A Coordination System That Takes Your Word For It
In April 2020, the FCC opened 1,200 MHz of 6 GHz spectrum for unlicensed Wi-Fi use — a major expansion of unlicensed spectrum. To let access points transmit at standard power in that band without interfering with the point-to-point microwave links, cellular backhaul, and public-safety networks already operating there, the FCC required a check-in step: Automated Frequency Coordination, or AFC. Before a standard-power access point can broadcast, it reports its GPS coordinates to an AFC operator, which looks up which frequencies are safe to use at that location and grants or withholds access accordingly.
The Location the System Trusts Is the Location the Device Reports About Itself
Researchers from Pennsylvania State University and Idaho National Laboratory, working under Department of Energy funding, found that AFC systems accept that self-reported GPS coordinate without independently verifying it. In a session titled 'Blind Trust in the 6 GHz Band: Weaponizing Wi-Fi Automated Frequency Coordination,' scheduled for Black Hat USA 2026 and detailed in an earlier research paper, the team showed that in the AFC systems and AP hardware they tested, low-cost software-defined radio hardware can generate synthetic GPS signals convincing enough to make an access point report a false position. Whether all seven FCC-approved AFC operators are equally vulnerable was not established in the published research. An AP spoofed into an incumbent-free location can request channels it should not have access to; one spoofed into a foreign or restricted location can be denied service outright — a way to disrupt connectivity without touching the network itself.
A Familiar Blind Spot, Outside WebPulse's Usual Field of View
WebPulse doesn't detect Automated Frequency Coordination systems or Wi-Fi access points — that infrastructure sits outside the roughly 30 web frameworks it scans for via HTML and HTTP signatures, and none of the detection data WebPulse collects speaks to this disclosure one way or another. What's transferable is the pattern, not the data: a coordination layer that treats a client's self-reported identity — here, physical location — as ground truth, with no independent check, is the same trust assumption that has produced client-side validation failures across web applications for years. AFC has been fully automated since its creation in 2020 — no human sits at a keyboard to approve each frequency grant — which makes unverified self-reporting not a corner case but the entire attack surface by design.
What This Means for Budget-Signers
This is a single research disclosure, not a documented pattern of AFC breaches in the field. No CVE has been assigned to the underlying design issue, and it does not currently appear in the CISA Known Exploited Vulnerabilities catalog. For organizations operating or planning standard-power 6 GHz deployments near incumbent spectrum users — utility backhaul links, public-safety networks, point-to-point microwave — there's a concrete procurement question worth putting to access-point vendors and AFC operators directly: does the coordination system independently corroborate a device's reported location, or does it take the device's word for it? The answer determines whether that check-in step functions as a safeguard or as a formality.


