Mitigating WiFi deauth attacks with Ubiquiti Protected Management Frames (2022)

Takes me back over a decade ago, working for a manufacturer that used a “Wi-Fi setup network” on many of their products, I started encountering early versions of “WIPS” (wireless intrusion prevention systems) that would leverage these deauth techniques in TIFA to prevent connection to rogue (read: our) Wi-Fi networks.

That might sound fine at first glance, so here’s a common scenario we’d have:

During a renovation on a high-rise building, BigCorp, which still occupies office space on that floor, is happily (unknowingly/uncaringly) spamming deauths and even spoofing our BSSID, and to our field techs it would generally just look like “incorrect password”.

I wrote a long internal bulletin about it, mostly geared towards helping our techs (with varying levels of networking knowledge) identify the issue and get to someone in IT to help.

This is the easy Wireshark proof if you suspect it:

Filter for deauthentication frames:

`(wlan.fc.type == 0)&&(wlan.fc.type_subtype == 0x0c)`

Especially looking for a reason code of 2, `Previous authentication no longer valid`.
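The same check as the display filter above, applied to raw frame bytes and tallied per BSSID and reason code. This is an added example, not part of the original comment. It assumes each frame starts at the 802.11 header (no radiotap header, no FCS); the sample frames and MAC addresses are constructed.

```python
import struct
from collections import Counter

DEAUTH_TYPE_SUBTYPE = 0x0C  # same value as Wireshark's wlan.fc.type_subtype
REASON_TEXT = {2: "Previous authentication no longer valid"}

def mac(b):
    return ":".join(f"{x:02x}" for x in b)

def parse_deauth(frame):
    """Return a dict for a deauthentication frame, or None for anything else."""
    if len(frame) < 24:                      # shorter than a management header
        return None
    ftype, subtype = (frame[0] >> 2) & 0x3, (frame[0] >> 4) & 0xF
    if ((ftype << 4) | subtype) != DEAUTH_TYPE_SUBTYPE:
        return None
    protected = bool(frame[1] & 0x40)        # Protected Frame bit (set under PMF)
    reason = None
    if not protected and len(frame) >= 26:   # cleartext body: 2-byte reason code
        (reason,) = struct.unpack_from("<H", frame, 24)
    return {"dst": mac(frame[4:10]), "src": mac(frame[10:16]),
            "bssid": mac(frame[16:22]), "protected": protected,
            "reason": reason, "reason_text": REASON_TEXT.get(reason)}

def summarize(frames):
    """Count unprotected deauths per (bssid, reason code)."""
    counts = Counter()
    for f in frames:
        d = parse_deauth(f)
        if d and not d["protected"]:
            counts[(d["bssid"], d["reason"])] += 1
    return counts

def build(fc0, fc1, dst, src, bssid, body):
    """Assemble a constructed sample frame: FC, duration, 3 addresses, seq, body."""
    return bytes([fc0, fc1, 0, 0]) + dst + src + bssid + b"\x00\x00" + body

AP = bytes.fromhex("020000000001")   # constructed, locally administered MACs
STA = bytes.fromhex("020000000002")
SAMPLE = [
    build(0xC0, 0x00, STA, AP, AP, struct.pack("<H", 2)),  # deauth, reason 2
    build(0xC0, 0x00, STA, AP, AP, struct.pack("<H", 2)),  # deauth, reason 2
    build(0xC0, 0x40, STA, AP, AP, b"\xaa" * 18),          # protected deauth
    build(0x80, 0x00, b"\xff" * 6, AP, AP, b""),           # beacon, ignored
]

if __name__ == "__main__":
    for (bssid, reason), n in summarize(SAMPLE).items():
        print(bssid, reason, REASON_TEXT.get(reason, "other"), n)
```

A burst of unprotected reason-2 deauths that claim your own BSSID as the source is the pattern the comment describes; frames with the Protected bit set have an encrypted body, so their reason code is not read here.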