Nathaniel Bennett (Idaho National Laboratory and University of Florida), Arupjyoti Bhuyan (Idaho National Laboratory), Nicholas J. Kaminski (Idaho National Laboratory)
Within the past five years, countries globally have opened 6 GHz spectrum for Wi-Fi use to account for increased throughput demand. In order to safeguard incumbent services from interference, several countries have evaluated and adopted Automated Frequency Coordination (AFC) systems; such systems calculate and relay safe operating channels and power levels to devices based on their reported location. However, the recent design and deployment of these systems combined with the inherent trust relationships introduced (control over potentially hundreds of thousands of Wi-Fi device frequency/power decisions) points to a need to rigorously evaluate the security of AFC system design. In this work, we perform a holistic security analysis of the Wi-Fi Alliance AFC standards, comprising the AFC System Reference Model and the AFC System to AFC Device Interface Specification. We consider key security properties necessary for correct AFC operation in adversarial conditions, identify several gaps in specifications that undermine these properties, and point to vulnerabilities stemming from these specification weaknesses. Our analysis reveals five findings corresponding to seven vulnerabilities, including trivial authorization bypass weaknesses, practical resource exhaustion attacks and persistent poisoning of local AFC system data stores. Our discoveries underscore the need for spectrum-sharing systems to account for a variety of potentially malicious interactions in protocol design.