Threat Intelligence bulletin: WiFi protocol 802.11 security design flaw

Overview

IEEE 802.11 is the commonly implemented protocol for WiFi. Researchers have recently discovered a design flaw in this protocol. The standard includes a power-saving mechanism under which the WiFi receiver queues and buffers data destined for a sleeping device.

Attackers can impersonate the sleeping device and convince the receiver to decrypt the queued data.

Impact

WiFi receivers encapsulate data into frames. These frames contain everything the protocol requires to send the data to the intended target. Alongside the data payload, this includes source/destination MAC addresses and general information describing how the frame should be handled.

A power saving mechanism is implemented in the 802.11 standard that allows devices to inform a WiFi receiver that the device is sleeping. The WiFi receiver will then queue any frames intended for the device. Once the device wakes up, the data is transmitted in the order it was queued.

An attacker can impersonate a sleeping device and force the WiFi receiver to send the queued packets unencrypted. Any unencrypted traffic that travels the network is at risk of capture and manipulation.

Affected Products

Wireless receivers that implement the 802.11 IEEE standard.

Containment, Mitigations & Remediations

Local traffic should be protected by an additional layer of encryption wherever possible. This ensures that any WiFi frames intercepted in cleartext carry data payloads that are still encrypted by another mechanism.

Indicators of Compromise

No direct IoCs can be attributed to this vulnerability.
Unusual ARP entries on Wireless Access Points may indicate that an attacker has attempted to impersonate a device.
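The following Python is an added detection example and is not part of the original bulletin. It decodes the 802.11 frame-control flags (Power Management and Protected Frame bits) and MAC addresses described above, tracks which stations have announced power save, and flags downlink data frames delivered in the clear to a station that previously exchanged encrypted frames. The MAC addresses and the frame sequence are constructed for the example.

```python
import struct
from dataclasses import dataclass

# Flag bits in the second byte of the 802.11 Frame Control field.
FLAG_TO_DS, FLAG_FROM_DS = 0x01, 0x02
FLAG_POWER_MGMT, FLAG_PROTECTED = 0x10, 0x40
TYPE_DATA = 2  # frame type 2 = data (subtype 4 = null function, 8 = QoS data)

@dataclass
class Frame:
    ftype: int
    subtype: int
    flags: int
    addr1: str
    addr2: str
    addr3: str

def parse_header(raw: bytes) -> Frame:
    """Decode the fixed 24-byte part of an 802.11 MAC header."""
    if len(raw) < 24:
        raise ValueError("truncated 802.11 header")
    fc0, flags = raw[0], raw[1]
    mac = lambda off: raw[off:off + 6].hex(":")
    return Frame((fc0 >> 2) & 0x3, (fc0 >> 4) & 0xF, flags, mac(4), mac(10), mac(16))

def audit(raw_frames):
    """Return (station, had_announced_sleep) for every downlink data frame sent
    unprotected to a station that earlier exchanged protected (encrypted) data."""
    protected_seen, announced_sleep, alerts = set(), set(), []
    for raw in raw_frames:
        f = parse_header(raw)
        if f.ftype != TYPE_DATA:
            continue
        if f.flags & FLAG_TO_DS:            # uplink: addr2 is the station
            if f.flags & FLAG_POWER_MGMT:
                announced_sleep.add(f.addr2)
            if f.flags & FLAG_PROTECTED:
                protected_seen.add(f.addr2)
        elif f.flags & FLAG_FROM_DS:        # downlink: addr1 is the station
            if f.flags & FLAG_PROTECTED:
                protected_seen.add(f.addr1)
            elif f.addr1 in protected_seen:
                alerts.append((f.addr1, f.addr1 in announced_sleep))
    return alerts

def build_header(ftype, subtype, flags, addr1, addr2, addr3):
    """Construct a 24-byte header; used only to build the constructed sample below."""
    macs = b"".join(bytes.fromhex(a.replace(":", "")) for a in (addr1, addr2, addr3))
    return bytes([(ftype << 2) | (subtype << 4), flags]) + struct.pack("<H", 0) + macs + struct.pack("<H", 0)

AP, STA = "02:00:00:00:aa:01", "02:00:00:00:bb:02"   # constructed, locally administered MACs
SAMPLE = [
    build_header(2, 8, FLAG_TO_DS | FLAG_PROTECTED, AP, STA, AP),    # station sends encrypted QoS data
    build_header(2, 8, FLAG_FROM_DS | FLAG_PROTECTED, STA, AP, AP),  # AP replies encrypted
    build_header(2, 4, FLAG_TO_DS | FLAG_POWER_MGMT, AP, STA, AP),   # null frame: station enters power save
    build_header(2, 4, FLAG_TO_DS, AP, STA, AP),                     # null frame with PM clear: wake-up (genuine or spoofed)
    build_header(2, 8, FLAG_FROM_DS, STA, AP, AP),                   # queued frame released without the Protected bit
]
```

Running `audit(SAMPLE)` on the constructed capture reports the final frame as an unprotected delivery to a station that had announced power save.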

Threat Landscape

The 802.11 IEEE standard is present in virtually all WiFi receivers. This attack requires a high level of sophistication. It is likely that tools and techniques will be developed in the future to exploit this security flaw.

The nature of this security flaw and the devices it affects means this will be exploitable for some time.

Mitre Methodologies

TA0007 – Discovery

TA0009 – Collection

Further Information

Framing Frames: Bypassing Wi-Fi Encryption by Manipulating Transmit Queues
