Why 802.11 Management Frames Are the Problem
The 802.11 Wi-Fi standard defines three types of frames: data, control, and management. Management frames handle connection state: joining a network, maintaining association, and disconnecting. In WPA2 without Protected Management Frames, management frames are sent in the clear and carry no integrity check, even though the data frames that follow association are encrypted. Any station tuned to the same channel can craft and transmit a deauthentication frame (management type 0, subtype 12, 0x0C) or a disassociation frame (subtype 10, 0x0A) with the access point's MAC address written into the source and BSSID fields; all it takes is a radio that can inject raw frames.
When a client receives a deauth frame that appears to come from its access point, it immediately tears down the association and drops off the network. Nothing in the unprotected frame lets the client verify that it actually came from the AP: the sender address is just a cleartext header field, and the two-byte reason code in the body (for example 7, "Class 3 frame received from nonassociated STA") is taken at face value. The same spoofing works in the other direction, with a forged frame from the client's address telling the AP to drop that client.
How a Deauth Attack Works Step by Step
- Scan for targets: With a wireless adapter in monitor mode, the attacker captures traffic on the AP's channel and records the target AP's BSSID (its MAC address) and the MAC addresses of associated clients, all readable from the cleartext headers of beacons and data frames.
- Craft a spoofed frame: A deauthentication frame is built with the AP's BSSID in the source and BSSID fields, the client's MAC as the destination (or FF:FF:FF:FF:FF:FF to hit every associated client at once), and a reason code such as 7 in the body.
- Transmit on the AP's channel: The attacker injects the frame on the AP's channel, usually repeatedly. No association, authentication or knowledge of the password is needed, because nothing in the frame is ever checked.
- Client disconnects: The client processes the frame, drops its association, and must reconnect. The reconnection triggers a fresh WPA2 four-way handshake, which the attacker, already listening on the channel, can capture.
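The frame layout behind those steps, as an added example that is not part of the original article: a small pure-Python builder and parser for the 24-byte management header plus the two-byte reason code (the FCS is left to the radio). It only constructs and decodes bytes in memory and transmits nothing; the MAC addresses and helper names are the example's own choices, not from the page.

```python
import struct

# 802.11 frame control: byte 0 = subtype(4 bits) | type(2) | version(2), byte 1 = flags.
FTYPE_MGMT = 0
SUBTYPE_DISASSOC = 10   # 0x0A
SUBTYPE_DEAUTH = 12     # 0x0C
FLAG_PROTECTED = 0x40   # "Protected Frame" flag; set on PMF-protected unicast deauths

BROADCAST = "ff:ff:ff:ff:ff:ff"

# Reason codes from the 802.11 standard (subset).
REASON_CODES = {
    1: "Unspecified reason",
    2: "Previous authentication no longer valid",
    3: "Deauthenticated because sending STA is leaving (or has left)",
    7: "Class 3 frame received from nonassociated STA",
}


def mac_to_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", "").replace("-", ""))


def bytes_to_mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def build_mgmt_frame(subtype: int, dst: str, src: str, bssid: str, body: bytes, seq: int = 0) -> bytes:
    """Assemble a management frame without FCS:
    FC(2) Duration(2) Addr1=DA(6) Addr2=SA(6) Addr3=BSSID(6) SeqCtrl(2) Body."""
    fc0 = (subtype << 4) | (FTYPE_MGMT << 2) | 0      # protocol version 0
    fc1 = 0                                            # no flags set: an unprotected frame
    seq_ctrl = (seq & 0x0FFF) << 4                     # sequence number, fragment 0
    header = struct.pack("<BBH", fc0, fc1, 0)          # duration/ID = 0
    header += mac_to_bytes(dst) + mac_to_bytes(src) + mac_to_bytes(bssid)
    header += struct.pack("<H", seq_ctrl)
    return header + body


def build_deauth(client: str, bssid: str, reason: int = 7, seq: int = 0) -> bytes:
    """A spoofed deauth as an attacker crafts it: addressed to the client (or the
    broadcast address) and claiming to come from the AP. Reason 7 is the code
    many injection tools default to."""
    return build_mgmt_frame(SUBTYPE_DEAUTH, client, bssid, bssid, struct.pack("<H", reason), seq)


def parse_frame(raw: bytes) -> dict:
    """Decode the header fields a client (or a detector) sees."""
    if len(raw) < 24:
        raise ValueError("frame shorter than a management header")
    fc0, fc1, _duration = struct.unpack_from("<BBH", raw, 0)
    info = {
        "version": fc0 & 0x3,
        "type": (fc0 >> 2) & 0x3,
        "subtype": fc0 >> 4,
        "protected": bool(fc1 & FLAG_PROTECTED),
        "addr1": bytes_to_mac(raw[4:10]),
        "addr2": bytes_to_mac(raw[10:16]),
        "addr3": bytes_to_mac(raw[16:22]),
        "seq": struct.unpack_from("<H", raw, 22)[0] >> 4,
    }
    is_kick = info["type"] == FTYPE_MGMT and info["subtype"] in (SUBTYPE_DEAUTH, SUBTYPE_DISASSOC)
    if is_kick and not info["protected"] and len(raw) >= 26:
        code = struct.unpack_from("<H", raw, 24)[0]          # cleartext reason code
        info["reason"] = code
        info["reason_text"] = REASON_CODES.get(code, "reserved/other")
    info["broadcast"] = info["addr1"] == BROADCAST
    return info


if __name__ == "__main__":
    # Constructed sample addresses, not from any real network.
    ap, client = "00:11:22:33:44:55", "aa:bb:cc:dd:ee:01"
    for target in (client, BROADCAST):
        frame = build_deauth(target, ap, reason=7)
        print(frame.hex(), parse_frame(frame))
```

Note what the parser has to work with: every field that identifies the sender is plain bytes under the attacker's control, and the only thing that would distinguish a forged frame from a real one is the Protected flag and the integrity check that PMF adds behind it.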
Why Attackers Use Deauth Attacks
Deauth attacks serve two purposes. First, denial of service: continuously flooding deauth frames prevents any device from staying connected to the target AP, or, with a unicast target, keeps one chosen client off the network. Second, as a handshake-capture trigger: a single deauth makes the client reconnect, and the WPA2 four-way handshake is exchanged in the clear, so its EAPOL messages can be captured and the passphrase attacked offline by dictionary or brute force without sending another packet.
Protection: 802.11w Protected Management Frames (PMF)
The IEEE 802.11w amendment (2009) introduced Protected Management Frames. With PMF, unicast deauthentication, disassociation and action frames are encrypted and integrity-protected with the pairwise key established during the four-way handshake, using the same cipher as data frames, and broadcast deauth and disassociation frames carry a message integrity code (BIP) keyed by a group key (the IGTK) that the AP distributes during that handshake. A client that negotiated PMF discards any deauth or disassociation frame that is unprotected or fails the integrity check, so a spoofed frame is simply ignored. 802.11w also adds an SA Query procedure so that a forged association request cannot silently replace an existing protected association. Two caveats: PMF can only protect frames sent after the keys exist, so probe, authentication and association frames before the handshake remain unprotected, and it does nothing against denial of service below the protocol, such as jamming the channel.
PMF status by standard:
- WPA2: PMF is optional and usually off by default. Look for "Protected Management Frames", "PMF" or "802.11w" in your router's wireless settings. "Required" rejects every unprotected deauth; "Optional" (sometimes "Capable") protects only clients that negotiate PMF, and a client that did not negotiate it can still be kicked off.
- WPA3: PMF is mandatory. A WPA3-only network rejects spoofed deauth and disassociation frames by specification. In WPA2/WPA3 transition mode the AP advertises PMF as capable but not required, so a client that joins with WPA2 and without PMF remains exposed.
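A way to check what an AP actually advertises, added here as an example rather than taken from the article: the PMF bits live in the RSN Capabilities field of the RSN element (ID 48) that every beacon and probe response carries, bit 7 (MFPC, capable) and bit 6 (MFPR, required). The code below decodes that element from a beacon body and reports whether PMF is disabled, optional or required. The beacons it runs on are constructed in the script (the SSID "HomeNet", the sample configurations and the helper names are the example's own), so it runs without a capture file; fed real beacon bodies from a monitor-mode capture, the same parser verifies a router's "Required" setting rather than trusting the UI.

```python
import struct

IE_SSID, IE_RSN = 0, 48
OUI_IEEE = b"\x00\x0f\xac"                       # suite selectors defined by 802.11 itself
CIPHERS = {2: "TKIP", 4: "CCMP-128", 6: "BIP-CMAC-128", 8: "GCMP-128", 9: "GCMP-256"}
AKMS = {1: "802.1X", 2: "PSK", 5: "802.1X-SHA256", 6: "PSK-SHA256", 8: "SAE", 9: "FT-SAE"}
RSN_CAP_MFPR = 0x0040                            # Management Frame Protection Required
RSN_CAP_MFPC = 0x0080                            # Management Frame Protection Capable


def iter_ies(tagged: bytes):
    """Walk the ID/length/value elements that follow a beacon's fixed fields."""
    i = 0
    while i + 2 <= len(tagged):
        eid, ln = tagged[i], tagged[i + 1]
        yield eid, tagged[i + 2:i + 2 + ln]
        i += 2 + ln


def suite_name(raw: bytes, names: dict) -> str:
    if len(raw) < 4:
        return "truncated"
    if raw[:3] != OUI_IEEE:
        return f"vendor-{raw[:3].hex()}-{raw[3]}"
    return names.get(raw[3], f"type-{raw[3]}")


def parse_rsn(ie: bytes) -> dict:
    """Decode an RSN element: version, group cipher, pairwise ciphers, AKMs,
    RSN capabilities (where the PMF bits live) and, if present, the group
    management cipher used for BIP-protected broadcast management frames."""
    off = 0
    version, = struct.unpack_from("<H", ie, off); off += 2
    if version != 1:
        raise ValueError(f"unsupported RSN version {version}")
    group = suite_name(ie[off:off + 4], CIPHERS); off += 4
    n, = struct.unpack_from("<H", ie, off); off += 2
    pairwise = [suite_name(ie[off + 4 * k:off + 4 * k + 4], CIPHERS) for k in range(n)]; off += 4 * n
    n, = struct.unpack_from("<H", ie, off); off += 2
    akms = [suite_name(ie[off + 4 * k:off + 4 * k + 4], AKMS) for k in range(n)]; off += 4 * n
    caps = 0                                     # RSN Capabilities is optional; absent means no PMF
    if off + 2 <= len(ie):
        caps, = struct.unpack_from("<H", ie, off); off += 2
    rsn = {"group": group, "pairwise": pairwise, "akms": akms,
           "mfpc": bool(caps & RSN_CAP_MFPC), "mfpr": bool(caps & RSN_CAP_MFPR)}
    if off + 2 <= len(ie):                       # optional PMKID list, then group mgmt cipher
        npmkid, = struct.unpack_from("<H", ie, off); off += 2 + 16 * npmkid
        if off + 4 <= len(ie):
            rsn["group_mgmt"] = suite_name(ie[off:off + 4], CIPHERS)
    return rsn


def pmf_status(rsn: dict) -> str:
    if rsn["mfpr"]:
        return "required"
    return "optional" if rsn["mfpc"] else "disabled"


def audit_beacon(body: bytes) -> dict:
    """body = beacon frame body after the 24-byte MAC header: 8-byte timestamp,
    2-byte interval, 2-byte capability info, then tagged elements."""
    info = {"ssid": None, "pmf": "n/a (no RSN element: open or WPA1-only)"}
    for eid, data in iter_ies(body[12:]):
        if eid == IE_SSID:
            info["ssid"] = data.decode("utf-8", errors="replace")
        elif eid == IE_RSN:
            rsn = parse_rsn(data)
            info.update(rsn)
            info["pmf"] = pmf_status(rsn)
    return info


# --- constructed sample beacons (not real captures) -------------------------

def rsn_ie(pairwise, akms, caps, group_mgmt=None) -> bytes:
    body = struct.pack("<H", 1) + OUI_IEEE + bytes([4])              # version 1, group CCMP-128
    body += struct.pack("<H", len(pairwise)) + b"".join(OUI_IEEE + bytes([c]) for c in pairwise)
    body += struct.pack("<H", len(akms)) + b"".join(OUI_IEEE + bytes([a]) for a in akms)
    body += struct.pack("<H", caps)
    if group_mgmt is not None:
        body += struct.pack("<H", 0) + OUI_IEEE + bytes([group_mgmt])  # 0 PMKIDs, then BIP suite
    return bytes([IE_RSN, len(body)]) + body


def beacon_body(ssid: str, rsn: bytes) -> bytes:
    fixed = struct.pack("<QHH", 0, 100, 0x0411)   # timestamp, 100 TU interval, ESS+privacy caps
    return fixed + bytes([IE_SSID, len(ssid)]) + ssid.encode() + rsn


SAMPLES = {
    "wpa2_psk_no_pmf":   beacon_body("HomeNet", rsn_ie([4], [2], 0)),
    "wpa2_pmf_required": beacon_body("HomeNet", rsn_ie([4], [6], RSN_CAP_MFPC | RSN_CAP_MFPR, 6)),
    "wpa3_transition":   beacon_body("HomeNet", rsn_ie([4], [2, 8], RSN_CAP_MFPC, 6)),
    "wpa3_only":         beacon_body("HomeNet", rsn_ie([4], [8], RSN_CAP_MFPC | RSN_CAP_MFPR, 6)),
}

if __name__ == "__main__":
    for name, body in SAMPLES.items():
        a = audit_beacon(body)
        print(f"{name:18} ssid={a['ssid']} akms={a.get('akms')} pmf={a['pmf']}")
```

The transition-mode sample is the one to look at: it lists both PSK and SAE as AKMs and sets MFPC without MFPR, which is exactly the "capable but not required" state described above.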
How to Protect Your Network
- Enable WPA3 on your router, since WPA3 mandates PMF. WPA2/WPA3 mixed (transition) mode keeps older clients working, but it advertises PMF as capable rather than required, so a client that joins with WPA2 and without PMF is still exposed; move to WPA3-only once every client supports it.
- Enable PMF in the WPA2 settings if WPA3 is not available. "Required" is the setting that actually stops deauth attacks, at the cost that clients without 802.11w support can no longer join; "Optional" lets those older clients connect while protecting only the devices that negotiate PMF, so a spoofed deauth can still knock the older ones off.
- Use a long, random Wi-Fi passphrase so that a captured handshake cannot be cracked offline in practice: the handshake lets an attacker test guesses at any speed, but gives no shortcut beyond guessing.
- Monitor for deauth floods. Router or WIPS intrusion detection and open-source tools such as Kismet flag bursts of deauthentication and disassociation frames and deauths addressed to the broadcast address; a mismatch between the sequence numbers of those frames and the AP's own frame counter is another tell. Any of these in a capture of your own channel indicates an attack in progress.
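A minimal detector of the kind the last bullet describes, added as an example and not taken from the article or from Kismet: it walks timestamped raw 802.11 frames, keeps a sliding one-second window of deauth and disassociation frames per transmitter address, and raises one alert per burst once the count crosses a threshold, recording how many of them were broadcast. The capture it runs on is constructed inline (a beaconing AP, one legitimate AP-initiated deauth that must not alert, and an attacker burst spoofing the AP's address); the BSSID, thresholds and function names are the example's own assumptions.

```python
from collections import defaultdict, deque

SUBTYPE_BEACON, SUBTYPE_DISASSOC, SUBTYPE_DEAUTH = 8, 10, 12
BROADCAST = b"\xff" * 6


def mac(s: str) -> bytes:
    return bytes.fromhex(s.replace(":", ""))


def fmt(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def mgmt_frame(subtype: int, dst: bytes, src: bytes, body: bytes = b"") -> bytes:
    # Bare unprotected management frame: FC(2), duration(2), addr1, addr2, addr3=BSSID, seq ctrl, body.
    return bytes([subtype << 4, 0x00, 0x00, 0x00]) + dst + src + src + b"\x00\x00" + body


def detect_deauth_flood(frames, window: float = 1.0, threshold: int = 10) -> list:
    """Sliding-window rate detector over raw 802.11 frames.

    frames: iterable of (timestamp_seconds, raw_bytes) in capture order.
    Emits one alert per BSSID per burst once `threshold` deauth/disassoc frames
    carrying that BSSID as transmitter fall inside `window` seconds.
    """
    recent = defaultdict(deque)      # bssid -> deque of (ts, addressed_to_broadcast)
    last_alert = {}                  # bssid -> ts of last alert, so a burst alerts once
    alerts = []
    for ts, raw in frames:
        if len(raw) < 24:
            continue
        fc0 = raw[0]
        ftype, subtype = (fc0 >> 2) & 0x3, fc0 >> 4
        if ftype != 0 or subtype not in (SUBTYPE_DEAUTH, SUBTYPE_DISASSOC):
            continue                 # beacons, probes, data: not of interest here
        addr1, addr2 = raw[4:10], raw[10:16]
        q = recent[addr2]
        q.append((ts, addr1 == BROADCAST))
        while q and ts - q[0][0] > window:
            q.popleft()              # drop frames that fell out of the window
        if len(q) >= threshold and ts - last_alert.get(addr2, float("-inf")) > window:
            last_alert[addr2] = ts
            alerts.append({
                "bssid": fmt(addr2),
                "window_start": q[0][0],
                "window_end": ts,
                "count": len(q),
                "broadcast": sum(1 for _, bc in q if bc),
            })
    return alerts


def make_sample_capture(flood: bool = True) -> list:
    """Constructed traffic, not a real capture: a legitimate AP beaconing every 100 ms,
    one genuine AP-initiated deauth (reason 3, 'STA is leaving'), and optionally an
    attacker's burst of 40 broadcast deauths spoofing the AP at 10 ms spacing."""
    ap, client = mac("00:11:22:33:44:55"), mac("aa:bb:cc:dd:ee:01")
    frames = [(round(i * 0.1, 3), mgmt_frame(SUBTYPE_BEACON, BROADCAST, ap, b"\x00" * 12))
              for i in range(30)]
    frames.append((2.5, mgmt_frame(SUBTYPE_DEAUTH, client, ap, b"\x03\x00")))
    if flood:
        frames += [(round(1.0 + i * 0.01, 3), mgmt_frame(SUBTYPE_DEAUTH, BROADCAST, ap, b"\x07\x00"))
                   for i in range(40)]
    frames.sort(key=lambda f: f[0])
    return frames


if __name__ == "__main__":
    for alert in detect_deauth_flood(make_sample_capture()):
        print(alert)
```

The single legitimate deauth at 2.5 s never trips the detector, and the 40-frame burst produces exactly one alert rather than 31, which is the behaviour you want before wiring something like this to a pager. Tune the window and threshold to the AP's real roaming and timeout behaviour; a busy enterprise AP legitimately sends more deauths than a home router.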
Frequently Asked Questions
Can a deauth attack steal my Wi-Fi password?
Not directly: the frame itself carries no secrets. But it is the standard way to force a WPA2 handshake capture. When the client reconnects after a deauth, the four-way handshake is exchanged in the clear, and the captured messages can be run through an offline dictionary or brute-force attack against the passphrase. A long, random passphrase makes that attack computationally infeasible, and the SAE handshake used by WPA3-Personal is designed so that a captured exchange does not permit offline guessing at all.
Does WPA3 protect against deauth attacks?
Yes, for clients that actually connect with WPA3. WPA3 mandates Protected Management Frames (802.11w), so deauthentication and disassociation frames carry integrity protection and forged ones are rejected. Two limits remain: in WPA2/WPA3 transition mode a client that joins with WPA2 and without PMF is still exposed, and PMF does not stop denial of service that works below the protocol, such as jamming the channel.
Is it legal to run a deauth attack?
Only on networks and devices you own or have explicit written authorization to test. Running deauth attacks against any network you don't own is illegal under the CFAA (US), Computer Misuse Act (UK), and equivalent laws worldwide.