Papers
Topics
Authors
Recent
Search
2000 character limit reached

From Pilot to Precoding Design: Blind Angular Spoofing For Location Privacy in MIMO Systems

Published 1 May 2026 in eess.SP | (2605.00535v1)

Abstract: This paper studies location privacy in uplink MIMO systems, where a user equipment seeks to spoof the angular signature observed by a single base station performing localization. We propose a blind analog precoder design that manipulates the perceived angle-of-arrival and angle-of-departure configuration without requiring channel-gain knowledge. The method enforces consistency between the received signal and a desired spoofed angular subspace, and is solved using an alternating optimization algorithm under practical amplitude constraints. Simulations in a multipath scenario show that the proposed approach achieves near-perfect angular spoofing and clearly outperforms pilot-only blind spoofing, which exhibits an error floor. The results also show a trade-off between spoofing accuracy and communication rate, depending on the chosen virtual geometry.

Summary

  • The paper formulates blind angular spoofing as an analog precoder design problem that deceives BS location estimation without using CSI.
  • It introduces an alternating optimization method that achieves near-zero RMSE for spoofed AoA/AoD, outperforming pilot-based spoofing approaches.
  • The work quantifies the trade-off between enhanced location privacy and reduced UE communication rate, emphasizing critical design considerations.

Problem Context and Motivation

The paper addresses the increasing threat to user location privacy in contemporary and emerging wireless networks—especially in uplink MIMO settings—where large antenna arrays and wide bandwidths allow accurate extraction of geometric channel features such as AoA and AoD. These features are directly leveraged for position inference by base stations (BS), sometimes without explicit user consent. Such privacy vulnerabilities are exacerbated when user equipment (UE) cannot reliably trust the BS or lacks channel state information (CSI), limiting the applicability of conventional privacy-preserving schemes that assume full or partial CSI.

Existing CSI-blind privacy mechanisms offer only coarse geometric obfuscation or are developed primarily for digital architectures, lacking applicability to systems where the UE is restricted to analog precoding. Pilot-based blind spoofing, while not requiring CSI, cannot precisely control the spatial (angular) features perceived by the BS. The paper seeks to introduce a new solution framework for such scenarios, targeting near-perfect deception of BS localization mechanisms even under analog hardware constraints and absent channel gain knowledge.

Technical Contributions

The core contributions are threefold:

  1. Formulation of Angular Spoofing as Analog Precoder Design: The paper rigorously casts blind angular spoofing as the problem of designing time-varying analog precoders to force the received BS signal into an arbitrary, attacker-selected angular subspace (i.e., target AoA/AoD configuration), regardless of the true channel gain vector.
  2. Optimization Framework: An alternating optimization method is proposed for the non-convex joint precoder and auxiliary variable design problem under practical per-element amplitude constraints. Each precoder can be updated efficiently, exploiting the separability of the optimization across measurements and symbols. The approach is compatible with real analog hardware utilizing phase shifters and attenuators.
  3. Empirical Demonstration of Superiority: Numerical results demonstrate that the proposed method enables the UE to spoof both AoA and AoD with near-zero RMSE in the absence of receiver knowledge of true channel gains—a substantial improvement over the error floor exhibited by pilot-only blind spoofing [16]. The approach also quantifies fundamental trade-offs between privacy/obfuscation strength and UE communication rate.

System and Attack Model

The system considered is an uplink single-BS narrowband multipath MIMO system, with frequency-flat channels and both LoS and NLoS paths. The BS estimates geometric channel parameters via a grid-based maximum likelihood cost function, searching for the peaks corresponding to angular features. The adversarial UE is modeled as being able to dynamically select analog precoders per measurement and symbol, constrained only by hardware limits.

The spoofing attack is thus: design a precoder sequence such that, for any (unknown) physical channel gain vector, the BS perceives the received angular response as arising from attacker-specified coordinates. The essential mathematical constraint is to match the received signal to the observation subspace of the desired (spoofed) geometry. The optimization is performed "blindly," i.e., without CSI at the UE.

Methodology and Theoretical Guarantees

The attack's feasibility is formalized via a subspace alignment condition: perfect spoofing is possible if the received signal induced by the (adaptively designed) analog precoders lies within the range space of the model evaluated at the spoofed angular parameters. To enforce this constraint, the optimization alternates between updating the analog precoders, auxiliary variables, and equivalent target channel gains, exploiting convex subproblems and elementwise optimal phase and amplitude updates for tractable implementation.

The coordinate descent algorithm is shown to decrease the objective monotonically and is guaranteed to converge due to the non-negativity and lower-boundedness of the cost function. The overall per-iteration complexity is O(SMNt)O(SMN_t), a significant practical advantage over prior pilot-based blind spoofing methods which scale at least quadratically or cubically with system parameters.

Numerical Results and Implications

Simulation studies distinctly highlight the benefits of the proposed analog precoder design. For both AoA and AoD, precoder-based spoofing achieves RMSEs that decrease toward zero with increasing transmit power, while pilot-based methods plateau due to insufficient control over the spatial signature imparted to the BS. Furthermore, when enforcing spoofed angular geometries that are misaligned with the actual propagation environment, the communication rate of the UE-BS link necessarily drops due to the partial sacrifice of favorable channel directions. This reveals an explicit trade-off between deceptive efficacy and communication rate.

The approach enables adversarial UEs to achieve virtually indistinguishable angular footprints at the BS from attacker-chosen locations, even under spatially-structured multipath, elevating the location privacy risk compared to existing methods. Conversely, it demonstrates that secure localization in future MIMO systems must account for the possibility of sophisticated analog spoofing attacks, especially under device constraints that preclude CSI-based methods.

Future Directions

Several future research avenues are identified. The extension to multicarrier or wideband systems, robustification against hardware impairments, handling dynamic or time-varying channels, and generalization to multi-BS network geometries are all essential for fully characterizing privacy risks. Furthermore, the development of countermeasures (e.g., cross-validation across multiple BSs, physical-layer authentication, or anti-spoofing analytics) is necessary to mitigate the practical risks posed by blind analog precoder-based attacks.

Conclusion

The paper establishes that geometry-aware, CSI-blind analog precoder design enables highly effective blind angular spoofing in uplink MIMO systems, permitting precise control over the perceived spatial signature at the BS and thereby significantly enhancing user location privacy. The method outperforms existing pilot-based blind spoofing approaches in both accuracy and flexibility, at the cost of a trade-off with respect to achievable communication rate. The findings emphasize the necessity for rigorous consideration of blind spatial spoofing threats in the design of future localization and privacy protocols in wireless networks.

For further technical detail, see "From Pilot to Precoding Design: Blind Angular Spoofing For Location Privacy in MIMO Systems" (2605.00535).

Paper to Video (Beta)

No one has generated a video about this paper yet.

Whiteboard

No one has generated a whiteboard explanation for this paper yet.

Open Problems

We haven't generated a list of open problems mentioned in this paper yet.

Collections

Sign up for free to add this paper to one or more collections.