The wireless Deauthentication/Disassociation frame sent by an AP to the user device is unicast.
In the recent past, I visited one of my customers, who had complained that Apple devices could not connect to access points in specific areas, although Apple devices had no issues in other regions of the same premises.
I visited the particular area the customer referred to and interviewed a few users about their experience of wireless connectivity.
Most of the users were using Android phones, and very few were using iPhones.
The Android users said that establishing a wireless connection took a long time.
Luckily, one specific user was unable to connect to the wireless network, so we collected air captures using a MacBook during the issue.
In the air captures, we saw Deauthentication broadcast frames (unusual) sent by the access point on 5 GHz channel 40.
A few questions were raised in everyone's mind:
1) Why are only iPhones (specific users) affected by the Deauthentication broadcast frames but not Android phones?
Our observation: when Android phones try to establish a wireless connection on 5 GHz and receive Deauthentication broadcast frames on channel 40, they establish the connection on 2.4 GHz instead. So the users can connect to wireless using Android phones, but it takes a long time.
But the iPhones do not do the same.
We enabled 802.11w, or Management Frame Protection (as Optional), since all the devices on the premises were verified to support 802.11w.
After enabling 802.11w, the user devices were able to connect to the SSID quickly and without any issues.
We can check whether the user device supports 802.11w in the RSN capabilities of its Association Request, as shown below.
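One way to perform this check on captured bytes, as an added example that is not part of the original article: the parser below walks the tagged parameters of an Association Request, finds the RSN element (ID 48) and reads the MFPC/MFPR bits of the RSN Capabilities field. The function names and the sample element bytes (SSID "corp", CCMP, PSK) are constructed for illustration.

```python
import struct

RSN_ELEMENT_ID = 48   # RSN information element (IEEE 802.11)
MFPR = 0x0040         # bit 6: Management Frame Protection Required
MFPC = 0x0080         # bit 7: Management Frame Protection Capable


def find_rsn_element(tagged: bytes):
    """Walk the tagged parameters (ID, length, body) and return the RSN body."""
    pos = 0
    while pos + 2 <= len(tagged):
        elem_id, length = tagged[pos], tagged[pos + 1]
        body = tagged[pos + 2:pos + 2 + length]
        if len(body) < length:
            raise ValueError("truncated information element")
        if elem_id == RSN_ELEMENT_ID:
            return body
        pos += 2 + length
    return None


def pmf_support(tagged: bytes) -> str:
    """Classify a client's 802.11w support from its Association Request elements."""
    rsn = find_rsn_element(tagged)
    if rsn is None:
        return "no RSN element"
    try:
        pos = 2 + 4                                   # version + group cipher suite
        (pairwise,) = struct.unpack_from("<H", rsn, pos)
        pos += 2 + 4 * pairwise                       # pairwise cipher suite list
        (akm,) = struct.unpack_from("<H", rsn, pos)
        pos += 2 + 4 * akm                            # AKM suite list
        (caps,) = struct.unpack_from("<H", rsn, pos)  # RSN Capabilities, little-endian
    except struct.error:
        return "RSN capabilities absent"
    if caps & MFPR:
        return "802.11w required"
    return "802.11w capable" if caps & MFPC else "802.11w not supported"


def sample(caps: int) -> bytes:
    # Constructed: version 1 | group CCMP | 1 pairwise: CCMP | 1 AKM: PSK | capabilities
    rsn = bytes.fromhex("0100000fac040100000fac040100000fac02") + struct.pack("<H", caps)
    return bytes([0, 4]) + b"corp" + bytes([RSN_ELEMENT_ID, len(rsn)]) + rsn


if __name__ == "__main__":
    for caps in (0x0000, 0x0080, 0x00C0):
        print(f"caps=0x{caps:04x}: {pmf_support(sample(caps))}")
```

A client reporting "802.11w not supported" cannot use protected management frames, so it would be unable to join if protection were set to Required rather than Optional.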
2) Why is only a specific access point behaving unusually, given that access points do not send Deauthentication broadcast frames all the time on 5 GHz?
The air captures helped to isolate the issue: it was not the actual access point sending the Deauthentication broadcast frames. Some other device was sending Deauthentication broadcast frames using the access point's BSSID on 5 GHz, which is typically known as a Deauthentication broadcast attack.
In the air captures, we see that the SNR for the Deauthentication broadcast frames is 7 dB, while all other frames were around 48 dB. Because we took the air captures very near the access point, we were confident that the frames with 7 dB SNR were not from the actual access point.
[Figure: SNR of the Deauthentication broadcast frame]
Thanks for going through the article. Do like or leave your feedback (good or bad) to improve.