accurate enough to divide the home into zones such as kitchen, office, and bedroom.
When residents moved around with smartphones or wearables, their approximate paths through the apartment could be tracked in near real time. Over multiple days, these traces made it possible to sketch the layout of rooms and identify which areas were used most often.
Learning about personal behavior
Beyond devices and locations, the study explored what this information reveals about people. Correlating traffic from multiple devices exposed behavioral patterns. A surge in kitchen device activity followed by a drop in motion sensors could suggest someone preparing dinner and leaving the room. Repeated evening peaks from a smart TV and game console indicated entertainment habits.
The research also captured probe requests, signals that WiFi devices send while looking for familiar networks. These requests sometimes included the names of previously connected networks, which can reveal places the user has visited, such as workplaces or cafés. During one case study, the appearance of a new smartphone pattern indicated that a guest had arrived, and their movements could be followed until the device left range.
A quiet but serious privacy problem
The findings show that privacy exposure in smart homes goes beyond traditional hacking. Even with WPA2 or WPA3 encryption, network traffic leaks enough side information for outsiders to make inferences about occupants. A determined observer could build profiles of daily schedules, detect absences, and learn which devices are in use.
For security professionals, this highlights an often overlooked threat category: passive data collection in physical proximity. Unlike network intrusions, these attacks require no access credentials, malware, or interaction with the target network. They depend only on being within radio range.
Limited defenses
The study noted few practical countermeasures for consumers. Randomizing device identifiers and reducing unnecessary broadcasting could help, but most off-the-shelf smart devices do not offer these options. Strong encryption remains essential but cannot hide metadata such as timing or signal strength. Shielding rooms or lowering transmission power may reduce exposure but are impractical for most homes.
Burgiel was blunt about the limits of realistic defenses. He said, “While there are some theoretical countermeasures, I don’t think that realistically anything can be done against such attacks. It is practically impossible to obscure or mask the wireless communication outside of the house. Theoretically someone could place all devices deep within the home, such that no signal leaks outside of the walls. But then effectively one room in your house could be smart.”
He offered caveats about partial options. “There are some ways to ‘hide’ BLE, however I can’t say how it would perform in a smart home setting. For WiFi, you can hide your BSSID, such that it’s not broadcasted, but as I explained in my methodology, it would not stop a motivated attacker.”
Burgiel also described a disruptive countermeasure that is possible in theory but hard in practice. “The only, albeit unrealistic, defense against such attacks is setting up dupes. You can easily spoof a device’s transmitter MAC address, either Bluetooth or Wi-Fi, and send random bytes such that in Wireshark their communication appears as if it came from the same device. By doing this, you could inject random patterns into the data stream making pattern recognition more challenging. But I do not know how the routers or hosts would react to such interference.”
He added a final practical warning about that trick. “This countermeasure has one weakness. An attacker with spatially separated antennas would be able to tell the dupes and the original devices apart by examining their RSSI fingerprint. So you would have to either locate them very close to the true devices and match their TX, or spread them throughout the apartment such that the attacker does not know which of the devices is the original.”
When the nosy neighbor becomes an insider threat
While the experiment used a domestic scenario, similar methods could apply in offices, labs, or corporate apartments where smart sensors are common.
Monitoring signal emissions and auditing device behavior could become part of security hygiene, especially in areas handling sensitive work. The “nosy neighbor” in this study might be an actual neighbor today, but the same techniques could be used by corporate spies or investigative actors tomorrow.