XR Devices Send WiFi Packets When They Should Not: Cross-Building Keylogging Attacks via Non-Cooperative Wireless Sensing
Christopher Vattheuer
Network and Distributed System Security (NDSS) Symposium 2026 · Day 2 · Wireless Security
Presented by Justin from UCLA, this research introduces **TWIST** (Transition Web and Spring Tension Network), a novel keylogging attack against extended reality (XR) headsets that operates at distances of tens of meters -- even through walls and across buildings. Unlike prior VR keylogging attacks that require malware installation on the victim headset, close-range cameras, or nearby RF equipment, TWIST exploits a fundamental WiFi protocol behavior called **Polite WiFi** to turn the victim's headset into an involuntary transmitter. The attack requires no machine learning, no pre-training, and no fine-tuning -- only approximately 90 seconds of passive measurement to build a mapping between WiFi channel state information (CSI) and keyboard positions. The researchers demonstrated a cross-building attack at UCLA, successfully inferring keystrokes from one building to another across a courtyard.
AI review
A genuinely novel side-channel attack that weaponizes the WiFi protocol's mandatory ACK behavior to keylog XR headset users at distances of tens of meters, through walls, and across buildings. No ML, no training data, cheap hardware (ESP32), and works against Meta Quest 2/3 and Apple Vision Pro. The Polite WiFi exploitation combined with the near-field domination insight makes this both technically elegant and practically dangerous.