
The Michael Shutdown Attack — A Wi-Fi DoS That Weaponizes TKIP's Own Defense

⏱ approx. 16 min read · 2026-06-08

The Michael shutdown attack (the TKIP MIC countermeasure attack) is a Wi-Fi DoS that weaponizes TKIP's own "defense." TKIP protects each packet with a lightweight MIC (Message Integrity Check) called Michael, but Michael is cryptographically weak (only about 20 bits of effective security). So the 802.11i standard added a countermeasure: if an AP (or station) detects two Michael MIC failures within 60 seconds, it concludes an active forgery attack is underway and shuts down TKIP communication for 60 seconds. An attacker deliberately satisfies that trigger to cause a DoS. Just inject two frames with an invalid Michael MIC within 60 seconds — only about two packets per minute — to force the AP into a 60-second halt. In stark contrast to the deauth flood's continuous high-volume injection, this is an extremely low-bandwidth, stealthy denial of service.

▸ For newcomers — just these three things first

The essence is three things. (1) The Michael shutdown attack is one where "the attacker deliberately trips the '60-second halt' safety device that TKIP built to protect itself, in order to take down the Wi-Fi." (2) Only legacy Wi-Fi using TKIP (WPA / WPA1, or WPA2 configured with TKIP) is affected. WPA2-AES (CCMP) and WPA3 are not. (3) The fix is simply "drop TKIP and use WPA2-AES or WPA3." That removes the attack surface completely. Read this alongside the sibling article on the Deauthentication Attack for the full picture of Wi-Fi DoS.

01. What the Michael shutdown attack is — in one line

In one line: "a DoS that weaponizes TKIP's defense mechanism." The attacker injects two frames with an invalid MIC within 60 seconds and forces the AP into the 60-second shutdown the standard itself mandates. Repeating that alone takes the Wi-Fi down.

▸ Put plainly — keep pulling the fire alarm to shut the building

Michael was originally built as a "safety device to detect forged packets." But a safety device can be made to misfire. If pulling the fire alarm twice evacuates the whole building (= a 60-second halt), the attacker simply pulls it twice on purpose. Where the deauth flood is a brute-force "keep kicking the door," the Michael attack is a refined disruption that "reads the opponent's defensive rule and triggers it with the fewest possible moves."

And the decisive point: this attack is limited to TKIP. A WPA2 setup using AES-CCMP, or WPA3, has no Michael and no such countermeasure (CCMP has a strong MIC). In practice, then, this is positioned as a legacy-network attack.

02. Background — TKIP and the Michael MIC

Understanding why a "weak MIC" had to be used makes the structure of the attack snap into focus.

▸ Put plainly — a compromise to run on old WEP hardware

TKIP was designed to patch WEP's broken crypto while keeping the existing WEP-only hardware. So its integrity check, Michael, was built to be extremely lightweight so even old hardware could compute it (designed by Niels Ferguson). In exchange for that lightness, its cryptographic strength was sacrificed: only about 20 bits of effective security — weak enough that forgery by brute force is practically feasible.

To compensate, 802.11i added the Michael countermeasures (MIC failure countermeasures). Since Michael alone can't fully prevent forgery, a follow-up safety measure was layered on: "if signs of forgery (MIC failures) cluster in a short window, halt communication and re-key."

| Element | Role | Weakness / role |
|---|---|---|
| TKIP | A cipher that delivers WPA while staying WEP-hardware compatible | A WEP stopgap. Now deprecated |
| Michael (MIC) | Per-packet integrity check | Weak — about 20 bits of effective security |
| CRC / ICV | Detects transmission errors | Does not prevent tampering |
| Countermeasure | Protective action on repeated MIC failures | Abused by this attack |

▸ Related — how it differs from the Beck–Tews attack

The weakness of TKIP / Michael also underpins the Beck–Tews attack (2008). But Beck–Tews aims at partial decryption and forgery of packets, which is clearly different in purpose from this article's Michael shutdown attack (a DoS). Both stem from the same TKIP weakness, but keep the distinction clear: "steal/forge data" (Beck–Tews) versus "halt communication" (Michael shutdown) are different things.

03. How a "defense" — the 60-second shutdown — becomes the attack surface

The countermeasure's trigger and behavior are defined in the 802.11i standard as follows.

1. Inject a frame with an invalid MIC
The attacker sends a TKIP data frame with a valid CRC / ICV and a valid, in-window TSC (TKIP sequence counter), but an invalid Michael MIC. Because the ICV and replay checks pass and only the MIC fails, the receiver judges this a sign of forgery.
2. Two MIC failures within 60 seconds
When the AP (or station) detects two Michael MIC failures within 60 seconds, it concludes an active forgery attack is underway. This is the countermeasure's trigger.
3. Shut down TKIP for 60 seconds
As a protective measure, it stops TKIP communication for 60 seconds, dropping affected sessions, then re-keys and rate-limits new associations.
4. Repeat for a persistent DoS
The attacker need only keep sending about two packets per minute to chain the shutdowns. With extremely low bandwidth and injection volume, a persistent, stealthy disruption holds.
▸ The defensive rule becomes the lever

A normal DoS needs "more volume than the target can absorb," but this attack does not. Because the 60-second halt is mandated by the standard itself, the attacker can extract 60 seconds of downtime from just two packets. The goal becomes not volume but "satisfying the trigger condition of the defense" — that is the heart of this attack.
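As an added illustration (not code from the article or from mdk4), the following Python models the receiver-side rule described above: a first MIC failure opens a 60-second window, a second failure inside it halts TKIP for 60 seconds and re-keys, and failures arriving during a halt are dropped unprocessed. The timelines are constructed, and the model follows the standard's trigger rule rather than any particular vendor implementation.

```python
"""Receiver-side model of the 802.11i TKIP MIC-failure countermeasure.
Added illustration for this article, not code from the original page or
from mdk4; the event timelines at the bottom are constructed."""
from typing import List, Optional

MIC_FAILURE_WINDOW = 60.0  # a second failure inside this window trips the countermeasure
HALT_SECONDS = 60.0        # TKIP traffic is halted for this long, then keys are refreshed


class TkipReceiver:
    """Tracks Michael MIC failures the way an AP or station is required to."""

    def __init__(self) -> None:
        self.first_failure: Optional[float] = None  # start of the open 60 s window
        self.halted_until: float = 0.0              # end of the current halt, if any
        self.halts: List[float] = []                # time each halt started

    def is_halted(self, now: float) -> bool:
        return now < self.halted_until

    def on_mic_failure(self, now: float) -> bool:
        """Handle a frame whose Michael MIC failed; return True if a halt starts."""
        if self.is_halted(now):
            return False  # keys already discarded: the frame is dropped unprocessed
        if self.first_failure is not None and now - self.first_failure < MIC_FAILURE_WINDOW:
            # Second failure within 60 s: assume active forgery, stop TKIP, re-key.
            self.halted_until = now + HALT_SECONDS
            self.halts.append(now)
            self.first_failure = None
            return True
        self.first_failure = now  # a lone failure only opens the window
        return False

    def downtime(self) -> float:
        return HALT_SECONDS * len(self.halts)  # halts never overlap


def simulate(failure_times: List[float]) -> TkipReceiver:
    """Feed a timeline of MIC-failure events (seconds) to a fresh receiver."""
    rx = TkipReceiver()
    for t in failure_times:
        rx.on_mic_failure(t)
    return rx


# Constructed timelines: one corrupted frame, versus bad-MIC frames every 30 s.
STRAY_FRAME = [12.0]            # no halt: a single failure only opens the window
TWO_PER_MINUTE = [0.0, 30.0, 60.0, 90.0, 120.0, 150.0]  # halts at 30 s and 120 s
```

Running `simulate(TWO_PER_MINUTE)` gives halts starting at 30 s and 120 s (120 s of downtime over the timeline), while `simulate(STRAY_FRAME)` halts nothing: a single corrupted frame never trips the countermeasure, which is why the standard counts two failures rather than one.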

04. Legal and ethical considerations

▸ Be aware — "I just want to try it" is the most expensive curiosity of your life

The Michael shutdown attack runs on a single cheap Wi-Fi card and free OSS and works with just a handful of packets, so it's tempting to "try it on an old AP nearby." But the moment you fire it at someone else's Wi-Fi, it is a crime. The only places to learn legally are (1) an AP you own and administer, and (2) a target you have written authorization for under a pentest contract.

  • Radio Act Article 109 (radio interference / obstruction of wireless communication) — interfering with another person's wireless communication can fall under this provision. The Michael shutdown attack deliberately halts another party's AP TKIP communication every 60 seconds, which is textbook radio interference.
  • Forcible obstruction of business (Penal Code Article 234) — deliberately disrupting the Wi-Fi of a commercial facility or office can additionally raise this offense.
  • "It's a niche attack that only hits TKIP, so it's minor" is wrong — even with a narrow attack surface, the act of halting someone else's communication is no less illegal than a deauth.
▸ Targets you may run this against
  • An AP you own and administer — a TKIP AP you stood up yourself for testing, an isolated learning lab.
  • Targets you have explicit written permission for — a pentest contract where the scope (target BSSIDs, period) is documented.
  • Anything else — firing at someone else's Wi-Fi — is illegal. The APs at a cafe, hotel, or a neighbor's house are out of scope.
05. Execution — mdk4 mode m and a comparison with the deauth flood

The classic implementation is the mdk3 / mdk4 toolkit. Attack mode m corresponds to "Michael shutdown exploitation (TKIP)." As a prerequisite, the interface must first be in monitor mode.

Prerequisite: switch to monitor mode

    # Put the Wi-Fi card into monitor mode (creates wlan0mon)
    $ airmon-ng start wlan0

mdk4 mode m — Michael shutdown

    # mdk4: interface -> mode m -> -t for the target BSSID
    $ mdk4 wlan0mon m -t <BSSID>
    # -j  enable TKIP QoS exploitation (triggers faster)
    # -s  set the packet rate (packets per second)
    # older mdk3 syntax: mdk3 wlan0mon m -t <BSSID>

| Main options for mode m | Effect |
|---|---|
| -t <BSSID> | Specify the target AP's BSSID |
| -j | Enable TKIP QoS exploitation (triggers faster) |
| -s | Set the packet rate (packets per second) |

Comparison with the deauth flood

Both are Wi-Fi DoS, but the deauth flood and the Michael shutdown attack differ sharply in nature.

| Aspect | Deauth flood | Michael shutdown |
|---|---|---|
| Injection volume needed | Continuous, high (hundreds–thousands/sec) | About two packets per minute |
| Ease of detection | Easily detected by the burst of deauths | Low volume evades simple deauth detection |
| Target | Any Wi-Fi without PMF | TKIP only (WPA/WPA1, WPA2-TKIP) |
| Basis of the halt | Overpowers with frame volume | Weaponizes the standard-mandated 60-second halt |

▸ Why it is "elegant yet dangerous"

A deauth flood requires continuous high-rate injection and is easily spotted by a WIDS. The Michael attack, by contrast, needs only two packets per minute and slips past simple deauth detection. And the 60-second shutdown is behavior mandated by the standard itself — the attacker is weaponizing the defense mechanism. That is why it is called the "minimal-move stealth DoS." The decisive difference from the more general deauth, however, is that its impact is limited to TKIP.

06. Defenses — drop TKIP (WPA2-AES / WPA3) and WIDS

The fundamental fix is clear: if you don't use TKIP at all, there is no Michael and no countermeasure, and this attack surface disappears entirely.

▸ For first-timers — the one setting to change on a home AP

In your home Wi-Fi router's admin panel, set the cipher to "WPA2-AES (CCMP) only" or "WPA3." If you have "WPA/WPA2 mixed" or "TKIP+AES" selected, TKIP stays enabled and the network remains a target for the Michael shutdown attack. "Can you fully disable TKIP" is the litmus test for resilience against this attack.

| Defense | What it is | Effect |
|---|---|---|
| Disable TKIP entirely | Use WPA2-AES (CCMP) only, or WPA3 | Removes the attack surface completely |
| WIDS / monitoring | Flag repeated MIC-failure events | Detection when TKIP can't be removed |
| Rate-limit / logging | Vendor implementations limit/log countermeasure triggers | Implementation-dependent mitigation |

▸ Second-best measures when TKIP can't be removed

If TKIP can't be fully removed (e.g. for legacy-device compatibility), use a WIDS (Wireless IDS) to detect repeated MIC-failure events. A short burst of consecutive MIC failures is a textbook sign of the Michael attack. Some vendor implementations also rate-limit or log countermeasure triggers. But these are only mitigations — the only fundamental fix is "drop TKIP."
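One way to implement the "flag repeated MIC-failure events" detection above, as an added example (not the page's own code or any vendor's WIDS rule): the Python below parses AP log lines, raises an alert whenever two MIC failures on one interface fall within the standard's 60-second window, and escalates when such trips repeat within five minutes, which is the low-rate signature of this attack rather than a stray corrupted frame. The sample log lines are constructed in a hostapd-like style; the exact message text of real hostapd or vendor logs may differ and the regex would need adjusting.

```python
"""Detector for repeated TKIP MIC-failure events in AP logs, as an added
example for this article (not the page's own code or a vendor WIDS rule).
The log lines are constructed in a hostapd-like style; real formats vary."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, List

# Constructed sample: timestamp, host, daemon, interface, station, event.
SAMPLE_LOG = """\
2026-06-08T10:00:00 ap1 hostapd: wlan0: STA 02:00:00:00:00:aa Michael MIC failure detected in received frame
2026-06-08T10:00:31 ap1 hostapd: wlan0: STA 02:00:00:00:00:aa Michael MIC failure detected in received frame
2026-06-08T10:00:31 ap1 hostapd: wlan0: TKIP countermeasures initiated
2026-06-08T10:02:05 ap1 hostapd: wlan0: STA 02:00:00:00:00:aa Michael MIC failure detected in received frame
2026-06-08T10:02:40 ap1 hostapd: wlan0: STA 02:00:00:00:00:aa Michael MIC failure detected in received frame
2026-06-08T10:02:40 ap1 hostapd: wlan0: TKIP countermeasures initiated
2026-06-08T11:30:00 ap1 hostapd: wlan1: STA 02:00:00:00:00:bb Michael MIC failure detected in received frame
"""
LINE_RE = re.compile(r"^(?P<ts>\S+) \S+ hostapd: (?P<iface>\w+): STA (?P<sta>[0-9a-f:]{17}) Michael MIC failure")
WINDOW = timedelta(seconds=60)    # the standard's countermeasure window
SUSTAINED = timedelta(minutes=5)  # repeated trips inside this span look like a Michael DoS


def detect(log_text: str) -> List[str]:
    """Return one alert per countermeasure-level burst, plus an escalation for repeats."""
    alerts: List[str] = []
    failures: Dict[str, Deque[datetime]] = defaultdict(deque)  # per interface
    trips: Dict[str, Deque[datetime]] = defaultdict(deque)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # other lines, including the AP's own countermeasure notice
        ts, iface = datetime.fromisoformat(m["ts"]), m["iface"]
        recent = failures[iface]
        recent.append(ts)
        while ts - recent[0] >= WINDOW:  # keep only failures inside the 60 s window
            recent.popleft()
        if len(recent) < 2:
            continue
        alerts.append(f"{ts.isoformat()} {iface}: {len(recent)} MIC failures within 60s, countermeasure will trip")
        recent.clear()  # the receiver re-keys after tripping, so start a fresh window
        tq = trips[iface]
        tq.append(ts)
        while ts - tq[0] > SUSTAINED:
            tq.popleft()
        if len(tq) >= 2:
            alerts.append(f"{ts.isoformat()} {iface}: {len(tq)} trips within 5 min, low-rate Michael shutdown pattern; disable TKIP")
    return alerts
```

On the sample, `detect(SAMPLE_LOG)` returns two burst alerts for wlan0 and one escalation, and nothing for the lone failure on wlan1.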

▸ Summary
  • The Michael shutdown attack is a DoS that weaponizes the defense 802.11i added to compensate for TKIP's weak MIC, Michael: "two MIC failures within 60 seconds trip the countermeasure, which shuts TKIP down for 60 seconds."
  • The attacker need only send two frames with an invalid MIC within 60 seconds. At about two packets per minute, a persistent, stealthy disruption holds — with far fewer injections than a deauth flood.
  • The implementation is mdk4 / mdk3 mode m, with monitor mode as a prerequisite.
  • The impact is TKIP only (WPA / WPA1, WPA2-TKIP). WPA2-AES (CCMP) and WPA3 are unaffected, so the fundamental fix is to disable TKIP entirely.
  • Firing at someone else's Wi-Fi falls under Japan's Radio Act Article 109 (radio interference) and similar. Learn only on your own AP or an authorized pentest target.