man politely opening car door for a woman

Polite WiFi loophole could allow attackers to drain device batteries

Researchers at the University of Waterloo in Ontario have further researched a loophole in the WiFi protocol that was dubbed “polite WiFi”.

Last year the researchers published a study in which they showed someone could use this loophole to triangulate the location of any WiFi enabled device. Now, they’ve followed up that study to say that someone could also drain the batteries of such device. A further study may involve privacy threats based on interference of the usage of the device with the response time.

Polite WiFi

A MAC address (media access control address) is a unique identifier assigned to a network interface controller (NIC) for use as a network address in communications within a network segment. This use is common in most IEEE 802 networking technologies, including Ethernet, WiFi, and Bluetooth.

The “polite WiFi” loophole is based on the fact that a WiFi enabled device responds to every correct packet it receives, as long as it is directed at its own MAC address. This means the sending device does not have to be on the same network.


Based on this knowledge and knowing the response time, the researchers built a drone equipped with some readily available parts and sent it out on a scouting mission. Because the drone is on the move it can use triangulation to pinpoint the location of the responding devices.

Within seconds, a burglar equipped with such a device would know with an accuracy of a meter/yard where your WiFi enabled devices like phones, tablets, TVs and other “smart” devices can be found in your home. And, in a similar fashion a criminal could track the movements of security guards inside a bank by following the location of their phones or smartwatches.

Drained batteries

The goal of the battery draining attack is to drain the battery of a WiFi device by forcing the device to transmit WiFi frames continuously. To execute such an attack, an attacker could send back to back fake 802.11 frames to the target device. This forces the target devices to continuously transmit acknowledgment packets, draining its battery. This could be used in a coordinated attack at CCTV cameras that switch to batteries when the power has been cut.


The attacks based on polite WiFi are based on the fact that WiFi devices have to reply with an Acknowledgment (ACK) signal. The ACK signal is sent by the receiving station (destination) back to the sending station (source) after the receipt of a recognizable block of data of specific size. This is usually the start of a more meaningful conversation, but it doesn’t have to be.

To prevent WiFi devices from responding to signals with a malicious intent the device would have to verify if the frame is legitimate before sending an ACK. Unfortunately, this is not possible due to the WiFi standard timing requirements.

The researchers propose some future changes to the WiFi protocol that make it possible to establish whether a frame is legitimate before the ACK is sent.

And they recommend that WiFi chip manufacturers introduce an artificial, randomized variation in device response time, which would make calculations such as those performed by the Wi-Peep inaccurate.

We don’t just report on threats—we remove them

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.


Pieter Arntz

Malware Intelligence Researcher

Was a Microsoft MVP in consumer security for 12 years running. Can speak four languages. Smells of rich mahogany and leather-bound books.