Deauthentication Attack #
A Deauthentication Attack (often Deauth Attack / De-auth) sends spoofed IEEE 802.11 Deauthentication management frames (Subtype 0x0C) to forcibly disconnect Wi-Fi clients from their AP, or vice versa. Hardware: any cheap Wi-Fi card with monitor-mode + packet-injection support. Software: open-source tools — aircrack-ng / mdk4 / wifite. Despite being one of the oldest known Wi-Fi attacks, as of 2026 it is still routinely exploitable on a huge installed base.
The root cause is a 1997 IEEE 802.11 design decision: management frames are sent unencrypted and unauthenticated. Data frames have been progressively protected (WEP → WPA → WPA2 → WPA3), but management frames that handle connection lifecycle — Authentication, Association, Deauthentication, Disassociation — sat in the clear for over two decades. IEEE 802.11w (Protected Management Frames, PMF) was finalized in 2009 and made mandatory in WPA3 in 2018, finally fixing the spec — yet most legacy devices, older corporate APs, and public Wi-Fi still leave PMF disabled, keeping a huge attackable surface.
This article frames Deauth as a building block of larger attacks — outright DoS, WPA2 handshake capture, Evil Twin redirection, and band-downgrade — and walks through how the frame works (SVG 1), the four typical scenarios (SVG 2), the standard tools, the major real-world incidents, the technical fix via 802.11w PMF, and the legal framing under Japan's Radio Act §109(2) and the US Communications Act §333.
1. 802.11 frames and the historical flaw in management frames #
The 802.11 MAC layer defines three frame classes:
| Class | Role | Encryption (WPA2 era) |
|---|---|---|
| Data Frame | Actual user data (HTTP / TCP, etc.) | Encrypted under WPA2 |
| Control Frame | Low-level RTS / CTS / ACK | None |
| Management Frame | Beacon / Probe / Association / Deauthentication / Disassociation | Plaintext under WPA2 (without PMF) |
The problem is the Management Frame class. Frames that control the connection lifecycle (Authentication / Association / Deauthentication / Disassociation) were specified to be plaintext and unauthenticated from 1997 onward, and that stayed unchanged for years.
The consequence: an attacker who can transmit on the right channel can impersonate the AP or the client, send spoofed Deauth frames, and:
- Disconnect any active client
- Make the AP believe a client has left
- After disconnection, catch the 4-way handshake when the client auto-reconnects, or lure the client to an Evil Twin AP
No prior credentials, WEP key, or WPA passphrase are needed — being in radio range is enough. That's what makes the Deauth Attack so decisively powerful.
2. Structure of a Deauth frame — why plaintext is enough #
At byte level, a Deauthentication frame is small:
The key vulnerability: Address 2 (Source Address) is arbitrary, so the attacker can impersonate either the AP or the client. With a Wi-Fi card in monitor mode + injection-capable, the tooling (Linux with iw / aircrack-ng) can transmit hundreds to thousands of spoofed Deauth frames per second.
3. Scenarios — Deauth as a building block, not just a DoS #
Most people hear "Deauth Attack" and think DoS, but in practice it's the entry move of a larger attack:
Four typical Deauth Attack scenarios
DoS / WPA2 4-way handshake capture / Evil Twin redirection / 5GHz→2.4GHz downgrade
① Pure DoS — continuous Wi-Fi disruption
Attacker: broadcast Deauth flood
All clients in range thrash between disconnect and reconnect
Electronic locks / IP cameras / IoT devices can fail open or shut
② WPA2 4-Way Handshake capture → dictionary attack
Attacker: one Deauth → client auto-reconnects → 4-way handshake is captured
capture.pcap → offline dictionary attack with hashcat / aircrack-ng
Short WPA2-PSK passwords (under ~10 chars) crack readily
③ Evil Twin / Rogue AP redirect
Attacker spins up a rogue AP with the same SSID, then Deauths clients off the real AP
Clients auto-reconnect to the rogue AP (stronger signal)
Attacker MITMs all traffic — SSL Strip / captive portal for credentials
④ 5GHz → 2.4GHz downgrade
Attacker Deauths the client off its 5GHz AP
Client rolls back to 2.4GHz — same SSID or attacker's rogue 2.4GHz AP
2.4GHz reaches further and through obstacles — attacker can stay distant
▼ Scenario ②: handshake-capture sequence
[Attacker] Put mon0 on the target AP's channel / use airodump-ng to learn the client's MAC
[Attacker → Client] aireplay-ng --deauth 1 -a [BSSID] -c [client MAC] sends one targeted Deauth
[Client] Auto-reconnects → completes the 4-way handshake (M1 → M2 → M3 → M4)
[Attacker] handshake.pcap → hashcat -m 22000 for dictionary / GPU cracking
Strategic role of each scenario:
- (1) DoS: deliberately taking down Wi-Fi-dependent physical security / IP cameras / electronic locks (legitimate only as a pentest scenario test)
- (2) Handshake capture: keeps WPA2-PSK cracking viable today — Deauth is the necessary step to force a fresh handshake
- (3) Evil Twin: the on-ramp for credential phishing on public Wi-Fi — Deauth gets the victim off the legitimate AP so they reconnect to yours
- (4) Downgrade: an advanced move — even when WPA3 / PMF is in place, forcing a fallback to an unprotected band or mode preserves the attack surface
In real-world incidents, Deauth standing alone as the goal is the minority case — it's the first move of a bigger compromise.
4. Tools — readily available open source #
Standard on Kali Linux / Parrot OS:
| Tool | Purpose |
|---|---|
| aircrack-ng suite | Industry standard — airmon-ng (monitor mode) / airodump-ng (scan) / aireplay-ng (Deauth injection) / aircrack-ng (cracking) |
| mdk3 / mdk4 | More aggressive — large-scale Deauth Flood / Beacon Flood / Authentication Flood |
| wifite / wifite2 | An aircrack-ng front-end — single command runs Deauth + handshake capture + crack |
| scapy | Build custom 802.11 frames in Python — great for learning and bespoke Deauths |
| bettercap | General-purpose MITM framework with a Wi-Fi module that includes Deauth |
| airbase-ng / hostapd-mana / WiFi-Pumpkin | Build Evil Twin / Rogue APs (paired with Deauth) |
Basic aireplay-ng Deauth injection:
# (1) Put the Wi-Fi card into monitor mode
sudo airmon-ng start wlan0
# → produces wlan0mon
# (2) Identify the target AP's channel / BSSID / client MAC
sudo airodump-ng wlan0mon
# → AP BSSID = XX:XX:XX:XX:XX:XX / Channel = 6 / Client = YY:YY:YY:YY:YY:YY
# (3) Lock to that channel and capture
sudo airodump-ng -c 6 --bssid XX:XX:XX:XX:XX:XX -w capture wlan0mon
# (4) In a second terminal, inject 10 Deauth frames
sudo aireplay-ng --deauth 10 -a XX:XX:XX:XX:XX:XX -c YY:YY:YY:YY:YY:YY wlan0mon
# (5) Verify the handshake is in capture-01.cap, then crack it
sudo aircrack-ng -w wordlist.txt capture-01.cap
scapy to build a custom Deauth frame (educational):
from scapy.all import *
bssid = "XX:XX:XX:XX:XX:XX"
client = "YY:YY:YY:YY:YY:YY"
# Deauth frame (subtype 12 = Deauthentication)
pkt = RadioTap() / \
Dot11(type=0, subtype=12, addr1=client, addr2=bssid, addr3=bssid) / \
Dot11Deauth(reason=7)
sendp(pkt, iface="wlan0mon", count=10, inter=0.1)
Legal note: running these against networks you don't own violates Japan's Radio Act and Unauthorized Computer Access Act (and in the US, Communications Act §333). Only use them against your own AP / home LAN / explicitly contracted pentest targets — covered below.
5. Real-world incidents — when Deauth caused real damage #
| Year | Incident | What happened / lesson |
|---|---|---|
| 2014 | Marriott Hotel ($600,000 FCC fine) | Marriott Gaylord Opryland (Nashville) deliberately Deauth-flooded guests' personal Wi-Fi hotspots to force them onto its paid Wi-Fi. FCC fined the chain $600,000 for "commercial Wi-Fi jamming." Established that disabling guest hotspots is illegal even on hotel property |
| 2014 | Hilton-related Wi-Fi jamming ($25,000 FCC fine) | Same pattern at Hilton properties — Deauth on MiFi / personal hotspots to push guests onto paid Wi-Fi. $25,000 fine + cooperation order sent a clear message to the industry |
| 2015 | Smart-City IoT incidents | Smart-city pilots saw outdoor IP cameras and Wi-Fi-controlled street lights knocked offline by Deauth tests — revealing that Wi-Fi-bound control planes don't belong in critical infrastructure |
| 2016-2020 | Credential theft on public Wi-Fi | Multiple reports of Evil Twin + Deauth combinations at airports, cafes, and hotel lobbies capturing social / email credentials. Part of the urgency behind Wi-Fi Alliance mandating WPA3 |
| 2017 | KRACK disclosure | Mathy Vanhoef's WPA2 KRACK vulnerability works standalone, but real-world exploitation typically uses Deauth to force reconnection → KRACK to abuse the nonce reuse. Renewed attention to Deauth as the trigger for other attacks |
| 2018- | Physical-security research | Office IP cameras / electronic locks / access-control systems running on Wi-Fi were repeatedly shown to fail under Deauth in seconds, reinforcing the view that Wi-Fi-dependent physical security is fragile |
The pattern: Wi-Fi-dependent IoT and physical security need to be designed assuming Deauth can take them down at any time. That's why modern devices often add PoE Ethernet or 4G/5G cellular failover paths.
6. Defense — 802.11w (PMF) and detection #
The only technical root-cause fix is enabling 802.11w (Protected Management Frames, PMF):
| Control | Detail |
|---|---|
| Enable PMF (802.11w) | Both AP and client must support and enable PMF — Deauth frames carry a MIC, and tampering is detected and dropped |
| Adopt WPA3 | WPA3-certified gear mandates PMF, so Deauth Attacks are automatically neutralized |
| PMF Required mode | Use "Required" rather than "Capable" — non-PMF clients are refused |
| WIDS / anomaly detection | Wireless IDS flags "high Deauth rate from a single MAC" — built into Aruba / Meraki / Cisco APs |
| RF shielding | Extreme but used in military / SCIF / certain data centers (Faraday cage, RF-absorbing paint) |
| Hardwire critical devices | IP cameras / electronic locks / printers — anything where downtime has physical impact — should run on PoE Ethernet |
| Continuous monitoring | Periodic airodump-ng / Kismet sweeps for unknown APs and unusual Deauth activity |
AP-side PMF (example: hostapd):
# /etc/hostapd/hostapd.conf
wpa=2
wpa_key_mgmt=WPA-PSK
ieee80211w=2 # 0=Disabled / 1=Capable / 2=Required
# For WPA3
# wpa_key_mgmt=SAE
# ieee80211w=2 (SAE requires it)
Client-side (Linux NetworkManager):
# /etc/NetworkManager/system-connections/MyAP.nmconnection
[wifi-security]
key-mgmt=wpa-psk
pmf=3 # 0=default / 1=disable / 2=optional / 3=required
Windows 11, macOS, iOS, and Android all support PMF by default in recent versions — once the AP requires it, clients negotiate it automatically.
Operational obstacles:
- Old APs (more than ~5 years) sometimes have no PMF support and never will, even with firmware updates
- Public Wi-Fi prioritizes compatibility and tends to ship with PMF Optional, which Deauth still bypasses
- WPA2 + PMF Required breaks old IoT devices that don't support PMF — an existing-asset compatibility problem
- Enterprises often have 2.4GHz legacy clients without PMF, requiring split SSID strategies
The litmus test for real Deauth defense is "can we set PMF Required?"
7. Detection — what a Wireless IDS sees #
A WIDS is the easiest place to catch a Deauth attack:
| Signal | What it suggests |
|---|---|
| Large bursts of Deauth from a single BSSID | Broadcast Deauth Flood (e.g., mdk4) |
| Repeated Deauths to one client MAC | Targeted Deauth — usually a handshake-capture preface |
| Multiple BSSIDs beaconing the same SSID | Possible Evil Twin |
| Anomalously strong signal nearby | Attacker may be physically close |
| Plaintext Deauth in a PMF-required environment | Definitely forged — dropped due to MIC failure but worth logging |
Open-source WIDS / monitoring:
- Kismet (the standard, Linux, free) — Deauth flood / rogue AP / anomaly detection
- WAIDPS — built by the wifite author
- Snort + wireless preprocessor
Commercial:
- Cisco CleanAir / Aruba RFProtect / Meraki Wireless Health — enterprise APs with detection + automatic countermeasures (RF containment against rogue APs)
SOC integration: feed Kismet logs into Splunk / Elastic, alert on "more than 100 Deauths/minute on one SSID." That's the modern operating model.
8. The legal side — Japan's Radio Act and the US FCC #
Japan:
- Radio Act §109(2) ("interfering with the function of radio equipment"): emitting radio waves with intent to interfere with another's communications — up to 1 year imprisonment or a ¥1,000,000 fine
- Radio Act §4 (licensing): operating above Wi-Fi-band power limits in pursuit of jamming may also count as unlicensed operation
- Unauthorized Computer Access Act: Deauth → Evil Twin → credential theft escalates into §4 (unauthorized access) and §5 (facilitation) territory
- Obstruction of Business by Force (Penal Code §234): deliberately jamming Wi-Fi at commercial premises — up to 3 years imprisonment or a ¥500,000 fine
United States:
- Communications Act of 1934, §333: interfering with another's licensed communications is a federal violation
- The Marriott / Hilton fines were issued under this provision
- FCC clarified in 2015 that interfering with personal Wi-Fi hotspots is illegal even on hotel or corporate property
For pentest / research, written authorization is non-negotiable:
- An AP you own / your own home LAN — legal
- Inside a customer's Rules of Engagement with written scope — legal
- Anything else — illegal
There is a wide gap between "technically easy" and "legally permitted" here. The single most important rule when working with this attack is "only on your own AP, or within a signed pentest contract."
A Deauthentication Attack exploits a 1997-era design choice — 802.11 management frames are unencrypted and unauthenticated — to forcibly disconnect Wi-Fi clients. The flaw was technically fixed in 2009 with 802.11w (PMF) and mandated in 2018 with WPA3, yet most installed gear runs without PMF, leaving the attack viable in 2026.
Deauth is rarely the goal by itself — it's the building block for WPA2 4-way handshake capture (offline cracking) / Evil Twin redirection (credential theft on public Wi-Fi) / band-downgrades. Hardware costs a few dollars and the tooling (aircrack-ng, mdk4, wifite) is open source, so the on-ramp is extremely low, and real-world damages — Marriott / Hilton FCC fines, credential theft on public Wi-Fi, IoT physical-security failures — keep accumulating.
The single root-cause defense is PMF in Required mode plus migration to WPA3. Legally, it's covered by Japan's Radio Act §109(2) and the US Communications Act §333 — running these tools against any network you don't own is straightforwardly illegal. The only safe places to experiment are your own AP and contracted pentest targets.
