12.01 · Wireless & IoT

WiFi Fundamentals

Everything that follows in this module sits on top of IEEE 802.11. Before we can talk about attacks, we have to talk about the frames the radios actually send.

WiFi is shorthand for a family of standards published by the IEEE under the number 802.11. Everything labeled "Wi-Fi 5" or "Wi-Fi 7" is a marketing name for a specific 802.11 amendment. The wireless industry tried renaming things for consumer clarity around 2018; the engineering names did not go away. You will see both in real systems and in vendor docs, and you need to recognize both.

The 802.11 family

Each amendment added higher speeds, better spectrum efficiency, and sometimes a new frequency band. The named attacks later in this module mostly target the management plane, which has been broadly unchanged across these generations — the parts that did change are encryption (covered on the next page) and the physical layer.

Amendment | Marketing name | Year      | Top speed | Bands         | Why it matters
802.11a   | (none)         | 1999      | 54 Mbps   | 5 GHz         | First 5 GHz commercial standard. OFDM modulation.
802.11b   | (none)         | 1999      | 11 Mbps   | 2.4 GHz       | Drove early home WiFi adoption. WEP-era.
802.11g   | (none)         | 2003      | 54 Mbps   | 2.4 GHz       | 2.4 GHz speeds caught up to a; mainstream era.
802.11n   | Wi-Fi 4        | 2009      | 600 Mbps  | 2.4 / 5       | MIMO (multiple antennas), channel bonding (40 MHz).
802.11ac  | Wi-Fi 5        | 2013      | ~3.5 Gbps | 5 GHz         | Wider channels (80/160 MHz), MU-MIMO downstream.
802.11ax  | Wi-Fi 6 / 6E   | 2019/2020 | ~9.6 Gbps | 2.4 / 5 / 6   | OFDMA (subdivides channels), 6 GHz band opens up.
802.11be  | Wi-Fi 7        | 2024      | ~46 Gbps  | 2.4 / 5 / 6   | 320 MHz channels, multi-link operation (MLO), 4K QAM.

There are also subsidiary amendments you'll meet by letter: 802.11i is the one that defined WPA2 in 2004. 802.11r handles fast roaming between APs. 802.11w added management-frame protection (PMF) — the defense against deauth attacks covered later. 802.11s is the mesh networking amendment. Lettered amendments don't change what you put on the AP — they're feature additions that ride alongside.

Bands and channels

WiFi uses unlicensed spectrum, which is why anyone can run an AP without an FCC license. Three bands matter:

2.4 GHz: the crowded one

11 channels in North America (14 in Japan). Channels overlap heavily — only 1, 6, and 11 don't step on each other. Used by everything else too: Bluetooth, microwaves, baby monitors, Zigbee, drones.

Range: longer (lower frequency penetrates walls). Speed: slower (narrow channels, more interference). Still the default in cheap and IoT devices because the radios are pennies.

5 GHz: the fast one

~25 non-overlapping 20 MHz channels in the US. Subject to DFS (Dynamic Frequency Selection) on many channels — APs must avoid weather radar and military radar bands. Less crowded than 2.4 because consumer junk doesn't always reach here.

Range: shorter (higher frequency, more attenuation). Speed: higher (wider channels available: 40/80/160 MHz).

6 GHz: the clean one

Opened in 2020 (US) / 2021 (most of EU) under Wi-Fi 6E. ~59 non-overlapping 20 MHz channels — finally enough room for 160 MHz wide channels without DFS conflicts. Only modern clients can use it. Old laptops and phones from before 2020 can't reach 6 GHz at all.

This is also the band where Wi-Fi 7's 320 MHz channels live. Range is shorter still, so expect it to be a high-density indoor band only.

When you hear "this AP is on channel 36," that's a 5 GHz channel. When you hear "channel 6 is full of microwaves," that's 2.4 GHz. The channel width is separate from the channel number — an AP can be on channel 36 at 20, 40, 80, or 160 MHz wide, and the wider it is, the more of the band it consumes (and the more it interferes with neighbors).
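The channel arithmetic behind the last three sections, as an added example that is not part of the course page: it maps channel numbers to center frequencies with the standard 802.11 formulas, shows why 1/6/11 are the only mutually non-overlapping 2.4 GHz channels (using the 22 MHz 802.11b DSSS width, which is where that rule of thumb comes from), and lists which 20 MHz channels a bonded 40/80/160 MHz channel consumes. The function names and the 20 MHz channel lists are this example's own; the frequency formulas are the standard ones.

```python
# Added example (not from the course page): 802.11 channel arithmetic.
# Center-frequency formulas are the standard 802.11 ones; the 22 MHz width
# used for the 2.4 GHz check is the 802.11b DSSS occupied bandwidth, which is
# the reason behind the "1, 6, 11" rule of thumb.


def center_mhz(number: int, band: float) -> int:
    """Center frequency of a channel number in the given band (2.4, 5 or 6).
    Channel numbers alone are ambiguous (1..13 exist in both 2.4 and 6 GHz),
    so the band is always passed explicitly."""
    if band == 2.4:
        if not 1 <= number <= 14:
            raise ValueError("2.4 GHz channels run 1..14")
        return 2484 if number == 14 else 2407 + 5 * number   # 14 is Japan-only
    if band == 5:
        return 5000 + 5 * number
    if band == 6:
        return 5950 + 5 * number
    raise ValueError(f"unknown band {band}")


def span(number: int, band: float, width_mhz: int) -> tuple[float, float]:
    """Half-open frequency range [low, high) a transmission occupies."""
    c = center_mhz(number, band)
    return c - width_mhz / 2, c + width_mhz / 2


def overlaps(a: int, b: int, band: float, width_mhz: int) -> bool:
    """True if channels a and b at the given width share any spectrum."""
    a_lo, a_hi = span(a, band, width_mhz)
    b_lo, b_hi = span(b, band, width_mhz)
    return a_lo < b_hi and b_lo < a_hi


def non_overlapping_24ghz(channels=range(1, 12), width_mhz: int = 22) -> list[int]:
    """Greedy pick of mutually non-overlapping 2.4 GHz channels, lowest first
    (North American channels 1..11 by default)."""
    chosen: list[int] = []
    for ch in channels:
        if all(not overlaps(ch, c, 2.4, width_mhz) for c in chosen):
            chosen.append(ch)
    return chosen


# 20 MHz channel numbers that exist in each band; 5 GHz has two numbering runs
# (36..144 step 4, then 149..177 step 4), 6 GHz runs 1..233 step 4.
TWENTY_MHZ = {
    5: list(range(36, 145, 4)) + list(range(149, 178, 4)),
    6: list(range(1, 234, 4)),
}


def channels_covered(center_channel: int, width_mhz: int, band: float) -> list[int]:
    """Which 20 MHz channels a bonded channel consumes. A bonded channel is
    identified by its center (e.g. channel 42 for the 80 MHz block 36..48)."""
    lo, hi = span(center_channel, band, width_mhz)
    return [n for n in TWENTY_MHZ[band] if lo <= center_mhz(n, band) < hi]


if __name__ == "__main__":
    print("channel 36 center:", center_mhz(36, 5), "MHz")
    print("2.4 GHz non-overlapping set (22 MHz):", non_overlapping_24ghz())
    print("80 MHz channel 42 covers:", channels_covered(42, 80, 5))
    print("160 MHz channel 50 covers:", channels_covered(50, 160, 5))
```

Running it shows the point of the "channel width is separate from channel number" sentence: an AP advertising 80 MHz on channel 42 occupies 36, 40, 44 and 48, and a 160 MHz channel 50 takes the whole 36..64 block. Passing `width_mhz=20` to `non_overlapping_24ghz` yields [1, 5, 9] instead, which is why the 1/6/11 rule only makes sense once you account for the wider DSSS mask.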

BSS, ESS, SSID, BSSID

These four terms get confused constantly. They're not synonyms, and being precise about them is the entire difference between "a WiFi network" and "an AP."

Why you'll need this distinction: "Evil twin" means an attacker broadcasts a copy of your SSID from a different BSSID. To clients, both look like "Northgate-WiFi." To the radio, they're different APs. Without 802.1X mutual auth, the client can't tell which one is real. We'll come back to this on the attacks page.

The frames every attack touches

802.11 has three frame types. The data frames carry your traffic. The control frames coordinate transmission (RTS/CTS, ACKs). The management frames are where security lives — and where almost every wireless attack happens.

Frame                        | Direction         | What it does                                                                                                   | Why it matters
Beacon                       | AP → broadcast    | "I am SSID X, my BSSID is Y, I support these rates."                                                           | Sent ~10x/second. Anyone with a radio sees them. Beacon spoofing is the foundation of evil twin.
Probe Request                | Client → broadcast| "Anyone here named X?" (active scan)                                                                           | Phones broadcast probe requests for every saved network. Trackable. (iOS & Android randomize MACs now, but the SSIDs still leak.)
Probe Response               | AP → client       | "Yes, I'm X." (often everyone with that SSID answers)                                                          | Karma-style attacks: AP says "yes" to whatever the client asks for.
Authentication               | Client ↔ AP       | Open-system or shared-key. Not WPA. This is the 802.11 step before WPA's 4-way handshake.                      | Always open in WPA/WPA2/WPA3. Confusing but historical.
Association Request/Response | Client ↔ AP       | "I'd like to join your BSS." Capabilities exchanged here.                                                     | After association, encryption negotiation begins.
Deauthentication             | Either → either   | "You're disconnected. Goodbye."                                                                                | Unauthenticated by default. Anyone can send a forged deauth and kick clients off. This is the entire point of 802.11w (PMF).
Disassociation               | Either → either   | Like deauth but softer — you leave the BSS, not the auth state.                                                | Same forge-ability problem without PMF.

The thing that surprises students: management frames are not encrypted by default. Even on a WPA2 network, beacons and deauths are sent in the clear. That's a deliberate design choice (you need to be able to find a network before you've joined it), but it means a passive observer can map every WiFi network in a neighborhood without doing anything illegal.

How a client joins a network

The textbook handshake on a WPA2-PSK network, simplified:

    # 1. Discovery (no encryption yet)
    AP     —Beacon—→       broadcast   "SSID=Northgate, BSSID=aa:bb:..., WPA2, ch36"
    Client —Probe Req—→    broadcast   "anyone named Northgate?"
    AP     —Probe Resp—→   Client      "yes, here are my capabilities"

    # 2. 802.11 auth + association
    Client —Auth Req—→     AP          (open-system, always succeeds)
    AP     —Auth Resp—→    Client      OK
    Client —Assoc Req—→    AP          "join your BSS"
    AP     —Assoc Resp—→   Client      OK

    # 3. WPA2 4-way handshake (next page covers this in depth)
    AP     —EAPOL-Key 1—→  Client      ANonce
    Client —EAPOL-Key 2—→  AP          SNonce + MIC
    AP     —EAPOL-Key 3—→  Client      install PTK + GTK
    Client —EAPOL-Key 4—→  AP          ACK

    # 4. Encrypted data flows

Stages 1 and 2 happen in the clear. Stage 3 derives the encryption keys from the pre-shared key (PSK) plus the two nonces. If an attacker captures stage 3 and they know or can guess the PSK, they can derive the same keys and decrypt everything. That's the basis of every offline WiFi attack — and the reason a strong PSK is the only thing standing between an attacker with a cheap radio and your home traffic.

Why "5 GHz is just faster" misses the point

Speed is what consumers ask about. Security people care about other properties of the band.

Takeaway

WiFi looks like Ethernet to the user and to most applications, but underneath it's a broadcast medium where every nearby radio sees every frame. The management plane is in the clear by default and full of attacks. Each generation of 802.11 has nudged the security model forward — PMF, then WPA3, then mandatory-modern-crypto on 6 GHz — but old clients keep the old weaknesses alive on most networks.

Three things to walk away with: SSIDs are not unique, BSSIDs are. Management frames are unprotected unless you turn on PMF. And the 4-way handshake is the moment of truth — capture it and you can attack the PSK offline.
