SoK: Secure Human-centered Wireless Sensing

Human-centered wireless sensing (HCWS) aims to understand the fine-grained environment and activities of a human using the diverse wireless signals around him/her. While the sensed information about a human can be used for many good purposes such as enhancing life quality, an adversary can also abuse it to steal private information about the human (e.g., location and person's identity). However, the literature lacks a systematic understanding of the privacy vulnerabilities of wireless sensing and the defenses against them, resulting in the privacy-compromising HCWS design. In this work, we aim to bridge this gap to achieve the vision of secure human-centered wireless sensing. First, we propose a signal processing pipeline to identify private information leakage and further understand the benefits and tradeoffs of wireless sensing-based inference attacks and defenses. Based on this framework, we present the taxonomy of existing inference attacks and defenses. As a result, we can identify the open challenges and gaps in achieving privacy-preserving human-centered wireless sensing in the era of machine learning and further propose directions for future research in this field.


INTRODUCTION
Wireless sensing is an emerging enabling technology for many applications such as smart homes/cities, autonomous systems, and human-computer interactions.Given the advanced wireless communication techniques (e.g., WiFi, and 5G) and the proliferation of wireless devices (e.g., Internet-of-Things), wireless sensing is becoming more and more popular.Wireless signals in different forms, including radio frequency (RF) and light, interact with human bodies and other physical objects in the environment during transmission.As a result, the variation of the wireless signals around a human can be leveraged to understand the physical environment and human activities in it [9,134,142,178].For instance, Vasisht et al. [134] shows that wireless signals can be used to localize and identify occupants at home based on their walking patterns, thereby enabling a smart home that is aware of the occupants' locations and identities to personalize appliance settings.
Like nearly any advanced technology, wireless sensing is a doubleedged sword.On the one hand, wireless sensing enables many life-quality-improving applications such as health status monitoring [3,37,40], energy-efficient smart home [27,102,134], and friendly human-computer interaction [80,142] via understanding the physical environment and activities of human subjects.On the other hand, the same technology can be abused by an attacker to infer a human's private information such as location, living habits, and behavioral biometric characteristics (e.g., walking pattern, heart rate, and hand gesture) that can identify a person, therefore leading to privacy and security risks.For instance, inferring location leads to location privacy leakage [134,141]; inferring living habits may lead to well-planned burglary [121,178]; and inferring hand gesture used to unlock a smartphone leads to password compromise [11,66].
However, the literature lacks a systematic understanding of inference attacks via wireless sensing and defenses against them.In particular, existing literature surveys about wireless sensing [74,85,115,144] focus on wireless sensing techniques and their benign applications, leaving systematization of the privacy aspect of wireless sensing largely untouched.Such a gap makes it hard to comprehensively understand the privacy vulnerabilities of wireless sensing and design effective defenses against potential inference attacks in the future.Without comprehensive systematization of wireless sensing systems, it is difficult for engineers to design privacy-preserving wireless sensing systems.
In this paper, we aim to bridge this gap.To do so, we propose a signal processing pipeline to systematize the inference attacks and defenses in human-centered wireless sensing systems.More specifically, we make the following contributions: • Taxonomy of wireless signals processing in the inference attacks and defenses.Since wireless signal processing has been extensively used in human-centered wireless sensing systems for inference attacks and defenses, we propose a generalized signal processing pipeline-based framework for reasoning the existing and future inference attacks and defenses.• Open challenges.We use our proposed framework to identify significant challenges facing the existing human-centered wireless sensing systems, predict the potential inference attacks, and provide directions for potential defenses against these attacks.• Identifying the design space towards privacy-preserving wireless sensing.We identify the core design aspects that future wireless sensing systems should consider in their design to achieve privacy-preserving properties, and provide a design roadmap by discussing where and how human private information has been leaked based on our proposed framework.
• Inclusion Criteria.We mainly include papers from peer-reviewed journal articles as we presented in the Selected Source, which focus on how to infer human private information in human-centered wireless sensing.Specifically, we read the paper to understand if the paper's theme matches the human-centered wireless sensing topic.We find that some workshop or arXiv papers have the corresponding full papers published in the official conferences.So, we will simply select the full papers published in the official conferences.Moreover, we will eliminate the papers that do not discuss the physical-layer wireless sensing techniques for inference attacks or defenses, as human-centered wireless sensing mainly exploits the interaction between the wireless signals and the human body.
Search.Except for the well-known papers in this area based on our experience, we use the sources (e.g., ACM digital library) mentioned above to search for papers.Moreover, we investigate the references in the related work presented in these papers to further build on the collected knowledge.As a result, we have 184 papers as candidates for the analysis.
Select.We aim to select the papers in the search stage, which can satisfy the inclusion criteria.Specifically, we first read the abstract and introduction sections of each paper to obtain a high-level view of its main discussion and focal points.Then, we read the core design of the paper to ensure the inclusion criteria.At last, there are 169 papers left for our systematization.The other 15 papers cannot meet our inclusion criteria.For example, some papers discuss the differential data privacy of wireless communication traffic.
Analyze.After selecting the papers, we divide them into two categories based on their topics.The first category mainly focuses on designing wireless sensing-based inference attacks that can accurately infer a victim's various private information.The second category mainly focuses on defenses against such attacks.Present.We present our findings of formalizing the inference attacks and defenses to human-centered wireless sensing as follows.

THREAT MODEL 3.1 Attacker's Goal
We consider an attacker's goal to infer various private information about a victim human through sensing and analyzing the wireless signals around him/her.In particular, we summarize the private information considered in existing inference attacks as the following three categories: • Location.The location represents sensitive information about a victim.Knowing the location of a victim leaks sensitive places that the victim has been to, such as those in a hospital, and enables tracking of the victim [13,23,60].• Living habits.The living habits of a victim can leak other sensitive information about a victim.For instance, eating meals and going to the restroom frequently could be an indicator of diabetes disease.Moreover, knowing the living habits of a victim enables an attacker to commit well-informed severe crimes.For instance, an attacker may plan a burglary at a time when a victim is not at home [3,5,6].• Behavioral biometric characteristics.Behavioral biometric characteristics refer to a person's pattern of behavior, including walking patterns, heart rate, and hand gestures.
The leak of such behavioral biometric characteristics of a victim leads to severe privacy and security risks to the victim.For instance, heart rate may reveal that a victim has asthma or heart disease; hand gesture (e.g., touched locations and swiping patterns on the screen) of a victim to unlock a smartphone leads to compromise of the victim's password; and walking patterns enable an attacker to identify the victim's identity [11,33,54,75].

Attacker's Capability
Sensing the type of wireless signal.signals.The radio receiver should not be too far away from the transmitter around the victim, in order to receive wireless signals.
For instance, when an attacker targets a victim in a house, the attacker can deploy its radio receiver outside/around the house.

HCWS AND ITS PRIVACY IMPLICATIONS 4.1 Wireless Sensing Principle
A typical wireless sensing system consists of two devices: a transmitter (Tx) and a receiver (Rx), as shown in Fig. 1.A Tx or Rx may have one or multiple antennas.A Tx antenna emits wireless signals, which propagate and may be reflected by different objects (e.g., walls) and subjects (e.g., human) in the physical environment.An Rx antenna receives wireless signals.
To model the wireless communication between a Tx and an Rx, we start with a pair of Tx and Rx, each equipped with a single antenna.Specifically, the Tx transmits the wireless signals, denoted by  (), which is reflected by different types of objects (e.g., walls, desks, and couches) and subjects (e.g., human) in the physical environment, and then received by the Rx.Let ℎ() denote the multipath propagation characteristics of the physical environment, or the wireless channel.

Wireless Technologies
There are many different kinds of wireless technologies that can be used for interference attacks.Table 2 summarizes the cost, effectiveness, and deployability of different wireless technologies.More details about these wireless technologies can be found as follows: • WiFi.WiFi has been extensively explored for human-centered wireless sensing by harnessing the existing WiFi communication infrastructure [39,56,65].• VLC.Visible light communication usually works at high frequency which is supposed to be significantly attenuated over the air [28,67].Therefore, VLC-based wireless sensing has a short sensing range in comparison to WiFi.However, VLC employs a large bandwidth to measure the time of flight for accurate sensing with [67].To do VLC-based inference attacks, we need to deploy the low-cost LED sensors close to the subject of interest in a line-of-sight scenario and VLC suffers from the interference introduced by the ambient light signals, which makes this VLC-based inference attack impractical in real-world settings.• Cellular.Since the cellular communication infrastructure has been widely deployed in outdoor environments, we can use it for inference attacks such as outdoor localization [15,61,136].The cellular-based inference attacks in human-centered wireless sensing suffer from the multipath effect in the outdoor area resulting in coarse-grained sensing accuracy.For example, LTrack [61] can achieve 6m localization error in 90% cases.

Workflow of Inference Attack
1 ○ Deploying an sensing device.When the existing wireless sensing system has already been deployed in the environment for good purposes such as enhancing life quality, the attacker can abuse it by deploying a receiver to sniff the wireless signals for human private information inference.Since the wireless signal is transparent to the attacker, the attacker needs to ensure the type of wireless signals used in the environment and choose the corresponding sniffing device to receive the wireless signals.In particular, the attacker can perform spectrum scanning to obtain the type of wireless signals in the environment and their corresponding operating frequency.Spectrum scanning can be divided into two categories: (i) using dedicated spectrum analyzers, which have poor time resolution due to large sweeping time [90,108], and (ii) using low-cost radio receivers, which have small signal bandwidths due to the limited sampling rate [42,107,114].Recently, SweepSense [38] proposes to modify the software-defined radio receiver (i.e., USRP N210) to sweep the spectrum with high bandwidth and time resolution.When there are no existing wireless sensing systems deployed in the environment, passive attacks cannot sniff any wireless signals interacting with the human body for inference attacks.However, the active attacker can deploy the transmitter to emit the wireless signals toward the physical environment and receive the backscattered signals to infer human private information, as the emitted wireless signals interact with the human body.To eliminate the multipath effect, we can either leverage the beamforming technique or multipath resolving algorithms.For example, Spotfi [60] proposes a super-resolution algorithm to estimate the angle-of-arrival (AoA) by incorporating a filtering and estimation approach to accurately identify the AoA of the direct path.3 ○ Inferring human private information.After obtaining the wireless signals that are only affected by the subject of interest, the attacker can design a model to predict the human private information from the wireless channel measurements through mathematical analysis or learning-based approaches.

Privacy Implications
From wireless sensing to privacy inference.Wireless sensing aims to perceive the physical environment using the received wireless signals around a human.The intuition is that the received signals are affected by the wireless channel, which is affected by the variation of the wireless environment (e.g., human's movements) as the wireless signals interact with the human body.Therefore, a wireless sensing system usually analyzes the variation and extracts different properties (e.g., wireless channel) of the received signals to achieve the sensing purpose, which can reveal human private information such as human location and identity.Bridging the gap.However, the existing wireless communication standards and specifications fail to prevent the leakage of this information due to the nature of widespread wireless signals.Wireless sensing systems have been extensively studied in academia, which mainly focuses on improving sensing accuracy without considering privacy leakage.The fundamental reason for privacy leakage is the interaction between the human body and wireless signals.
Especially, with the proliferation of deep learning-based wireless sensing systems, even though deep learning has significantly improved the sensing accuracy of wireless sensing, it is vulnerable to adversarial attacks [19,52,53,177].Therefore, we provide an angle of understanding the vulnerability and privacy threat of machine learning-enabled wireless sensing systems from the whole system design point of view.Human private information is not communication data privacy but rather private information related to human movement that is sensed by the variation of the wireless signals.For example, keystrokes and gestures can reveal passwords.Human activity recognition can reveal the daily living style and human identities.The attacker can abuse the private information introduced by the human movement.For example, the attacker can detect if the house owner is at home or not for trespassing and theft.We bridge the gap between the privacy implications and wireless signal sensing parameters by connecting the physical parameters in the signal processing to the privacy inference that is targeted by the attackers.

A SIGNAL PROCESSING PIPELINE-BASED HCWS FRAMEWORK
We present a signal processing pipeline-based framework to categorize and systematize HCWS strategies as shown in Fig.  for human private information derivation.The wireless signal processing pipeline is modeled and framed to systematize the HCWS.

Wireless Channel Estimation
An attacker can reconstruct a wireless channel from the received wireless signals, which will be used to derive human private information.Let's first model the wireless channel.When a device transmits a signal, this signal is distorted by the wireless environment due to human movements.Specifically, the signal undergoes the attenuation  () due to path loss and absorption.Since the signal travels over a distance of  (), its phase and strength can be changed.In a multiple-antenna wireless sensing system, we can consider the extra distance that the signal travels to/from each antenna in comparison to the reference antenna.This is characterized by the angle of arrival (AoA)   () for -th signal path at the antenna array-enabled Rx and the angle of departure (AoD)   () for -th signal path at the antenna array-enabled Tx.
The wireless channel ℎ() can be obtained using signal preambles known to both the Tx and Rx and indicates the variation of the wireless environment.Let  () denote the preamble signal, the received preamble at the Rx is given by: With the known  () and white Gaussian noise  (), ℎ() can be obtained using the maximum likelihood estimator.Based on the assumption that the signals at the adjacent frequency will undergo the same multipath, ML-based channel estimation methods have also been proposed in [17,55,77,136].

Human Private Information Inference
To infer private information related to the victim, we need to find the relationship between the desired human private information and the extracted features from the received wireless signals.Prior works on human private information derivation mainly focus on the following methods.
Triangulation.The location of the victim can be obtained through triangulation, which can leverage the features from multiple receiving devices deployed by the attacker.Then, the wireless signals' features from these receiving devices deployed by the attacker can be used to reduce the ambiguity due to the noise.For example, the overlap of two features (e.g., AoAs) can pinpoint the location of the victim [142].The feature (e.g., ToF) from one receiving device deployed by the attacker can formulate an ellipse.The overlap of multiple ellipses can pinpoint the location of the victim [7,8,81].Filtering.To obtain the location of the victim, the attacker can use filters to filter out the extracted features that are not related to the victim.The widely used filtering methods for localization, tracking, and gesture/activity recognition include Kalman filtering and particle filtering.For example, TurboTrack [81] leverages particle filtering to achieve robot localization.Pantomime [111] uses extended Kalman filtering to achieve gesture recognition.Markov chain modeling.Since tracking, hand gestures and human activity recognition are time-series movements, it is intuitive to leverage Markov chain models to delineate these time-series events.Prior works mainly use the Markov chain model or hidden Markov model (HMM) for tracking, localization, and gesture recognition.For example, TurboTrack [81] uses HMM to track RFIDtagged drones.Lei et al. [159] use HMM to track moving objects through the wall.
Dynamic time warping (DTW).The main idea of DTW is to measure the similarity between the extracted and ground-truth features for human private information inference.For example, Mudra [170] uses DTW to recognize hand gestures, and Holt et al. [131] leverage the multi-dimensional DTW for hand gesture recognition.
Machine learning models.The machine learning model, especially the deep neural network, has been widely used to infer human private information due to its powerful data representation, resulting in highly accurate human private information derivation.Therefore, recent works on human-centered wireless sensing mainly design deep neural networks for highly accurate human private information derivation [13,40,62].However, these machinelearning models are suffering from cyber attacks, the large training dataset collection, and scalability.Especially, in the wireless sensing domain, as the wireless environment is dynamic and full of multipath, it is very challenging to have well-trained and trustworthy machine learning models for human-centered wireless sensing [78].Even though passive attackers are considered to be stealthier, there are always detection approaches that can disable the stealthiness property of these passive attacks as shown in Section 7. Since these academic papers from the wireless sensing domain try to push the limit of sensing accuracy, they evaluate the attack performance from the perspective of sensing accuracy or localization error.The sensing accuracy reported in the state-of-the-art techniques for human activity or gesture recognition is usually more than 0.95 [145,169] and the localization error is at the decimeter level [84,135].The attack time in the wireless sensing attack can be defined as the time spent from deploying the attacking devices to successfully steal private information, which is not reported in these academic papers.We see some papers reporting the computational complexity of the sensing algorithms [42], which are not the attack time measured in real-world settings.

Received Signals-based Inference Attacks
The received wireless signals at the attacker can be used for inference attacks.Specifically, the attacker can collect the received wireless signals and then use them as features for an inference attack.For example, Zhu et al. [178] measure the variation of signal strength with a passive radio outside of the house to predict if there are occupants at home.IRshield [121] proposes to use the smart surface to distort the signal strength such that the attacker cannot predict the variation of the signal strength for occupant detection.However, the signal strength measurements are suffering from background noise.Vital-Radio [10] and Wistress [40] (i.e., stress sensing) use the variation of the signal phase caused by the chest movement to achieve the inference attack, as the phase information is resilient to the noise but sensitive to the signal's traveling path.

Wireless Channel-based Inference Attacks
After obtaining the reconstructed wireless channel, the attacker can use it as the feature for an inference attack.Furthermore, the attacker can extract the features based on the reconstructed wireless channel for an inference attack.Specifically, the attacker can extract the following features based on the reconstructed wireless channel: • Wireless channel.The straightforward idea is to use the reconstructed features directly.Using the wireless channel as the features have been extensively studied to achieve gesture/activity recognition [66,96,137,139,146,148] and indoor localization or tracking [11,22,33,153].
• Signal attenuation.The signal attenuation can be directly derived from the signal's amplitude, which can characterize the wireless signal's power loss due to the over-the-air propagation.• Doppler shift.Doppler shift is caused by the victim's movements in the physical environment, which can be used as a feature to infer private information.A victim moving at a speed of  at an angle of  from the attacker in the physical environment experiences a Doppler frequency shift given by: The attacker can obtain the Doppler shift feature from the frequencydomain signals by applying the Fourier transform on the received signals.Prior works mainly leverage the Doppler shift for activity/gesture recognition and respiration/heart rate estimation using RF signals [25,36,64,69,82,105,106,129,138,171].
• Time of Flight (ToF).ToF, denoted by , denotes the time duration during which the wireless signal travels through the physical Home, multiple people Indoor, one person Indoor, one person Indoor, one person Indoor, one person Sleep stage Indoor, one person   environment for distance , and is given by: The estimation accuracy of the ToF information highly depends on the signal bandwidth : In radar-based wireless sensing systems, ToF can be derived from the multipath profile describing the signal over time in a round trip.To conduct the inference attack, the attacker can snoop the pulse or frequency-modulated continuous-wave (FMCW) signals transmitted from the radar and reflected by the victim to create a multipath profile, which can be leveraged to infer the private information of hand gestures and location [6-8, 72, 91].ML models have been employed in radar-based wireless sensing systems to analyze the collected 3D point clouds, which can achieve finedgrained sensing on emotion/gestures/activity/behavior recognition [32,68,133,172], gait velocity and strait length estimation [46], sleep sensing [44,166,176], human pose/mesh estimation [173,174], 3D body skeleton [175], human identification/authentication [31,45,58,134], and respiration/heart rate detection [165].
• Angle of Arrival (AoA) and Angle of Departure (AoD).AoA needs to be derived from the antenna array-enabled attacker.AoA of -th signal path, denoted by   (), can be derived from the following equation: where   denotes the extra distance the signal travels, and  denotes the antenna separation in the antenna array.Similarly, AoD can be derived at the Tx's antenna array.by human movements.To use the estimated wireless channel for the attack, the attacker needs to accurately estimate the wireless channel.The attacker can simply infer the human private information based on the estimated wireless channel with machine learning models.This usually requires well-trained machine learning models on large-scale datasets, as the estimated wireless channel may not only be affected by human movements [13].To this end, the signal path that is affected by the subject of interest should be extracted for attacking purposes, which requires the attacker to resolve the multipath over frequency, time, or space dimension.To do so, ToF can be leveraged to achieve high sensing accuracy by resolving the multipath in the frequency domain with a large bandwidth, and AoA/AoD can be leveraged to achieve sensing accuracy by resolving the multipath in the space domain with an antenna array.However, the attacker needs to be instrumented with a large antenna array or occupy a large frequency band, which will further burden the existing wireless spectrum usage.An attacker can use signal attenuation derived from the estimated wireless channel for the attack, which is straightforward.However, it suffers from the multipath effect resulting in inaccurate attenuation estimation.Doppler shift is another factor that can be leveraged for sensing attack, while it is related to the moving speed of the subject of the target.As a result, Doppler shift cannot achieve fine-grained sensing attacks, even though the speed of the human movement is slow in practice.

TAXONOMY OF EXISTING DEFENSES 7.1 Prevention Strategy
Fig. 3 summarizes and illustrates the prevention strategies against the inference attacks in HCWS.Table 4 (a) presents the taxonomy of prevention strategies against inference attacks.
7.1.1Shielding Wireless Signals.The root cause of the inference attack is due to the widespread propagation nature of wireless signals and the multipath effect in the physical environment, thereby any attacker residing in the coverage area of the Tx can sniff the wireless signals.To prevent the inference attack, we can shield the transmitted signals such that the attacker's Rx cannot receive them using the following two methods: • Geofencing.Geofencing is a way that can block the wireless signal so that it becomes inaccessible to the attacker.To do so, we can cover the walls with electromagnetic shielding paints, customize the wireless signal coverage with 3D fabricated reflectors [23,26,156] or backscatter arrays [70,167], as shown in Fig. 3(a).
• Nulling.To eliminate or mitigate the wireless signal propagation that is accessible to the attacker, the TX can also beamform the signal towards the desired Rx [29] to minimize the signals leaking in the direction that could be received by the attacker, as shown in Fig. 3(b).Furthermore, if the location of the attacker is known, the Tx can apply beamforming to generate a deep null towards the attacker.Abedi et al. [4] leverage the nulling capability of WiFi access points, and PushID [143] uses the blind beamforming to extend the coverage of the backscatter communication, which can be used to eliminate the eavesdropping in WiFi backscatter sensing systems.

Obfuscating Wireless Signals.
To prevent inference attacks, we can also obfuscate the transmitted signals, such that the attacker cannot extract useful features from the sniffed wireless signals.To do so, the Tx can either randomize the transmitted signals or jam the received signals at the attacker's Rx as follows.
• Randomizing the transmitted signals.To obfuscate the transmitted signals, one way is to randomize the transmitted signals such that the attacker cannot predict anything from the traffic analysis based on the received signals as shown in Fig. 3(c).For example, RF-Cloak [43] randomizes the illuminated signals transmitted from the RFID reader to disable the attacker.Wijewardena et al. [149] consider randomization of the signal strengths to disable the attacker.
• Jamming the signals received by the attacker.Another way to obfuscate the transmitted signals is to deploy a signal generator to jam the received signals at the attacker, such that the signalto-interference plus noise ratio (SINR) at the attacker is under the noise floor to disable the attacker, as shown in Fig. 3(d).For example, Jiao et al. [56] consider injecting artificial channels at the Tx to prevent inference attacks.Huang et al. [48] use programmable metasurface to jam the pilot of the signals, and Lyu et al. [83] use the programmable metasurface to jam the overthe-air signals.discrete phase shifters that can change the phase of the wireless signals, as shown in Fig. 3(e).For example, LAIA [70] uses a phased array to control the wireless channel in the desired way by changing the wireless signal's phase.We can also use the programmable metasurface to change the impinged signal's phase in the desired way.As such, the signals received by the attacker cannot help to extract the clean wireless channel that is only affected by the victim for private information inference.For example, IRShield [121] designs a metasurface that can change the wireless channel to disable eavesdropping.Hu et al. [47] use the reconfigurable metasurface to change the wireless channel coefficients.Staat et al. [120] use the metasurface to achieve the jamming purpose that could disable eavesdroppers.
• Full-duplex relay-based wireless channel obfuscation.Another way to obfuscate the wireless channel is to use full-duplex relays, as shown in Fig. 3(g).An amplify-and-forward (AF) relay amplifies and delays the impinging signal from the Tx and then forwards it to the attacker, during which the AF relay can change the amplitude and/or phase of the Tx signal.As such, the AF relay can change the wireless channel in the desired way such that the attacker cannot extract the desired and clean wireless signals affected by the victim for private information inference.For example, PhyCloak [104] uses the AF relay node to change the wireless channel that can prevent the attacker.
Channel Spoofer [103] further demonstrates the AF relay node can change the wireless channel as designed.Sun et al. [125,126] use the AF relay to achieve destructive signal addition at the attacker in RFID-based sensing systems.
When the attacker is performing the active inference attack, the feasible defenses are jamming and obfuscation techniques.This is because the active attacker does not rely on the legitimate transmitter's transmissions to infer the human private information.

Detection Strategy
Detection of inference attacks aims to detect an attacker's Rx, which is challenging because the passive inference attack only passively sniffs the wireless signals in the environment without transmitting any signals.Detecting an attacker's Rx can be viewed as a sensing problem, where the detector aims to sense the Rx used and deployed by the attacker.To this end, there are three methods for detecting an Table 4: Taxonomy of existing prevention (a) and detection (b) strategies for the defenses against the inference attacks.✓: used, ✗: not used, -:all possible cases, ↑: high, and ↓: low.
Rx (i.e., attacker), as illustrated in Fig. 4. We present the taxonomy of detection strategies against the inference attacks in Table 4(b).
• Stimulus.Although the attacker's passive Rx does not actively emit any signal, we can actively transmit a known stimulation signal that can trigger the attacker's Rx circuit to leak unintended signals, which can then be captured for detection purposes, as shown in Fig. 4(a).For example, many research papers [71,109,[122][123][124]132] show that by actively transmitting a known stimulation signal, the attacker's circuit can be triggered to reflect the unintended wireless signals, which could be further analyzed to detect the attacker.Recent works [49,50,76] also show that by emitting light signals, hidden cameras can be detected.
• Passive sensing.The passive devices deployed by the attacker can still leak the wireless signals, although it is inactive and just listening.So, we can sense these weak signal leakage from the attacker to detect the presence of the inference attack as shown in Fig. 4(b).For example, many research papers [21,24,86,93,97,98,112,150] demonstrate and analyze the signal leakage from the local oscillator of the radio that can be sensed to detect the attacker.Recent works [34,160] show the security issue of the leaky wave antennas in Terahertz communication and sensing, which can be detected to eliminate the attack.
• Sensing through side-channel.A passive device that does not actively transmit any signal can also leak the signals through side channels.Therefore, we can detect the presence of the attacker over these side channels, as shown in Fig. 4(c).For example, Cui et al. [28] use a wireless signal sniffer to detect the signal leakage of the visible light communication and sensing systems.
Since the active attacker needs to transmit the wireless signals and analyze the backscattered signals for inference attack, it is easy to detect them through passive sensing and sensing through side channels.

CHALLENGES FOR PRIVACY-PRESERVING HCWS
C1: Sniffing device deployment.The active attackers can always transmit known wireless signals to infer human private information, while the passive attackers need to rely on the existing wireless signals transmitted by the deployed wireless sensing systems for inference attacks.However, passive attacks are more covert than active attacks.As a result, passive attacks are difficult to detect.Active attacks are easy to detect and localized by analyzing the transmitted wireless signals from the active attackers.Note that the existing passive attacks usually assume the attacker knows the exact signal type and frequency band the wireless sensing systems have used, which is not realistic for deploying realworld inference attacks.From the defense perspective, the signal type and frequency band used by the wireless sensing systems are also private information.If we can protect this information from being leaked, we can fundamentally defend against passive attacks.C2: Compensating hardware imperfection and artifacts.The hardware imperfection of the transceiver introduces an extra phase shift  (), and the moving transceiver or reflectors will introduce phase shift  () due to the Doppler shift effect.All these changes are collectively referred to as the wireless channel.Therefore, for the signal transmitted at a carrier frequency of   (or with wavelength  =    where  is the speed of light), the single-path wireless channel ℎ() can be defined as: In a real-world wireless environment, the signal received at the Rx is a composition of multiple copies of the original signal due to the multipath effect, where each copy can experience different attenuation, delay, and/or phase change.We can represent the channel seen by the Rx as the combination of all the possible  single-path channels: We are only interested in   () or   (), which is related to the subject of interest.As a result, it is highly challenging to resolve the composited signals received at the receiver due to the multipath effect.The hardware imperfection introduced by the transmitter is hard to compensate for, as the attacker cannot obtain the transmitter's hardware artifacts.As this hardware imperfection is unique to the hardware itself, it's usually leveraged for hardware fingerprinting.
The attacker needs to eliminate the human-introduced artifacts that are hidden in the wireless signals.For example, different people could perform the same activity or gesture with different scales and/or orientations with respect to the attacker.To remove the human-introduced artifacts in the extracted features, the attacker can rescale the time-series features [87,94,170].To remove the orientation artifacts in the extracted features, the prior works mainly leverage the space diversity by using two antennas to receive the wireless signals based on the fact that the orientation artifact can be canceled out across different antennas [127,169].After the preprocessing, the attacker can use them as the input of private information inference components for indoor localization [51,161] and tracking [12].C3: Vulnerable machine learning-based private information inference.Recently, we find that deep learning has been extensively studied in human-centered wireless sensing for high sensing accuracy without considering privacy leakage.Therefore, it is important to build trustworthy deep-learning models and apply them to the existing signal-processing pipeline of human-centered wireless sensing.We identify the following gaps or challenges to achieve privacy-preserving ML-enabled human-centered wireless sensing systems.Under our signal processing pipeline-based framework, we find that the wireless sensing systems often leverage machine learning models for human private information inference, which are vulnerable to adversarial attacks [20,128].Specifically, the attacker can add small carefully crafted noises to wireless signals to turn them into adversarial examples, which can obfuscate the machine learning models employed by the legitimate transceiver, such that the legitimate wireless sensing systems would make random inferences about human's private information.Even though we can directly apply the existing defensive mechanisms from the trustworthy machine learning community to secure the machine learning models used in HCWS, it is challenging to integrate these defensive mechanisms from the end-to-end HCWS system design point of view.This is because the existing defensive mechanisms for machine learning models are only designed for machine learning models without considering the integration and role of these models in an end-to-end system.C5: Resolving multipath in a dynamic and multiple person environment.The prior works on human-centered wireless sensing mainly focus on one subject of interest in a quasi-static wireless environment.This is because wireless sensing mainly leverages the variation of the wireless environment affected by human movements to infer human private information.When there are multiple different reflectors (e.g., walls, chairs, furniture, etc.) or moving artifacts in the environment, the received wireless signals at the attacker will be distorted.So, it is important for the attacker to resolve the multipath and extract the signal path that is only affected by the subject of interest.We illustrate the pros and cons of the following multipath resolving approaches from the time, frequency, and space domains.
• Resolving multipath in the time domain.To eliminate the artifacts introduced by the wireless environment, the straightforward idea is to assume the wireless environment is only affected by the victim and all other objects are relatively static.Specifically, the signal cancellation approach can be employed to cancel out the effects from all the other non-victims (e.g., walls, desks), while this approach barely works in the dynamic environment.This is because we cannot assume the environment-introduced artifacts are not changing over time for our cancellation purpose.
• Resolving multipath in the frequency domain.The main idea of resolving multipath in the frequency domain is to leverage the characteristic of the frequency-selective wireless channel in which the wireless signals operating at different frequencies will be affected by the physical environment differently.To do so, we leverage wireless signals that occupy a wide frequency band to measure the time-of-flight for resolving the multipath, while the wide-band signals are barely available due to the limited wireless spectrum.
• Resolving multipath in the space domain.Resolving the multipath in the space domain is intuitive, as the different objects in the physical environment will be located in different places.Therefore, the signals reflected by these different objects will undergo different physical paths, resulting in different AoA values that can be measured to resolve the multipath signal propagation.However, using multiple arrays will introduce deployment costs.Given the receiving antenna array, the AoA resolution is limited by this array's aperture size.When two objects are close to each other, they will introduce similar signal propagation paths that cannot be resolved over the space domain.
C6: Obfuscating the attacker without affecting the legitimate receiver's sensing purposes.Wireless sensing can be leveraged for human-computer interaction, smart homes, and asset tracking.So, it is important to obfuscate the attacker without affecting the legitimate receiver's sensing purposes.However, this is very difficult and challenging, as the attacker and legitimate receiver share the same wireless environment.As a result, the legitimate receiver will also receive these distorted wireless signals.The distorted signal cancellation at the legitimate receiver will also introduce extra artifacts that are hard to eliminate.Since we do not know where the attacker is, it is not possible to shine the very narrow beam toward the attacker without affecting the legitimate receiver's sensing purposes.Shielding wireless signals and wireless channels will affect and even suspend normal wireless communication due to the weak received signal strength at the legitimate receiver, which will not be desirable for joint communication and sensing systems as wireless sensing is usually a byproduct of wireless communication.In comparison to the prevention methods, the detection methods (e.g., passive sensing and sensing through side channels) will not affect the existing wireless communication, while it is very difficult to detect the leaked side-channel information from the attacker that is weak and usually under noise floor.

DISCUSSIONS AND FUTURE DIRECTIONS
Applying trustworthy machine learning.The existing trustworthy machine learning models do not take into account privacy issues when they are integrated into human-centered wireless sensing systems [13,158].For example, we know that adversarial examples can be leveraged to obfuscate the machine-learning models, while we still do not know how to apply the adversarial examples to achieve privacy-preserving ML-enabled human-centered wireless sensing systems from the end-to-end system design point of view.One possible solution is to generate the adversarial examples at the input features of the attacker's machine learning models without considering the end-to-end HCWS design, which requires us to access the attacker's sensing system.Since the input features of the machine learning models are coming from the signal processing pipeline, we can introduce over-the-air adversarial examples with smart surface or full-duplex relay nodes.
• Adversarial examples added to the wireless channel.To defend against an inference attack conducted based on the wireless channel, we can turn it into adversarial examples via deploying the programmable smart surface or full-duplex radio in the physical environment, such that the adversarially perturbed wireless channel makes the attacker's machine learning models randomly and incorrectly predict a victim's private information as shown in Fig. 5.The recent paper presents WiADv [177], a system that uses the full-duplex radio to obfuscate the estimated wireless channel at the receiver of the wireless sensing-based gesture recognition systems.
• Adversarial examples added to the received signals.legitimate Rx's analysis is unaffected by the adversarially perturbed wireless signals while the attacker's machine learning models make random and even incorrect inferences based on the adversarially perturbed wireless signals.
Defenses with formal privacy guarantees.Existing defenses do not have formal privacy guarantees.For instance, the prevention strategies with wireless signal obfuscation simply add noise to the signals received by the attacker without considering the privacy guarantee.When the attacker employs machine learning models for human private information inference, this added noise can be mitigated through adversarial training or incoherent averaging over multiple received signals.The detection strategies mainly focus on detecting the signal leakage at the attacker's Rx.Therefore, the defenses may be broken by advanced and adaptive inference attacks that know these defenses.Therefore, it is important to generate the noise derived from the differential privacy mechanisms [30], which can provide a privacy guarantee.Moreover, we could also leverage differential privacy and analyze the tradeoff between the privacy guarantee and the utility of wireless sensing or communication to achieve joint sensing and communication or defenses without affecting the legitimate transceiver's sensing purpose.Multimodal sensor fusion-based inference attacks.Existing inference attacks only leverage wireless signals from a single Rx.
To be resilient and robust to the dynamic and multipath wireless environment, the attacker can leverage multimodal sensor fusion, in which multiple Rxs can be used to sense the variation of the physical environment.As such, this multimodal sensor fusion provides improved diversity for the attacker to infer private information about the victim.To mitigate the privacy leakage in human-centered wireless sensing, we can still leverage the above defensive mechanisms.This is because multimodal sensor fusion highly depends on trustworthy signal sources from different devices.The above defensive mechanisms can also defend against the inference attack on each individual device in multimodal sensor fusion-based inference attacks.However, how effective using the above defensive mechanisms against the multimodal sensor fusion-based inference attacks needs further exploration.Moreover, One great challenge of multimodal sensor fusion-based inference attacks is data stream synchronization, as these multimodal features are extracted from multiple devices.
Detecting inference attack based on the estimated wireless channel.We identify that existing detection methods haven't leveraged wireless channels.It is an interesting future research direction to explore wireless channel-based detection methods.For instance, we can detect an attacker's Rx by measuring the wireless channel wireless channel.One idea is that the existence of the attacker's Rx changes the multipath reflection profile of the wireless channel.This is because wireless signal propagation highly depends on the reflection of different objects in the physical environment.Therefore, by comparing the difference of the multipath profile of the physical environment, we can detect the attacker's Rx.However, this highly depends on the granularity of the multipath profile.We believe that advanced sensors (e.g., LiDAR or mmWave Radar) can be used to create the 3D point cloud of the environment and then leverage computer vision techniques to identify the attackers.

CONCLUSIONS
In this work, we systematized the literature on human-centered wireless sensing-based inference attacks and defenses through frameworks and insights.To do so, we propose a signal processing pipeline-based framework to bridge the gap between wireless sensing and privacy implications.Then, we instantiate the wireless sensing-based inference attacks and defenses.Based on this, we address the open challenges and identify the design space for privacy-preserving wireless sensing.

2 ○
Sniffing and processing wireless signals.The attacker can either actively emit the wireless signals and then receive the backscattered signals or passively receive the ambient wireless signals from the environment to infer human private information.As the received wireless signals are affected by the subject of interest in the physical environment, it is feasible to predict the human private information from these sniffed wireless signals.Then, the attacker needs to extract the wireless signals that are only affected by the subject of interest by resolving the multipath reflections, as the received signals at the attacker are the results of the multipath effect.
2. As discussed in Section 4.3, the attacker sniffs the wireless signals propagated in the physical environment using the deployed sensing device to extract different information from the wireless signals

Figure 2 :
Figure 2: Overview of our proposed signal processing pipeline-based HCWS framework for analyzing and systematizing the existing humancentered wireless sensing.

Figure 3 :
Figure 3: Illustration of the prevention strategy.(a) geofencing that can block the wireless signals at the transmitter.(b) Nulling can nullify the signals received by the attacker.(c) Randomization introduces artifacts to the transmitted wireless signals.(d) Jamming can distort the received signals at the attacker.Obfuscation with a phased array or meta surface (e) and full-duplex relay (f) can distort the received wireless signals at the attacker.

7. 1 . 3 Figure 4 :
Figure 4: Illustration of the detection strategy.(a) Stimulus uses the generated wireless signals to excite the attacker for detection purposes.(b) Passive sensing can detect the existence of the attacker by overhearing the emanations from him/her.(c) Sensing through the side channel can detect the attacker by sensing the leakage of the undesired side-channel information from the attacker's Rx.

Figure 5 :
Figure 5: Adversarial example introduced by the smart surface, phased array, or full-duplex radio can disable the private information inference at the attacker.
We consider the attacker can sense the types of wireless signals around a victim.For instance, the attacker can first perform coarse-grained spectrum scanning to check if electromagnetic waves exist in the physical environment and then use fine-grained spectrum scanning to figure out the operating frequency of the wireless signals if they exist.
Receiving wireless signals via deploying a radio receiver.After the attacker senses the type of wireless signals, we consider the attacker is able to deploy a radio receiver to receive the wireless Tx Human Wall Rx Figure 1: A typical wireless sensing system consists of a transmitter (Tx) and a receiver (Rx), where the Tx transmits wireless signals undergoing the physical environment and the Rx receives wireless signals.The wireless signals may reach the Rx through multiple paths due to reflections of the different objects (e.g., walls) and subjects (e.g., humans) in the physical environment.

Table 2 :
Comparison of wireless technologies.

Table 3
The listed papers in the last column of the table can leverage different wireless technologies as shown in Section 4.2 for the attack.For example, one paper uses WiFi technology for attack and another paper uses cellular technology for attack.The stealthiness indicates if the attack is easy to detect.For example, in comparison to the active attacker who actively transmits wireless signals for attack, the passive attacker who passively receives the wireless signals is more stealthy.
shows the taxonomy of existing inference attacks based on our proposed signal processing pipeline-based framework, where the sniffed wireless signals at the attacker will be processed and distilled to infer human private information.The prior works are categorized across multiple dimensions such as the attack goal, privacy leakage, wireless environment, attacking device, wireless signals, inferring private information, and property.Note that the property includes three metrics: cost, stealthiness, and wireless technology.The cost metric is measured by whether the attack requires a customized hardware device that can work with high bandwidth or a large antenna array.Usually, the customized attacking device working at the high bandwidth with a large antenna array is high-cost.The ubiquitous wireless radios such as WiFi access points and COTS software-defined radios are considered to be low-cost and are widely available.The wireless technology column indicates all the wireless technologies such as WiFi, RFID, cellular, etc.

Table 3 :
Taxonomy of existing inference attacks in the human-centered wireless sensing.