This work addresses the vulnerability of WiFi to eavesdropping due to the penetrative nature of radio-frequency (RF) signals, which risks exposure of cryptographic keys. To mitigate this, the paper proposes LightGuard—a novel approach that leverages the physical confinement of LiFi channels to securely generate session keys and transparently deploy them to WiFi interfaces, thereby avoiding key transmission over open RF channels. The system integrates commercial off-the-shelf WiFi NICs with a custom-designed LiFi transceiver frontend to establish a dual-link key distribution architecture, enabling physical-layer isolation for enhanced security. Prototype evaluation demonstrates that LightGuard effectively prevents cryptographic keys from being exposed via RF emissions, significantly strengthening WiFi security.

WiFi is inherently vulnerable to eavesdropping because RF signals may penetrate many physical boundaries, such as walls and floors. LiFi, by contrast, is an optical method confined to line-of-sight and blocked by opaque surfaces. We present LightGuard, a dual-link architecture built on this insight: cryptographic key establishment can be offloaded from WiFi to a physically confined LiFi channel to mitigate the risk of key exposure over RF. LightGuard derives session keys over a LiFi link and installs them on the WiFi interface, ensuring cryptographic material never traverses the open RF medium. A prototype with off-the-shelf WiFi NICs and our LiFi transceiver frontend validates the design.