A deauthentication (deauth) attack works by exploiting a design flaw in Wi-Fi: the management frames that control connections between your device and a router are sent unencrypted and unauthenticated. An attacker spoofs the router’s identity and sends forged “disconnect” commands to kick devices off the network. The attack requires no password, no network access, and can be performed with cheap, widely available hardware.
The Vulnerability Behind It
Wi-Fi networks use three types of frames: data frames (your actual internet traffic), control frames (coordination signals), and management frames (connection setup and teardown). Your data traffic can be encrypted with a password, but management frames, including authentication, deauthentication, association, and disassociation, were originally designed to be transmitted in the open. Every nearby device needs to hear and understand them, so they’re sent as plaintext with no way to verify who actually sent them.
This means neither a router nor a client device can distinguish a legitimate disconnect request from a forged one. If an attacker sends a deauthentication frame that appears to come from the router’s MAC address, your device accepts it without question and drops the connection. The attacker just needs two pieces of information, both visible in the clear to anyone in range: the router’s MAC address and the target device’s MAC address.
What Happens During the Attack
The attacker starts by putting a wireless adapter into monitor mode, which lets it passively listen to all Wi-Fi traffic in range. This reveals every nearby network and every device connected to it, along with their MAC addresses. No interaction with the network is required for this step.
With those addresses in hand, the attacker crafts deauthentication frames. These are a specific subtype of management frame (subtype 1100 in binary, i.e. 12, in the IEEE 802.11 standard) that tells a device its session is being terminated. The attacker can target a single device by specifying its MAC address, or broadcast the frame to disconnect every client on the network simultaneously. Tools like aireplay-ng let an attacker set the target access point, destination device, and even the number of packets sent per second. The attack can send a single burst of disconnect packets or flood them continuously, making reconnection impossible as long as the attack is running.
From the victim’s perspective, the Wi-Fi icon drops out. The device tries to reconnect automatically, but each reconnection attempt gets immediately killed by another spoofed frame. The network appears to be malfunctioning or out of range.
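The flood pattern described above is also what makes the attack detectable from a monitoring sensor. The following is an added example, not part of the original article: it parses raw 802.11 frame headers, picks out unprotected deauthentication and disassociation frames, and flags any access point/client pair that receives a burst of them. The function names, the window and threshold values, and the sample frames are assumptions made for illustration.

```python
import struct
from collections import defaultdict

DEAUTH, DISASSOC = 0b1100, 0b1010  # management-frame subtypes (frame type 0b00)

def mac(raw):
    return ":".join(f"{b:02x}" for b in raw)

def parse_teardown(frame):
    """Parse an 802.11 frame (no radiotap header, no FCS).
    Returns a dict for deauth/disassoc frames, None for anything else."""
    if len(frame) < 26:  # 24-byte management header + 2-byte reason code
        return None
    version, ftype, subtype = frame[0] & 3, (frame[0] >> 2) & 3, frame[0] >> 4
    if version != 0 or ftype != 0 or subtype not in (DEAUTH, DISASSOC):
        return None
    protected = bool(frame[1] & 0x40)  # Protected Frame bit: body is encrypted
    return {
        "subtype": subtype, "dst": mac(frame[4:10]), "src": mac(frame[10:16]),
        "bssid": mac(frame[16:22]), "protected": protected,
        # the reason code is only readable when the body is not encrypted
        "reason": None if protected else struct.unpack_from("<H", frame, 24)[0],
    }

def detect_floods(capture, window=1.0, threshold=10):
    """capture: time-ordered (timestamp_seconds, frame_bytes) pairs.
    Returns {(bssid, dst): peak unprotected teardown frames seen within `window`}."""
    recent, alerts = defaultdict(list), {}
    for ts, frame in capture:
        info = parse_teardown(frame)
        if info is None or info["protected"]:
            continue
        key = (info["bssid"], info["dst"])
        times = recent[key]
        times.append(ts)
        while ts - times[0] > window:  # drop timestamps that left the window
            times.pop(0)
        if len(times) >= threshold:
            alerts[key] = max(alerts.get(key, 0), len(times))
    return alerts

# Constructed sample frames (locally administered MACs, not from a real capture).
DEAUTH_TO_STA1 = bytes.fromhex("c0000000" "020000000001" "0200000000aa" "0200000000aa" "0000" "0700")
DEAUTH_TO_STA2 = bytes.fromhex("c0000000" "020000000002" "0200000000aa" "0200000000aa" "0000" "0300")
BEACON = bytes.fromhex("80000000" "ffffffffffff" "0200000000aa" "0200000000aa" "0000" "0000")

def sample_capture():
    burst = [(i * 0.05, DEAUTH_TO_STA1) for i in range(20)]  # 20 frames in under 1 s
    return burst + [(2.0, BEACON), (5.0, DEAUTH_TO_STA2)]    # one isolated deauth

if __name__ == "__main__":
    for (bssid, dst), n in detect_floods(sample_capture()).items():
        print(f"deauth flood: bssid={bssid} target={dst} peak={n} frames/window")
```

A single teardown frame is normal when a client roams or an access point restarts, which is why the detector alerts on rate per target rather than on every frame.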
Why Attackers Use It
A deauth attack on its own is just a disruption, like cutting someone’s phone line. But it becomes far more dangerous as a stepping stone for other attacks.
The most common follow-up is an evil twin attack. The attacker sets up a fake access point with the same network name as the legitimate one, then deauths everyone off the real network. When victims’ devices try to reconnect, they latch onto the fake network instead, since it’s broadcasting the same name and is often closer with a stronger signal. Once connected to the attacker’s access point, all traffic flows through their hardware. They can capture unencrypted usernames, passwords, and session cookies, or manipulate the content of web pages in real time through a man-in-the-middle position.
Deauth attacks are also used to capture the WPA2 handshake. When a device reconnects to a legitimate network, it exchanges a four-way cryptographic handshake with the router. An attacker listening in monitor mode can capture this handshake, then attempt to crack the network password offline. Forcing a reconnection through deauthentication is often the fastest way to grab one.
The Hardware Is Cheap and Accessible
One of the reasons deauth attacks are so common is that they require minimal equipment. The ESP8266, a microcontroller that costs a few dollars, can send deauthentication frames on 2.4 GHz Wi-Fi networks. Open-source firmware turns it into a pocket-sized deauth tool with a web interface. Its main limitation is that it only works on 2.4 GHz. It cannot target 5 GHz networks, and it can’t simultaneously host its control interface and sniff for targets.
More capable setups use standard laptop Wi-Fi adapters or USB dongles that support monitor mode and packet injection. Dual-band adapters based on certain Realtek chipsets (like the rtl8812au) can target both 2.4 GHz and 5 GHz networks, though they require specific drivers and are more expensive. A Raspberry Pi with the right Wi-Fi module can also serve as a dual-band platform.
How WPA3 and Protected Management Frames Fix This
The core fix is called Protected Management Frames (PMF), introduced in the IEEE 802.11w amendment. PMF encrypts the management frames used for disconnection using the same trusted keys established when a device joins the network. When a router or client with PMF enabled receives a deauthentication frame, it decrypts and validates the frame against those keys. A forged frame from an attacker, who doesn’t possess the keys, fails validation and gets ignored.
Since July 2020, every device certified under WPA3 is required to support PMF. In WPA3-Personal mode, PMF is mandatory by default, meaning only devices capable of protected management frames can connect. This effectively eliminates deauth attacks on WPA3-only networks. Wi-Fi 6 (802.11ax) certified devices also require PMF support.
The catch is backward compatibility. Many networks still run WPA2, or WPA2/WPA3 transition mode, which may allow older devices that don’t support PMF. As long as unprotected clients are permitted on a network, the vulnerability remains partially open. Networks that enforce WPA3-only connections with mandatory PMF are fully protected.
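Whether a network falls into the protected or the partially open category can be read from the RSN information element it advertises in its beacons. The following is an added example, not part of the original article: it parses that element and classifies PMF as disabled, optional (transition mode), or required, using the two PMF bits of the RSN Capabilities field. The function names and the three sample elements are constructed for illustration, and the parser assumes every field up to RSN Capabilities is present.

```python
import struct

MFPC, MFPR = 0x0080, 0x0040  # RSN Capabilities bits: PMF capable / PMF required
AKM = {1: "802.1X", 2: "PSK", 6: "PSK-SHA256", 8: "SAE"}  # suites under OUI 00-0F-AC

def parse_rsn(ie):
    """Parse an RSN element (ID 48). Returns (akm_names, pmf_capable, pmf_required).
    Assumes every field up to RSN Capabilities is present, as in typical beacons."""
    if len(ie) < 2 or ie[0] != 48 or ie[1] != len(ie) - 2:
        raise ValueError("not a well-formed RSN element")
    body, pos = ie[2:], 0

    def take(n):
        nonlocal pos
        if pos + n > len(body):
            raise ValueError("truncated RSN element")
        pos += n
        return body[pos - n:pos]

    take(2)                                    # version
    take(4)                                    # group data cipher suite
    take(4 * struct.unpack("<H", take(2))[0])  # pairwise cipher suite list
    akms = []
    for _ in range(struct.unpack("<H", take(2))[0]):
        suite = take(4)
        known = suite[:3] == b"\x00\x0f\xac"
        akms.append(AKM.get(suite[3], "other") if known else "vendor")
    caps = struct.unpack("<H", take(2))[0]
    return akms, bool(caps & MFPC), bool(caps & MFPR)

def pmf_posture(ie):
    """Classify how exposed the network's clients are to forged deauth frames."""
    _, capable, required = parse_rsn(ie)
    if required:
        return "required"   # only PMF clients may join; forged teardown is rejected
    if capable:
        return "optional"   # transition mode: non-PMF clients remain exposed
    return "disabled"       # every client accepts unauthenticated deauth frames

# Constructed RSN elements (not captured from real networks).
WPA2_ONLY = bytes.fromhex("3014" "0100" "000fac04" "0100" "000fac04" "0100" "000fac02" "0000")
TRANSITION = bytes.fromhex("3018" "0100" "000fac04" "0100" "000fac04" "0200" "000fac02" "000fac08" "8000")
WPA3_ONLY = bytes.fromhex("3014" "0100" "000fac04" "0100" "000fac04" "0100" "000fac08" "c000")

if __name__ == "__main__":
    for name, ie in [("WPA2", WPA2_ONLY), ("WPA2/WPA3", TRANSITION), ("WPA3", WPA3_ONLY)]:
        print(f"{name:10s} akm={parse_rsn(ie)[0]} pmf={pmf_posture(ie)}")
```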
Legal Status
In the United States, the FCC has explicitly warned that Wi-Fi blocking is prohibited. Intentionally interfering with Wi-Fi connections, whether through jamming or deauthentication, violates federal law. The FCC has taken enforcement action against businesses that used deauth techniques to force customers onto paid networks. The prohibition applies regardless of whether the attacker owns the physical space where the network operates.
Deauth tools are legal to possess and are widely used in legitimate security testing and penetration testing with explicit authorization. Using them against networks you don’t own or don’t have written permission to test is illegal in most jurisdictions.

