6 GHz Wi-Fi Automated Frequency Coordination Trusts Unvalidated Client Data, Enabling Location Spoofing Attacks
Automated Frequency Coordination systems for 6 GHz Wi-Fi accept client-supplied location data without proper validation, allowing attackers to spoof their position and disrupt spectrum access for legitimate users and critical infrastructure.
Affected
The 6 GHz Wi-Fi spectrum was opened for unlicensed use in multiple jurisdictions to expand available bandwidth for consumer and enterprise wireless. To manage potential interference with incumbents like fixed satellite and weather radar systems, regulators mandated Automated Frequency Coordination (AFC) as a gatekeeper: devices must query an AFC server before transmitting, providing their location so the server can determine safe power levels and channels. The critical flaw is that AFC systems by default trust the client device to truthfully report its location without independent verification.
An attacker can transmit location coordinates that do not match their physical position, causing the AFC server to authorise transmissions that would otherwise be blocked. If the spoofed location places the attacker in a region where higher power levels are permissible, or where certain channels are available, the attacker gains access they should not have. More significantly, an attacker can report themselves as being far from protected services (radar stations, satellite earth stations) when they are actually in close proximity, bypassing power restrictions designed to prevent interference.
The attack surface extends to critical infrastructure because 6 GHz spectrum is increasingly deployed in industrial, aviation, and telecommunications settings. Disrupting frequency coordination could degrade weather radar observations, satellite uplinks for emergency services, or licensed wireless operations that share the spectrum band. The attack requires only the ability to modify location claims sent to the AFC server, which is a straightforward protocol manipulation and requires no physical coercion or compromise of network infrastructure.
Defenders should treat AFC location validation as a cryptographic problem, not a trust problem. AFC operators must implement cryptographic proof of location (such as GPS signature verification with tamper-evident hardware) and cross-reference client locations against known network topology and signal strength characteristics. Device manufacturers should lock location APIs to certified services and disable manual spoofing. Regulators should mandate AFC servers to reject or downgrade trust in location data that cannot be cryptographically verified or that shows statistical anomalies.
This vulnerability reveals a broader pattern: spectrum management was designed around the assumption that spectrum belongs to regulated entities who police themselves. Unlicensed spectrum introduces a game-theoretic environment where individual users benefit from misrepresenting their location, and the protocol has no mechanism to detect or punish this behaviour. The flaw is architectural rather than implementational, meaning patches alone will not resolve it without protocol redesign.
Sources