Papers
Topics
Authors
Recent
Search
2000 character limit reached

Automated Frequency Coordination in Wi‑Fi 6E/7

Updated 4 July 2026
  • The paper exposes a critical vulnerability where AFC’s reliance on unverified GPS location enables inexpensive spoofing attacks affecting spectrum grants.
  • Experiments using tools like GPS-SDR-SIM demonstrate that manipulated location data can either grant excessive EIRP or trigger denial-of-service, misaligning interference protection.
  • Mitigation strategies such as geofencing, multi-AP spoofing detection, and cross-verification of location inputs are proposed to enhance AFC security.

Automated Frequency Coordination (AFC) is a cloud-based control system for standard-power Wi‑Fi 6E and Wi‑Fi 7 operation in the 6 GHz band. In the U.S. framework, AFC assigns safe frequency channels and maximum Equivalent Isotropically Radiated Power (EIRP) to a Wi‑Fi access point (AP) on the basis of AP-reported location and device parameters, so that unlicensed operation does not cause harmful interference to incumbent licensed systems such as Fixed Service point-to-point microwave links, public safety communications, utility telemetry, smart grid infrastructure, and radio astronomy observatories. The paper "GPS Spoofing Attacks on Automated Frequency Coordination System in Wi-Fi 6E and Beyond" identifies a central assumption in this architecture: the AP’s GPS-based location is treated as trustworthy. It argues that this assumption is fragile, and demonstrates that inexpensive GPS spoofing can alter AFC outcomes without breaking cryptography or compromising the AFC server (Dong et al., 2 Sep 2025).

1. Regulatory role in 6 GHz spectrum sharing

The FCC opened 5.925–7.125 GHz for unlicensed use in 2020, enabling Wi‑Fi 6E and Wi‑Fi 7 to use up to 1.2 GHz of additional spectrum, including 80/160/320 MHz channels (Dong et al., 2 Sep 2025). The same band is already used by incumbent licensed systems, including Fixed Service microwave links used for cellular backhaul and wireless ISP backhaul, public safety communications, utility telemetry and smart grid infrastructure, and radio astronomy in special protected sub-bands or zones (Dong et al., 2 Sep 2025). These incumbent links are described as mission-critical, and interference can cause loss of connectivity, safety hazards, or power-grid issues (Dong et al., 2 Sep 2025).

Within 47 CFR §15.407 and FCC 20‑51, the regulatory distinction is between standard-power APs and lower-power classes. Standard-Power APs may operate indoors or outdoors, may use up to 36 dBm EIRP, and must be under the control of an AFC system before transmitting in 6 GHz (Dong et al., 2 Sep 2025). By contrast, Low Power Indoor and Very Low Power devices operate under generic lower-power rules and do not use AFC in the current rules (Dong et al., 2 Sep 2025). The experiments in the cited work concern only standard-power APs (Dong et al., 2 Sep 2025).

AFC protects incumbents by combining an authoritative incumbent database with propagation models. The National Regulatory Authority maintains the database of protected links and special protection zones, while AFC computes which channels are safe and what maximum EIRP is permissible at a reported AP location (Dong et al., 2 Sep 2025). The protection criterion is stated in terms of interference-to-noise ratio:

“A properly designed AFC system shall ensure the interference-to-noise ratio (I/N) is less than 6 dB for all protected devices.” (Dong et al., 2 Sep 2025)

In simplified link-budget form, the received interference at an incumbent receiver is represented as

Prx,FS=Ptx,AP+Gt,AP+Gr,FSL(d,f)LotherP_{rx,\text{FS}} = P_{tx,\text{AP}} + G_{t,\text{AP}} + G_{r,\text{FS}} - L(d,f) - L_\text{other}

and AFC enforces

IN=Prx,FSN0B<I/Nmax=6 dB.\frac{I}{N} = \frac{P_{rx,\text{FS}}}{N_0 B} < I/N_{\text{max}} = 6 \text{ dB}.

Here, Ptx,APP_{tx,\text{AP}} is AP transmit EIRP, Gr,FSG_{r,\text{FS}} is FS receive antenna gain, L(d,f)L(d,f) is path loss as a function of distance and frequency, LotherL_\text{other} includes clutter and building loss, and N0BN_0 B is the incumbent receiver noise power (Dong et al., 2 Sep 2025). This formulation makes clear that AFC is fundamentally a location-dependent interference budgeting mechanism.

2. System architecture and authorization workflow

The AFC ecosystem described in the paper comprises four actors: the AP as AFC client, the AFC Operator or AFC Server in the cloud, the National Regulatory Authority, and incumbent systems (Dong et al., 2 Sep 2025). The AP has a GPS receiver or other location source, implements the AFC client protocol, and communicates with the AFC server over TLS. The AFC server receives inquiries, queries incumbent databases, performs propagation and interference calculations, and returns allowed spectrum and power. The National Regulatory Authority maintains the incumbent database and certifies AFC operators. Incumbent systems remain passive and are protected through the database and AFC computations (Dong et al., 2 Sep 2025).

The AP authorization process begins with location determination, primarily via GPS. The AP determines latitude, longitude, height, location uncertainty, and GPS time (Dong et al., 2 Sep 2025). The uncertainty may be represented as an ellipse, and the paper gives an example console output:

IN=Prx,FSN0B<I/Nmax=6 dB.\frac{I}{N} = \frac{P_{rx,\text{FS}}}{N_0 B} < I/N_{\text{max}} = 6 \text{ dB}.4

The AP then composes an availableSpectrumInquiryRequest containing AP identity or device class, country code or regulatory domain if known, location information, antenna type or gain, maximum EIRP capability, PHY type, and required metadata under WINNF-TS-1014 and the Wi‑Fi Alliance afc_spec (Dong et al., 2 Sep 2025). Transport security is explicitly strong: AP and AFC server establish a TLS session, and AP–AFC communication is described as “mutually authenticated, encrypted, and integrity-protected” under REQ1 (Dong et al., 2 Sep 2025).

On receiving the request, the AFC server queries the National Regulatory Authority database for relevant incumbents and protection zones, selects a propagation model based on AP–incumbent geometry, computes path loss and resultant interference at each incumbent receiver, and derives either maximum allowable EIRP or channel denial so that I/N<6I/N < 6 dB is maintained (Dong et al., 2 Sep 2025). The paper notes that OpenAFC implements “all propagation models required by the specification” (Dong et al., 2 Sep 2025). AFC also applies rules such as Special Incumbent Protection, including radio astronomy exclusion zones in which 6650–6675.2 MHz is prohibited (Dong et al., 2 Sep 2025).

The availableSpectrumInquiryResponse returns allowed channels and associated maximum EIRP values for each channel bandwidth. For a spoofed rural Texas coordinate, the paper reports an outcome in which all 6 GHz channels are allowed and the maximum EIRP is 36.0 dBm across 20, 40, 80, 160, and 320 MHz configurations (Dong et al., 2 Sep 2025). The response also includes present time, expiry time, country code, and AFC state. Grants expire and must be refreshed at least once per day; if they are not updated, the AP must stop transmitting in 6 GHz (Dong et al., 2 Sep 2025). This daily refresh requirement later becomes important in the time-manipulation attack.

3. Security model and the role of trusted location

The threat model in the paper assumes that the AP is otherwise benign, uses secure TLS to communicate with AFC, and that the AFC server and incumbent database are uncompromised (Dong et al., 2 Sep 2025). REQ1–REQ3 are assumed to hold: secure AP–AFC communications, protected databases, and correct internal AFC calculations (Dong et al., 2 Sep 2025). The attacker does not break TLS, modify AFC server logic, directly alter firmware, or poison the regulator’s database (Dong et al., 2 Sep 2025).

The attacker instead controls a GPS spoofer near the AP. The described equipment includes low-cost SDR hardware such as a USRP B210 or even a \$199 Flipper Zero, transmitting counterfeit GPS signals that overshadow legitimate satellite signals, which are easy to dominate because real GPS at ground level is below 100-100 dBm (Dong et al., 2 Sep 2025). The attacker can choose arbitrary latitude, longitude, altitude, and GPS time, although timestamp consistency must be managed to satisfy AFC implementations that cross-check time (Dong et al., 2 Sep 2025).

The security significance of GPS follows directly from the AFC computation pipeline. The server’s decision is essentially a function of AP location and height, AP class and antenna information, and the incumbent database (Dong et al., 2 Sep 2025). If the location is wrong, the interference computation is systematically wrong. The paper therefore characterizes location as a security-critical parameter and argues that AFC lacks cryptographic or physical attestation of where the AP actually is (Dong et al., 2 Sep 2025). Message integrity is strong, but sensor integrity is weak (Dong et al., 2 Sep 2025).

This distinction is central to the paper’s analysis. AFC security requirements are server-centric and transport-centric: confidentiality, integrity, and mutual authentication for AP↔AFC communication; database protection; and correct spectrum computation (Dong et al., 2 Sep 2025). They do not require tamper-resistant location hardware, signed location proofs, multi-sensor cross-checking, or explicit handling of GPS spoofing as a threat to AFC (Dong et al., 2 Sep 2025). The resulting blind spot is described as an “input-based vulnerability” (Dong et al., 2 Sep 2025). A common misconception is therefore that cryptographic protection of AP–AFC messaging is sufficient; the paper’s evidence indicates that secure transport does not secure the physical origin of the location input.

4. GPS spoofing attack implementation

GPS spoofing in the paper relies on two properties of civil GPS: the signals are unauthenticated, and a receiver cannot readily distinguish genuine satellite signals from higher-power counterfeit signals transmitted from nearby ground equipment (Dong et al., 2 Sep 2025). The attack procedure is concise. First, the attacker generates baseband samples for a chosen spoofed location and time. Second, those samples are transmitted via SDR at sufficient power for the victim receiver to lock onto them rather than the genuine satellites. Third, the AP’s GPS receiver computes the spoofed location as if the signals were authentic (Dong et al., 2 Sep 2025).

The paper identifies GPS-SDR-SIM as the principal tool for generating spoofed signals, including signals for specific coordinates such as 30.086965, 101.103761-101.103761 in rural Texas (Dong et al., 2 Sep 2025). Some AFC implementations reject location data if the GPS timestamp is inconsistent with wall-clock or network time, so the authors generate spoofing samples for a future timestamp and begin transmission exactly at that time (Dong et al., 2 Sep 2025). This allows the AP to report a plausible GPS time when it constructs the AFC request.

The laboratory implementation uses GPS-SDR-SIM, a USRP B210 as GPS transmitter, an HPE Aruba AP‑634 as target AP, and a commercial AFC system in a controlled environment with shielding so that no other devices are affected (Dong et al., 2 Sep 2025). The AP securely communicates with the vendor’s AFC server (Dong et al., 2 Sep 2025). The experimental flow is: activate the spoofer with a chosen fake coordinate, allow the AP to lock onto the counterfeit GPS, let the AP automatically send an availableSpectrumInquiryRequest using the spoofed location, receive the AFC grant, and observe AP operation under the returned spectrum permissions (Dong et al., 2 Sep 2025).

The cited work emphasizes that the attack does not depend on exploiting software flaws in the AP or the AFC operator. The AP and AFC can both be “perfectly honest and properly secured” at higher layers while still producing a harmful outcome because the trusted input is false (Dong et al., 2 Sep 2025). This is the specific sense in which GPS spoofing differs from a network man-in-the-middle or server compromise.

5. Demonstrated effects on spectrum access and service availability

The paper presents three attack classes, labeled A1 through A3, each illustrating a distinct effect of spoofed location or time on AFC-controlled 6 GHz operation (Dong et al., 2 Sep 2025).

Attack Spoofed condition Reported AFC outcome
A1 Rural Texas location All 6 GHz channels allowed; 36.0 dBm EIRP on all bandwidths
A2 China location No channels; no country code; AFC required and expired
A3 Invalid or stale GPS time AFC failure; same effective outcome as A2

In attack A1, the attacker spoofs the AP to a rural area in Texas at IN=Prx,FSN0B<I/Nmax=6 dB.\frac{I}{N} = \frac{P_{rx,\text{FS}}}{N_0 B} < I/N_{\text{max}} = 6 \text{ dB}.0. The AP computes IN=Prx,FSN0B<I/Nmax=6 dB.\frac{I}{N} = \frac{P_{rx,\text{FS}}}{N_0 B} < I/N_{\text{max}} = 6 \text{ dB}.1, approximately 10 m away, which the paper attributes likely to transmitter clock error and notes is within the GPS uncertainty (Dong et al., 2 Sep 2025). The associated AFC response allows all 6 GHz channels in the U.S. channelization and sets maximum EIRP to 36.0 dBm for 20, 40, 80, 160, and 320 MHz bandwidths (Dong et al., 2 Sep 2025). The paper summarizes this as 100% of 6 GHz channels allowed and 36 dBm EIRP on all bandwidths (Dong et al., 2 Sep 2025). The grant shown is valid for about 24 hours, from present time 2025-06-20 05:13:13 to expiry time 2025-06-21 05:10:00, implying that a transient spoof during the daily refresh can establish maximum permissions for an entire day (Dong et al., 2 Sep 2025).

The significance of A1 is not that AFC malfunctions internally. Rather, AFC correctly enforces the rules for the spoofed location. The harm arises if the AP is physically near a sensitive incumbent while holding a grant computed for a relatively unencumbered rural point (Dong et al., 2 Sep 2025). Under those circumstances, actual emissions can exceed the intended IN=Prx,FSN0B<I/Nmax=6 dB.\frac{I}{N} = \frac{P_{rx,\text{FS}}}{N_0 B} < I/N_{\text{max}} = 6 \text{ dB}.2 dB protection objective for an incumbent receiver and may disrupt Fixed Service backhaul, public safety communications, or radio astronomy observations (Dong et al., 2 Sep 2025). The paper does not include direct measurements at an incumbent receiver; it argues from the AFC policy and the location dependence of the path-loss calculation (Dong et al., 2 Sep 2025).

In attack A2, the AP is spoofed into China at an example coordinate of IN=Prx,FSN0B<I/Nmax=6 dB.\frac{I}{N} = \frac{P_{rx,\text{FS}}}{N_0 B} < I/N_{\text{max}} = 6 \text{ dB}.3. Because the AFC system used by the AP is for the U.S. regulatory domain only, the server returns no channels for 6 GHz, no country code, no expiry time, and marks AFC as required and expired (Dong et al., 2 Sep 2025). The AP interprets this as 6 GHz not being allowed and disables 6 GHz operation (Dong et al., 2 Sep 2025). The paper identifies this as a remote denial-of-service attack against the AP’s 6 GHz capability (Dong et al., 2 Sep 2025).

Attack A3 exploits GPS time rather than geographic displacement. GPS-SDR-SIM by default generates signals as if at the start of a day; if transmitted later without adjustment, the AP’s GPS time becomes inconsistent with real time (Dong et al., 2 Sep 2025). The AFC implementation or the AP then rejects or cannot use the AFC response, producing the same effective result as A2: no valid channels and disabled 6 GHz operation (Dong et al., 2 Sep 2025). The paper verifies at least the forward or invalid-time case and notes conceptually that rolling time backward could make a last grant appear not to expire, while pushing time forward could make current grants appear expired (Dong et al., 2 Sep 2025).

These three attacks support a broader distinction between unauthorized access and denial of service. A1 obtains a permissive spectrum grant inappropriate for the AP’s true location, whereas A2 and A3 suppress 6 GHz operation entirely (Dong et al., 2 Sep 2025). In all three cases, the enabling condition is incorrect yet plausible GPS-derived input.

6. Root causes, mitigations, and broader implications

The root cause identified in the paper is a misplaced trust boundary. AFC standards and regulation define secure communication, correct propagation and interference logic, protected databases, and fail-safe behavior when AFC communication fails, but they do not define location attestation or mandatory anti-spoofing mechanisms for the AP’s position source (Dong et al., 2 Sep 2025). The work therefore argues that the system has strong cryptography on AP↔AFC messages but no assurance that the AP’s sensor inputs are correct (Dong et al., 2 Sep 2025).

The paper contrasts GPS spoofing with other AFC attack vectors. Parameter falsification such as lying about antenna gain or height might be mitigated by device certification and limited configuration options, though it is not the focus of the experiments. Man-in-the-middle attacks are considered out of scope when TLS is correctly implemented, and database poisoning is assumed to be prevented by REQ2 and National Regulatory Authority control of incumbent data (Dong et al., 2 Sep 2025). GPS spoofing is distinct because it exploits unauthenticated physical-layer signals, not a software defect, and remains feasible even when the AP and AFC are otherwise honest and secured (Dong et al., 2 Sep 2025).

Several mitigations are proposed as practical measures that raise the bar rather than eliminate the problem. One is AFC-level geofencing. Because most standard-power APs are assumed to be fixed installations, the AFC provider or operator could maintain an expected deployment area for each AP and flag abrupt movement by many kilometers, movement into another country, or movement inconsistent with deployment records (Dong et al., 2 Sep 2025). In response, the AFC could raise an alert, refuse or limit grants, or require manual verification (Dong et al., 2 Sep 2025). The paper notes trade-offs: registration overhead, limited suitability for truly mobile standard-power use, and residual exposure if spoofing remains within the geofence but still alters path-loss materially (Dong et al., 2 Sep 2025).

A second mitigation is multi-AP or multi-receiver spoofing detection. The paper cites prior work by Jansen et al. 2016 indicating that multiple separated receivers sharing information can detect inconsistencies because a single-antenna GPS spoofer cannot preserve the correct angle-of-arrival differences among receivers (Dong et al., 2 Sep 2025). In enterprise Wi‑Fi deployments, groups of APs under the same operator could function as a distributed GPS receiver array. An operator or AFC backend could compare reported distances between APs against known site geometry and detect anomalies such as all APs suddenly reporting identical movement to a common spoofed location or reporting relative positions inconsistent with installation data (Dong et al., 2 Sep 2025). This increases backend complexity and still leaves room for more sophisticated distributed spoofers, but it increases attacker cost (Dong et al., 2 Sep 2025).

The discussion also implies additional directions: multi-source location verification using GPS plus network-based location or manual provisioning, GNSS receivers with spoofing detection, authenticated GNSS signals where available, and explicit location integrity requirements in IEEE 802.11, Wi‑Fi Alliance AFC specifications, WINNF-TS-1014, and FCC rules (Dong et al., 2 Sep 2025). The paper describes physical-layer authentication of location as an open and challenging research problem (Dong et al., 2 Sep 2025).

Beyond Wi‑Fi 6E and Wi‑Fi 7, the findings are presented as relevant to database-driven spectrum sharing more generally. The paper names CBRS SAS at 3.5 GHz and TV White Spaces as comparable geolocation-based frameworks in which incorrect device location could allow transmissions with privileges inappropriate for the device’s true position (Dong et al., 2 Sep 2025). It also notes that GPS spoofing can be used as a tool for independent AFC testing, including boundary testing near protection zones and differential testing against OpenAFC to identify implementation discrepancies (Dong et al., 2 Sep 2025). This suggests that the significance of the work is twofold: it identifies a concrete vulnerability in AFC-controlled 6 GHz Wi‑Fi, and it frames location integrity as a general systems problem for spectrum-sharing architectures that rely on trusted geolocation inputs.

Definition Search Book Streamline Icon: https://streamlinehq.com
References (1)

Topic to Video (Beta)

No one has generated a video about this topic yet.

Whiteboard

No one has generated a whiteboard explanation for this topic yet.

Follow Topic

Get notified by email when new papers are published related to Automated Frequency Coordination (AFC).