Wi-Fi deauthentication attack

File:Deauth attack sequence diagram.svg for a Wi‑Fi deauthentication attack]]

Unlike most radio jammers, deauthentication acts in a unique way. The IEEE 802.11 (Wi-Fi) protocol contains the provision for a deauthentication frame. Sending the frame from the access point to a station is called a "sanctioned technique to inform a rogue station that they have been disconnected from the network".

An attacker can send a deauthentication frame at any time to a wireless access point, with a spoofed address for the victim. The protocol does not require any encryption for this frame, even when the session was established with Wired Equivalent Privacy (WEP), WPA or WPA2 for data privacy, and the attacker only needs to know the victim's MAC address, which is available in the clear through wireless network sniffing.

One of the main purposes of deauthentication used in the hacking community is to force clients to connect to an evil twin access point which then can be used to capture network packets transferred between the client and the access point.

The attacker conducts a deauthentication attack to the target client, disconnecting it from its current network, thus allowing the client to automatically connect to the evil twin access point.

In order to mount a brute-force or dictionary based WPA password cracking attack on a Wi‑Fi user with WPA or WPA2 enabled, a hacker must first sniff the WPA 4-way handshake. This sequence can be elicited by first forcing the user offline with the deauthentication attack.

The Federal Communications Commission has fined hotels and other companies for launching deauthentication attacks on their own guests; the purpose being to drive them off their own personal hotspots and force them to pay for on-site Wi-Fi services.

There are a number of software toolsets that can mount a Wi‑Fi deauthentication attack, including: Aircrack-ng suite, MDK3, Void11, Scapy, and Zulu.

A Pineapple rogue access point can also issue a deauth attack.{{citation|title=Five ways to protect yourself from Wi-Fi honeypots|date=March 10, 2012|author=Declan McCullagh |publisher=CNet|url=http://www.cnet.com/news/five-ways-to-protect-yourself-from-wi-fi-honeypots/#!}}{{citation|title=WiFi Deauth Attacks, Downloading YouTube, Quadcopters and Capacitors|work=Hak5|author=Darren Kitchen|id=episode 1722|url=https://hak5.org/episodes/hak5-1722|date=January 14, 2015}}

• Radio jamming
• IEEE 802.11w – offers increased security of its management frames including authentication/deauthentication

{{reflist|30em|refs=

{{citation|title=Marriott fined $600,000 by FCC for blocking guests' Wi-Fi|author= Katia Hetter |date=October 4, 2014|publisher=CNN|url=http://www.cnn.com/2014/10/03/travel/marriott-fcc-wi-fi-fine/index.html}}

{{citation|title=FCC Fines Hotel Wi-Fi Provider for Blocking Personal Hotspots|author=Nicholas Deleon|work=Vice|date=August 18, 2015 |url=https://www.vice.com/en/article/fcc-fines-freedom-hating-hotel-wi-fi-provider-for-blocking-personal-hotpsots/}}

{{citation|title=Order and consent decree — In the Matter of SMART CITY HOLDINGS, LLC|url=http://transition.fcc.gov/Daily_Releases/Daily_Business/2015/db0818/DA-15-917A1.pdf |id=DA 15-917|publisher=Federal Communications Commission|date=August 18, 2015|quote=The complaint charged that its customers could not connect to the Internet using the complainant's equipment at several venues where Smart City operates or manages the Wi-Fi access. Specifically, the complainant alleged that Smart City transmitted deauthentication frames to prevent the complainant's customers' use of their Wi-Fi equipment. ... Smart City's responses [to FCC Letters of Inquiry] revealed that, at several venues where it managed or operated Wi-Fi systems, it automatically transmitted deauthentication frames to prevent Wi-Fi users whose devices produced a received signal strength above a preset power level at Smart City access points from establishing or maintaining a Wi-Fi network independent of Smart City's network. }}

{{citation|title=FCC Fines Marriott For Jamming Customers' WiFi Hotspots To Push Them Onto Hotel's $1,000 Per Device WiFi|author=Mike Masnick|date=October 3, 2014|work=Tech Dirt|url=https://www.techdirt.com/articles/20141003/12083628721/fcc-fines-marriott-jamming-customers-wifi-hotspots-to-push-them-onto-hotels-1000-per-device-wifi.shtml}}

{{citation|title=Deauthentication|publisher=Aircrack-ng|url=https://www.aircrack-ng.org/doku.php?id=deauthentication}}

{{citation|title=Wireless Security Series Part I: Detoolauthentication Attacks by AirMagnet Intrusion Detection Research Team|publisher=Fluke Networks|url=http://www.flukenetworks.com/content/eyeonnetworks-wlan-security-and-analysis|access-date=2015-08-18|archive-date=2016-03-18|archive-url=https://web.archive.org/web/20160318145907/http://www.flukenetworks.com/content/eyeonnetworks-wlan-security-and-analysis|url-status=dead}}

{{citation|author=Joshua Wright|title=Weaknesses in Wireless LAN Session Containment | year=2005 | url=http://www.willhackforsushi.com/papers/wlan-sess-cont.pdf}}

{{citation|title=802.11 Denial-of-Service Attacks: Real Vulnerabilities and Practical Solutions|first1=John |last1=Bellardo |first2=Stefan |last2=Savage |date=2003-05-16 |work=Proceedings of the USENIX Security Symposium, Aug 2003|via=Cal Poly|url=http://users.csc.calpoly.edu/~bellardo/pubs/usenix-sec03-80211dos-html/aio.html}} ([http://users.csc.calpoly.edu/~bellardo/pubs/usenix-sec03-80211dos-html/node11.html Deauthentication Attack chapter link])

{{citation|title=Hacking Techniques in Wireless Networks: Forged Deauthentication|first=Prabhaker|last=Mateti|publisher=Department of Computer Science and Engineering, Wright State University|year=2005|url=http://cecs.wright.edu/~pmateti/InternetSecurity/Lectures/WirelessHacks/Mateti-WirelessHacks.htm#_Toc77524675|access-date=2015-08-18|archive-date=2020-07-14|archive-url=https://web.archive.org/web/20200714082902/http://cecs.wright.edu/~pmateti/InternetSecurity/Lectures/WirelessHacks/Mateti-WirelessHacks.htm#_Toc77524675|url-status=dead}}

{{citation|date=October 4, 2014|author=Thomas Claburn|title=Marriott Pays $600,000 For Jamming WiFi Hotspots|work=Information Week|url=http://www.informationweek.com/mobile/mobile-devices/marriott-pays-$600000-for-jamming-wifi-hotspots/d/d-id/1316354}}

}}

• {{citation|title=A Lightweight Solution for Defending against Deauthentication/Disassociation Attacks on 802.11 Networks|first1=Thuc D. |last1=Nguyen|first2=Duc H. M. |last2=Nguyen|first3=Bao N. |last3=Tran|first4=Hai |last4=Vu |first5=Neeraj |last5=Mittal|work=Proceedings of the 17th IEEE International Conference on Computer Communications and Networks (ICCCN)|pages=185–190|location=St. Thomas, Virgin Islands, USA|date=August 2008|isbn=978-1-4244-2389-7|doi=10.1109/ICCCN.2008.ECP.51|citeseerx=10.1.1.310.1319 |s2cid=14833574 }}{{subscription required}}
• [http://www.utdallas.edu/~neerajm/publications/conferences/attacks.pdf author's link] (no paywall)
• [https://web.archive.org/web/20190728194758/https://transition.fcc.gov/eb/jammerenforcement/jamfaq.pdf GPS, Wi-Fi, and Cell Phone Jammers] — FCC FAQ

Category:Denial-of-service attacks

Category:Wi-Fi