AI Summary
This study reveals previously unexplored vulnerabilities in Wi-Fi physical-layer security mechanisms that rely on channel state information (CSI) for authentication and key generation. To exploit this weakness, the authors propose BFIAttack, a novel attack that leverages beamforming feedback information (BFI) as an attack surface for the first time. By exploiting spatial similarity among antenna pairs, BFIAttack reconstructs legitimate users' CSI to circumvent existing physical-layer defenses. In single-antenna scenarios, the attack employs closed-form CSI reconstruction, while in multi-antenna settings, it combines maximum likelihood estimation with spatial correlation optimization to achieve high-fidelity CSI recovery. Experimental results demonstrate that the attack succeeds with over 93% probability in a single attempt under single-antenna conditions, and achieves an average success rate of 73% within five attempts in multi-antenna environments, underscoring a critical security flaw in current Wi-Fi physical-layer protocols.
Abstract
With the rapid evolution of wireless technologies, Wi-Fi has expanded beyond its original role in data transmission to support various emerging applications, particularly in physical-layer security, including device authentication, user authentication, and secret key generation. Despite extensive research on Wi-Fi Channel State Information (CSI)-based physical-layer security, its vulnerabilities remain largely unexplored. In this work, we propose BFIAttack, a novel attack that exploits Beamforming Feedback Information (BFI) to reconstruct the CSI of a legitimate user or device, thereby compromising Wi-Fi-based physical-layer security. We realize the attack by leveraging a closed-form CSI reconstruction method for the single-antenna station scenario and a maximum likelihood estimation-based CSI reconstruction for the multi-antenna station scenario. Moreover, we exploit spatial similarities among antenna pairs to refine the reconstructed CSI and enhance attack effectiveness. Experimental results show that BFIAttack achieves an average attack success rate of $73\%$ in multi-antenna station scenarios with no more than five attack attempts, and over $93\%$ in single-antenna station scenarios with only a single attempt. BFIAttack reveals critical vulnerabilities in existing Wi-Fi-based physical-layer security.