Management Frames (like Authentication and Deauthentication packets) on WiFi are UNENCRYPTED. Anyone in radio range can sniff the MAC addresses of the Access Point and the Client. Then, anyone can spoof a "Deauth" packet claiming to be the Access Point, and the client will obey it because it has no way to verify the sender.
Why do Hackers do this?
1. Denial of Service: Just to be annoying.
2. Capture Handshake: When the victim reconnects (automatically), their device performs the WPA2 4-Way Handshake. The hacker captures this handshake and can crack the WiFi password offline.
3. Evil Twin: While the real WiFi is down, the hacker starts a fake WiFi with the same name.
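The following is an added detection example, not part of the original notes: it parses raw 802.11 management frame headers from a capture, counts unprotected Deauthentication and Disassociation frames per BSSID in a sliding time window, and raises an alert when a burst looks like a deauth flood rather than the occasional legitimate disconnect. The captured frames, MAC addresses and thresholds are constructed inline for demonstration; the frame layout (2-byte Frame Control, Duration, three addresses, Sequence Control) is the standard 24-byte management header without a radiotap prefix.

```python
"""Detect deauth/disassoc floods in captured 802.11 management frames.

Added example (not from the original notes). Frames are raw 802.11 MAC
frames without a radiotap header; sample frames are constructed below.
"""
import struct
from collections import defaultdict, deque

TYPE_MGMT = 0
SUBTYPE_BEACON = 8
SUBTYPE_DISASSOC = 10
SUBTYPE_DEAUTH = 12


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def mac_bytes(text: str) -> bytes:
    return bytes(int(x, 16) for x in text.split(":"))


def parse_mgmt(frame: bytes):
    """Parse a management frame header; return None for other types or runts."""
    if len(frame) < 24:
        return None
    fc0, fc1 = frame[0], frame[1]
    ftype = (fc0 >> 2) & 0x3          # bits 2-3 of first Frame Control byte
    subtype = (fc0 >> 4) & 0xF        # bits 4-7
    if ftype != TYPE_MGMT:
        return None
    return {
        "subtype": subtype,
        "protected": bool(fc1 & 0x40),  # Protected Frame bit: set only under PMF
        "addr1": mac_str(frame[4:10]),  # receiver (client, or broadcast)
        "addr2": mac_str(frame[10:16]), # transmitter (claimed AP)
        "bssid": mac_str(frame[16:22]),
        "body": frame[24:],
    }


class DeauthFloodDetector:
    """Sliding-window counter of forgeable (unprotected) deauth/disassoc per BSSID."""

    def __init__(self, threshold: int = 10, window_s: float = 1.0):
        self.threshold = threshold
        self.window_s = window_s
        self.events = defaultdict(deque)   # bssid -> timestamps in window
        self.alerts = []

    def feed(self, ts: float, frame: bytes):
        m = parse_mgmt(frame)
        if m is None or m["subtype"] not in (SUBTYPE_DEAUTH, SUBTYPE_DISASSOC):
            return None
        if m["protected"]:
            return None  # PMF-protected frames carry a MIC; not the spoofable case
        q = self.events[m["bssid"]]
        q.append(ts)
        while q and ts - q[0] > self.window_s:
            q.popleft()
        if len(q) >= self.threshold:
            reason = struct.unpack("<H", m["body"][:2])[0] if len(m["body"]) >= 2 else None
            alert = {"bssid": m["bssid"], "count": len(q),
                     "target": m["addr1"], "reason": reason}
            self.alerts.append(alert)
            return alert
        return None


def build_frame(subtype, addr1, addr2, bssid, body=b"", protected=False) -> bytes:
    """Construct a management frame as a sniffer would hand it over (sample data)."""
    fc0 = (subtype << 4) | (TYPE_MGMT << 2)
    fc1 = 0x40 if protected else 0x00
    return (bytes([fc0, fc1]) + b"\x00\x00"          # Frame Control, Duration
            + mac_bytes(addr1) + mac_bytes(addr2) + mac_bytes(bssid)
            + b"\x00\x00" + body)                      # Sequence Control, body


def run_demo():
    """Feed a constructed capture: one benign deauth, a beacon, then a burst."""
    ap, client, bcast = "aa:bb:cc:dd:ee:01", "11:22:33:44:55:66", "ff:ff:ff:ff:ff:ff"
    det = DeauthFloodDetector(threshold=5, window_s=1.0)
    capture = [(0.0, build_frame(SUBTYPE_DEAUTH, client, ap, ap, struct.pack("<H", 3))),
               (0.1, build_frame(SUBTYPE_BEACON, bcast, ap, ap, b"\x00" * 12))]
    # burst: 8 broadcast deauths appearing to come from the AP, 50 ms apart
    for i in range(8):
        capture.append((5.0 + i * 0.05,
                        build_frame(SUBTYPE_DEAUTH, bcast, ap, ap, struct.pack("<H", 7))))
    alerts = []
    for ts, frame in capture:
        a = det.feed(ts, frame)
        if a:
            alerts.append(a)
    return alerts


if __name__ == "__main__":
    for a in run_demo():
        print(f"ALERT bssid={a['bssid']} count={a['count']}/1s target={a['target']} reason={a['reason']}")
```

The single deauth at t=0 with reason code 3 (station leaving) never trips the detector; the burst of broadcast deauths with reason 7 (class 3 frame from non-associated station), the code commonly seen in flooding tools, crosses the threshold on the fifth frame. Frames with the Protected bit set are ignored because a station that negotiated PMF discards any deauth whose MIC does not verify, so they cannot be spoofed from the outside.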
1. Tools
`aireplay-ng` (part of the aircrack-ng suite) allows you to send deauth frames.
The ESP8266 "WiFi Deauther" watch is a cheap hardware tool that does this for $10.
2. Defense
WPA3 (Management Frame Protection, 802.11w): Encrypts and integrity-protects management frames, so a station rejects a Deauth that was not sent by the real AP. This completely fixes the vulnerability.
But most devices still fall back to WPA2, where Management Frame Protection is optional and often left disabled.
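As an added defender's check (not from the original notes), the script below inspects the RSN Information Element in a beacon frame body and reports whether the network advertises Management Frame Protection as required (MFPR), merely capable (MFPC), or not at all, along with the AKM suites (PSK, SAE, ...). The bit positions (MFPR = bit 6, MFPC = bit 7 of RSN Capabilities) and suite selectors (OUI 00:0f:ac) are from the 802.11 RSN IE layout; the beacons, SSIDs and verdict wording are constructed for this example.

```python
"""Report whether a beacon advertises Protected Management Frames (802.11w).

Added example (not from the original notes). Input is the beacon frame body
(timestamp, interval, capability, then Information Elements), as a sniffer
delivers it after the 24-byte management header. Sample beacons are built below.
"""
import struct

SSID_IE_ID = 0
RSN_IE_ID = 48
OUI_IEEE = b"\x00\x0f\xac"
AKM_NAMES = {1: "802.1X", 2: "PSK", 5: "802.1X-SHA256", 6: "PSK-SHA256", 8: "SAE", 9: "FT-SAE"}
MFPR_BIT = 0x0040   # Management Frame Protection Required
MFPC_BIT = 0x0080   # Management Frame Protection Capable


def iter_ies(data: bytes):
    """Yield (element id, payload) pairs from a TLV-encoded IE list."""
    i = 0
    while i + 2 <= len(data):
        eid, length = data[i], data[i + 1]
        yield eid, data[i + 2:i + 2 + length]
        i += 2 + length


def parse_rsn(ie: bytes) -> dict:
    """Decode the RSN IE: version, group/pairwise ciphers, AKMs, capabilities."""
    off = 0
    version = struct.unpack_from("<H", ie, off)[0]; off += 2
    off += 4                                              # group cipher suite
    n_pair = struct.unpack_from("<H", ie, off)[0]; off += 2 + 4 * n_pair
    n_akm = struct.unpack_from("<H", ie, off)[0]; off += 2
    akms = [ie[off + 4 * k: off + 4 * k + 4] for k in range(n_akm)]; off += 4 * n_akm
    # RSN Capabilities is optional; an AP that omits it cannot signal PMF at all
    caps = struct.unpack_from("<H", ie, off)[0] if off + 2 <= len(ie) else 0
    names = [AKM_NAMES.get(a[3], f"unknown-{a[3]}") for a in akms if a[:3] == OUI_IEEE]
    return {"version": version, "akm": names,
            "mfpc": bool(caps & MFPC_BIT), "mfpr": bool(caps & MFPR_BIT)}


def assess_beacon(body: bytes) -> dict:
    """Give a one-line verdict on how exposed a network is to spoofed deauths."""
    ssid = ""
    result = {"akm": [], "mfpc": False, "mfpr": False}
    for eid, payload in iter_ies(body[12:]):     # skip timestamp, interval, capability
        if eid == SSID_IE_ID:
            ssid = payload.decode("utf-8", "replace")
        elif eid == RSN_IE_ID:
            result.update(parse_rsn(payload))
    if result["mfpr"]:
        verdict = "PMF required: stations drop unauthenticated deauth/disassoc"
    elif result["mfpc"]:
        verdict = "PMF optional: only clients that negotiate it are protected"
    elif result["akm"]:
        verdict = "PMF disabled: deauth frames are unprotected"
    else:
        verdict = "no RSN IE: open/WEP network, no PMF possible"
    result["ssid"] = ssid
    result["verdict"] = verdict
    return result


def build_rsn_ie(akm_types, caps: int) -> bytes:
    """Construct an RSN IE with CCMP ciphers and the given AKM suites (sample data)."""
    suite = lambda t: OUI_IEEE + bytes([t])
    payload = (struct.pack("<H", 1) + suite(4)                 # version, group CCMP
               + struct.pack("<H", 1) + suite(4)               # one pairwise: CCMP
               + struct.pack("<H", len(akm_types)) + b"".join(suite(t) for t in akm_types)
               + struct.pack("<H", caps))
    return bytes([RSN_IE_ID, len(payload)]) + payload


def sample_beacon(ssid: str, rsn_ie: bytes = b"") -> bytes:
    fixed = b"\x00" * 8 + struct.pack("<H", 100) + struct.pack("<H", 0x0411)
    return fixed + bytes([SSID_IE_ID, len(ssid)]) + ssid.encode() + rsn_ie


SAMPLES = {
    "wpa2_plain": sample_beacon("HomeWPA2", build_rsn_ie([2], 0x0000)),
    "wpa2_pmf_opt": sample_beacon("HomeWPA2-PMF", build_rsn_ie([2, 6], MFPC_BIT)),
    "wpa3_sae": sample_beacon("HomeWPA3", build_rsn_ie([8], MFPC_BIT | MFPR_BIT)),
    "open": sample_beacon("Cafe"),
}


if __name__ == "__main__":
    for name, body in SAMPLES.items():
        r = assess_beacon(body)
        print(f"{r['ssid']:14} akm={r['akm']} -> {r['verdict']}")
```

A WPA3-only network must set both MFPC and MFPR, which is why the SAE sample comes back "required"; the WPA2 mixed sample advertises PSK-SHA256 with MFPC only, so a client that does not ask for PMF stays as vulnerable as on the plain WPA2 network.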