On the 6 GHz Wi-Fi Band and Tin Foil Hats

We live in an imperfect world. In a perfect world, all countries would share the same set of frequencies that can be used by Wi-Fi devices. In fact, in a perfect world, there would be no countries in the first place. In the real world, each country has its own regulatory body that permits the utilization of certain frequencies for this or that purpose.

If you’re in the business of selling Wi-Fi-capable computer hardware, be it standalone adapters, laptops, or phones, you’ve got to make sure that your hardware is compliant with the local regulations. For instance, if you sell your laptop in Indonesia, you can’t enable channel 100 in the 5 GHz band, while it’s totally legal to enable that channel in the UK.

It’s often infeasible or even impossible to manufacture different product revisions for different markets, which means that hardware manufacturers must find a way to ensure “customized compliance,” so to say. How do they do that?

Well, it’s a mess; there is no single “by the book” method. Some manufacturers let the user decide: users are offered a list of countries to select from, so if a user tells the hardware that the current location is, say, Taiwan, that’s the end of the story; the answer is taken at face value. Other manufacturers use a different approach. For example, macOS Sierra and older macOS versions tried to figure out the device location (and dynamically change the adapter’s regulatory domain) by reading the country information element from nearby APs’ beacons. If memory serves me, it took three APs with the same country code to make macOS “decide” that one was in country X. Naturally, one could easily spoof the location by simulating APs using CommView for WiFi or a similar packet generator. Then, in macOS High Sierra and up, Apple decided to use the Location Services, which depend on a huge BSSID database to figure out the location. Again, one could disable Wi-Fi networking access to the Location Services (please don’t do any of the above at home).

The funny part is that even if you put the Wi-Fi NIC of your MacBook into passive monitor mode (which is what a site survey application, such as TamoGraph Site Survey, always does), the available channels are still restricted to the ones allowed by the regulatory domain. This doesn’t make sense, because you can’t break the rules by simply listening. In fact, many years ago, we wrote to Apple saying, “Guys, forget about regulatory domains in monitor mode, it’s passive; you won’t break any rules if you allow *all* channels.” But hey, who would listen to independent developers? 🙂

Now, with the advent of 6E (Wi-Fi 802.11ax in the 6 GHz band), we have had to revisit this problem. Today, the 6 GHz band is still far from universal adoption, and we’re observing another round of the “let’s try to play by the rules” game. While we were working on enabling monitor mode in Intel Wi-Fi 6E AX210 integrated adapters, we figured out that Intel decided to use Apple’s old idea about scanning the environment with the purpose of finding the country beacon element in nearby APs. If a non-US AP is detected nearby (regardless of the band, e.g. a 2.4 GHz AP with the “TW” country code), the adapter refuses to enable the 6 GHz band altogether. While the motivation behind this is quite understandable, the solution is questionable. Firstly, Intel is inevitably lagging behind global regulations; for example, 6E is allowed in Brazil, but Intel Wi-Fi 6E AX210 won’t enable 6E if it detects Brazilian APs nearby. Secondly, many times, I’ve personally seen environments where APs were configured to transmit a country element that didn’t match the actual country. There isn’t much you can do when a nearby café’s owner has bought a few APs from China on eBay to save a hundred bucks and they all transmit “CN” as their country code. Oh, and no, you can’t override the list of “good” countries in Intel AX210. It’s not editable; it’s part of the firmware.

Long story short, when you use CommView for WiFi with an Intel AX210 adapter hoping that you’ll see 6 GHz channels on the list of available channels, things might not work as expected. That’s exactly what we experienced when we were working on our code. How do we trick the adapter into thinking that it’s not located in a “forbidden” country? You have to create a “hearing impairment”, but only for a very short time, because the scan is performed only once, when the adapter is started. Once the adapter enters monitor mode in CommView for WiFi, it doesn’t rescan (and you’re not breaking rules, because the adapter is totally passive while it’s controlled by CommView for WiFi).

If you’re one of those “lucky” Wi-Fi engineers unable to get 6 GHz channels in CommView for WiFi + Intel AX210, how do you ensure the “hearing impairment” (i.e., major decrease in signal strength) from nearby APs? I’m certain that the readers’ ingenuity surpasses mine, but here is what we’ve come up with so far:

  • Use a metal bowl. Run CommView for WiFi and then immediately cover the laptop with something like this:

In addition, ideally, your laptop should be placed on a metal tray for better attenuation of existing sources of Wi-Fi signals.

  • Detach the antennas. This is obviously impossible if you use a laptop, but some engineers use external Thunderbolt enclosures to capture packets; in that case, detaching antennas is very easy.
  • Try aluminum foil (typically called “tin foil” in the US) covers. Be creative! Some shapes might work better than others.

Oh, and I was just thinking… If “duping” Wi-Fi adapters is so easy, all it takes to completely kill a 6 GHz-based office Wi-Fi network is simulating beacons of a couple of “CN” or “IN” APs. 🙂 But again, please don’t do this unless you want to see police at your doorstep; remember that anything passive is probably OK in your jurisdiction, whereas anything active might be illegal.
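Because the adapter keys on the country element of nearby beacons, a site operator can audit for stray or unexpected country codes from a passive capture. The following is an added example, not code from the original post: it parses the Country element (ID 7) out of beacon frame bodies and lists the BSSIDs whose advertised code differs from the one expected for the site. The beacon bytes, BSSIDs and function names are constructed for illustration.

```python
from collections import Counter

COUNTRY_IE = 7      # 802.11 element ID of the Country element
FIXED_FIELDS = 12   # timestamp (8) + beacon interval (2) + capabilities (2)

def iter_elements(body):
    """Yield (element_id, payload) pairs from a beacon body; stop on truncation."""
    pos = FIXED_FIELDS
    while pos + 2 <= len(body):
        eid, length = body[pos], body[pos + 1]
        payload = body[pos + 2:pos + 2 + length]
        if len(payload) < length:   # malformed or cut-off element
            return
        yield eid, payload
        pos += 2 + length

def country_code(body):
    """Return the two-letter code from the Country element, or None."""
    for eid, payload in iter_elements(body):
        if eid == COUNTRY_IE and len(payload) >= 3:
            code = payload[:2].decode("ascii", "replace")
            return code if code.isalpha() and code.isupper() else None
    return None

def audit(beacons, expected):
    """beacons maps BSSID -> beacon body. Returns (mismatches, counts per code)."""
    mismatches, counts = {}, Counter()
    for bssid, body in beacons.items():
        code = country_code(body)
        counts[code] += 1
        if code is not None and code != expected:
            mismatches[bssid] = code
    return mismatches, counts

def make_beacon(ssid, country=None):
    """Build a constructed beacon body: zeroed fixed fields, SSID, optional Country."""
    body = bytes(FIXED_FIELDS) + bytes([0, len(ssid)]) + ssid
    if country:
        # country string = 2 letters + environment byte, then one channel triplet
        body += bytes([COUNTRY_IE, 6]) + country + b" " + bytes([1, 11, 20])
    return body

# Constructed sample capture (locally administered BSSIDs, not real devices)
SAMPLE = {
    "02:00:00:00:00:01": make_beacon(b"office", b"US"),
    "02:00:00:00:00:02": make_beacon(b"office", b"US"),
    "02:00:00:00:00:03": make_beacon(b"cafe", b"CN"),
    "02:00:00:00:00:04": make_beacon(b"legacy"),           # no Country element
    "02:00:00:00:00:05": make_beacon(b"x", b"TW")[:-4],    # truncated element
}
```

Calling `audit(SAMPLE, "US")` reports only the “cafe” BSSID; beacons with no Country element or a truncated one are counted under `None` rather than flagged.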