The Safety System Keeping 6 GHz Wi-Fi Away From Critical Infrastructure Has Serious Holes
Researchers say the automated gatekeeper that stops modern Wi-Fi from crashing radio towers and public safety networks can be tricked, and some equipment makers are slow to take it seriously.

Key points
- Researchers from Pennsylvania State University and Idaho National Laboratory will present findings at Black Hat USA 2026 showing that a key Wi-Fi safety system has exploitable weaknesses.
- The system in question, called Automated Frequency Coordination (AFC), is supposed to stop powerful 6 GHz Wi-Fi signals from disrupting emergency networks, radio towers, and cellular backhaul links.
- Attackers could feed the AFC system false location data to grab unauthorized broadcast power, or block devices from getting valid permissions at all, disabling 6 GHz Wi-Fi entirely.
- A second research paper published this year demonstrated a working, real-world attack against commercial Wi-Fi equipment by impersonating an AFC server.
- Some vendors contacted by the research team have acknowledged the issues; others pushed back, citing usability concerns.
Most people have no idea there is a digital gatekeeper standing between their new Wi-Fi router and the radio systems that emergency services, cellular networks, and weather satellites depend on. That gatekeeper is called Automated Frequency Coordination, or AFC. Its job is simple: before a Wi-Fi access point, meaning the hardware box that broadcasts wireless internet, can use the fast 6 GHz band, it must check in with an AFC server and get permission to broadcast on specific channels at specific power levels. The server checks the device's location and makes sure it will not trample on protected signals nearby.
Researchers at Penn State and Idaho National Laboratory have now spent months pulling at that system's seams. What they found is not reassuring.
The AFC server trusts a lot of information it receives from outside itself. Location data from GPS or other positioning systems. Time signals from a protocol called NTP (Network Time Protocol), which keeps clocks synchronised across the internet. Domain name lookups, which translate human-friendly addresses into the numerical addresses computers actually use. None of those inputs are strongly verified. An attacker who can manipulate any one of them can feed the AFC server a lie.
What could actually go wrong for ordinary people?
The damage falls into two broad categories. First, a bad actor could fake a device's location to make the server think the router sits somewhere with fewer restrictions, unlocking higher broadcast power. That extra power can bleed into frequencies used by public safety networks or radio observatories. Second, and more immediately disruptive to everyday users, an attacker could do the opposite: flood the system with bogus location reports, bad time signals, or poisoned domain lookups to stop access points from ever receiving valid permissions, shutting 6 GHz Wi-Fi down for everyone in range.
No attacks matching these descriptions have been recorded in the wild so far. But researcher Yilu Dong told Dark Reading that even a confused consumer, not a criminal, could accidentally cause interference by trying to boost their own router's range and bypassing the AFC check in the process.
The failure mode here is architectural. The channel between a Wi-Fi access point and an AFC server is encrypted, so no one can eavesdrop on that conversation. The problem is everything feeding into the conversation from the outside: location, time, naming services. All of it arrives trusted by default.
The research team published two white papers this year. The second describes what they call the first working proof-of-concept attack against commercial equipment, impersonating an AFC server entirely and injecting false instructions.
Proposed fixes include using multiple independent location sources at once, building in detection for suspicious location jumps, and switching to more secure versions of the time and naming protocols involved. The researchers say their immediate goal is getting vendors to pay attention.
One thing the post-mortem will say, if this ever becomes an incident report: the trust boundary was drawn in the wrong place from the start.



