
Show HN: I built a Wi-Fi 6 survey kit to see how common it was in my area

 2 years ago
source link: https://wirelessbits.net/checking-in-on-ieee-802-11ax-wi-fi-6-adoption-8aa52f9cc352

Checking in on IEEE 802.11ax (Wi-Fi 6) Adoption

As we recently passed the 1 year anniversary of the IEEE Standards Board’s final approval of IEEE 802.11ax in February 2021, I’ve been thinking about the rate of adoption — how many devices and networks are out there communicating via Wi-Fi’s newest standard? Personally I was very drawn to 802.11ax’s mandatory use of Management Frame Protection (MFP) and the forward secrecy provided by Simultaneous Authentication of Equals (SAE) and jumped at the chance to upgrade my home Access Point (AP) to take advantage of the standard’s new features. Has there been a big push by manufacturers to sell more secure and faster equipment to consumers? Have consumers, many of whom have been spending more time at home and more time online, been looking at new tech to support their new lifestyles? I set out to learn more and try to answer these questions.

macOS detailed Wi-Fi network view of an IEEE 802.11ax (Wi-Fi 6) connection.

What can Wi-Fi Alliance data tell us?

IEEE 802.11ax is likely more commonly recognized as Wi-Fi 6: the marketing term promoted by the Wi-Fi Alliance (WFA) to refer to 6th generation 802.11 technology. If you aren’t familiar with Wi-Fi 6 and would like a quick primer, check out this helpful white paper from Cisco.

Wi-Fi generations. © 2018 Wi-Fi Alliance. All rights reserved.

The WFA administers Wi-Fi CERTIFIED™ programs that validate interoperability between Wi-Fi devices to ensure a project has “met industry-agreed standards for interoperability, security, and a range of application specific protocols.” Because of WFA’s posture as a product certifier they have a great aperture into the world of Wi-Fi equipment which they graciously make available to the public via their Product Finder tool. Using this tool I was able to gain some perspective on how many Wi-Fi CERTIFIED 6™ products are in the market.

Note: these numbers just represent products that have obtained certification status from the Wi-Fi Alliance and there are surely gaps in coverage. For example, more recent Apple devices (e.g., iPhone 13 and the 2021 MacBook Pro) don’t show up in search results. All product numbers referenced in this post are from the time of writing.

According to the Product Finder tool, there are 2,280 Wi-Fi CERTIFIED 6™ products, which includes 95 Wi-Fi CERTIFIED 6E™ products (62 unique models). The product categories are Routers (1119 devices), Phones (655 devices), Computers & Accessories (293 devices), Other (106 devices), Tablets, Ereaders & Cameras (54 devices), Televisions & Set Top Boxes (44 devices), Gaming, Media & Music (7 devices), and Smart Home (1 device).

  • The 95 Wi-Fi 6E products include phones (25 total models from manufacturers Samsung, Google, and Motorola) such as the Samsung Galaxy S21 Ultra 5G (SM-G998U), Motorola Edge 2021 (XT2141–2), and Google Pixel 6 Pro 128GB (G8V0U) and routers (27 total models from manufacturers Huawei, Linksys, ASUSTeK, Broadcom, Cisco, DAVOLINK, HPE, Mercury Corporation, ON Semiconductor, Qualcomm, Sagemcom Broadband, & Technicolor) such as the Linksys Atlas Max 6E Wi-Fi Mesh System (MX8500), ASUS ROG RAPTURE (GT-AXE11000), and Aruba Multiservice Mobility Controller/AP-635 Access Point.

Wi-Fi 6 product certifications started in 2019 and are on-going. Samsung, Huawei, and ZTE lead the pack in certifications of Wi-Fi 6 equipment.

Top 25 manufacturers of Wi-Fi 6 certified products, 2019 to late March 2022. Data source: Wi-Fi Alliance.

Now, compare those numbers with the 22,792 Wi-Fi CERTIFIED™ ac (aka Wi-Fi 5/IEEE 802.11ac) products; certifications started in 2013 and are on-going as of 2022. Of the 358 companies with Wi-Fi 5 certified products, Samsung, LG Electronics, and Panasonic are the top 3 companies by product counts followed closely by Huawei at #4.

Top 25 manufacturers of Wi-Fi 5 certified products, 2013 to late March 2022. Data source: Wi-Fi Alliance.

After spending time reviewing the data from 5th & 6th generation certifications, it was clear that the numbers of certifications in 2020 and 2021 represent a decline from 2019. Indeed, given the current number of certifications a quarter of the way into this year, it seems the decline could continue through 2022.

Graph plotting Wi-Fi 5 and Wi-Fi 6 product certifications from 2013 to 2022. The graph shows a decline in Wi-Fi 5 and Wi-Fi 6 certifications from 2020 to present.
Wi-Fi 5 & Wi-Fi 6 Wi-Fi Alliance Product Certifications 2013 to late March 2022. Data source: Wi-Fi Alliance.

It is important to note that this data only references the product models that are certified and by no means speaks to individual unit procurement numbers. There might only be 2,280+ Wi-Fi 6 products certified but maybe those products are exceptionally popular and are widely used. I don’t have data to say either way.

It seems that the global chip shortage could be a reason for the decline in new product certifications, at least for Wi-Fi 6E. According to an article by Dan Robinson of The Register, Wi-Fi 6E products might not be taking off because of the lack of endpoint options which in turn might be due to the chip shortage, concerns about spectrum utilization regulations being inconsistent globally, and interference from equipment already operating in the 6 GHz spectrum.

These numbers provide some useful macro context but I was curious what the environment around me looked like. I thought that the quickest way to do that was to make a simple Wi-Fi survey kit and check what was collected.

Where’s that Wi-Fi?

My goals were to find a single board computer (SBC) that was relatively inexpensive, small (wallet sized), USB-PD compatible, and of course, able to monitor 802.11ax frames. I ran into some challenges finding hardware with many suitable options being out of stock or too expensive. I ended up going with the DFRobot LattePanda Delta 432 which, at $259, was about the most I’d want to pay for this little project. The computer didn’t have an 802.11ax capable wireless interface but having an M.2 A/E-keyed socket, it was easy enough to add a $26 Intel AX200 module. I had a protective case and a portable battery sitting around so all I needed to do was configure the device to collect Wi-Fi frames. I decided to add a GPS receiver to the kit in case I find something interesting that I might later want to check out again.

Given everything that I wanted the kit to do, Kismet was the perfect tool for the job and rather quickly I had it installed and configured on the LattePanda Delta 432 running Ubuntu 20.04. After performing a few tests at home I set out with the kit on foot to start my survey.

Image showing 93 Wi-Fi channels/channel widths the Kismet program is configured to capture traffic on.
The 93 channels/channel widths configured for capture via Kismet.

Web client view of Kismet capture during testing at home.

In order to maximize my efficiency, I attempted to walk in the most densely populated locations in my area which turned out to be the middle of Washington, DC. My theory was that the greater the human density, the higher likelihood of encountering APs. I also attempted to survey both residential and commercial areas (informed using US Census Bureau and DC Government zoning data).

I tried to make sense of a DC Government zoning map to get a good mix of resident, commercial, and mixed use space as I planned a walking survey route. Data source: DC Government.

8.3 miles, 301 MB of captured data, and one averted thunderstorm later it was time to begin the analysis. I decided to look for APs specifically instead of client devices (non-AP STA) such as phones, laptops, printers, and IoT devices. I did this for a couple reasons:

  • I figured if I focus on APs I could also get stats on Wi-Fi 6, Wi-Fi 6E, WPA3, and Management Frame Protection (MFP) all in one place via Beacon frames. Also, identifying AP manufacturers and models will likely be easier since the manufacturer can likely be inferred from the BSSID, and oftentimes vendor-specific data that lists manufacturer and model information will be present in Beacon frames.
  • Americans typically tend to replace their smartphones every 2–2.5 years. According to ScientiaMobile’s Mobile Overview Report (MOVR) for 2021-Q4 (October-December 2021), at least 17.37% of North American phones are Wi-Fi 6 capable. That number is likely much higher in the United States specifically and grew in 2022-Q4, especially following the top 3 Mobile Network Operators (MNOs) in the country advertising device trade-ins for new phones supporting Wi-Fi 6. If you purchased a phone in the US since late 2019/early 2020 to present there’s a decent chance you are able to use Wi-Fi 6. I think smartphone Wi-Fi 6 adoption has been progressing well. Quarterly data on device sales and use for phones isn’t typically hard to come by. What I’m curious about is how many phones aren’t able to utilize Wi-Fi 6 because they don’t have any APs to connect to.
  • Given the rise of localized MAC address utilization in mobile client devices like phones, tablets, and laptops, device identification and de-duplication is a bit trickier. Plus, given some of the technical challenges in capturing a specific client/AP Resource Unit (RU), it’s best to avoid the client perspective.
  • Finding devices and ensuring a good sample will be easier if the collector and collectee aren’t both moving. I expect most APs that I came across to be static from my perspective as I walked by but I think I’ll find some exceptions like in-car Wi-Fi networks and mobile network hotspots.
  • I have a theory that given the monetary cost and power cost of more modern Wi-Fi chips, IoT devices likely aren’t driving the adoption of Wi-Fi 6. My thinking is that such equipment likely uses older, less expensive, more abundant, and less speedy Wi-Fi standards like IEEE 802.11b/g/n (if the equipment uses Wi-Fi at all in lieu of Bluetooth Low Energy or Zigbee). The WFA’s data backs this up too — the top three categories of certified products were Routers (1119), Phones (655), and Computers & Accessories (293). A canvass of the top selling home & consumer IoT devices in the United States confirmed my hunch. Only one device I came across supports Wi-Fi 6, the Amazon Fire TV Stick 4K Max — 1st Gen (2021).

After settling on Beacon frames only I started preparing the data. I go back and forth on my analysis tools, alternating between using Wireshark itself and exporting the data and exploring it with Microsoft Excel or Jupyter Notebook.

Plotting a random sample of discovered APs that have GPS coordinates in their frame from Kismet (n=3000).

Finding High Efficiency (HE) Wi-Fi, efficiently

During my survey I came across 40,886 unique BSSIDs. Of those, 8,622 (21.09%) listed HE Capability and HE Operation Information Elements (IEs) in Beacon frames, identifying them as Wi-Fi 6 capable STAs. Effectively, one in five APs I walked by could support Wi-Fi 6. About 16.2% of Wi-Fi 6 capable STAs advertised support for Access Network Query Protocol (ANQP) meaning additional information about the STA such as its venue’s name, domain name, operator’s name, and authentication details could potentially be queried.

The manufacturers of the Wi-Fi 6 APs that I could definitively resolve are:

  • ARRIS Group, Inc. (and Ruckus Wireless)
  • ASUSTek COMPUTER INC.
  • Arcadyan Corporation
  • Belkin International Inc.
  • Cisco Systems, Inc. (and Cisco Meraki)
  • EnGenius Technologies, Inc.
  • Extreme Networks, Inc.
  • Fortinet, Inc.
  • Hewlett Packard Enterprise (and Aruba)
  • Mist Systems, Inc. (a Juniper Company)
  • Netgear
  • Nokia Solutions and Networks GmbH & Co. KG
  • Novatel Wireless Solutions, Inc.
  • Open Mesh, Inc.
  • Pepwave Limited
  • Starry, Inc.
  • TP-Link Corporation Limited
  • Technicolor CH USA Inc.
  • Ubiquiti Networks Inc.
  • Zyxel Communications Corporation
  • eero inc. (an Amazon company)

Looking at MAC capabilities for a HE network.

How to find via Wireshark: wlan.tag.number == 255 && wlan.ext_tag.number == 35 && wlan.ext_tag.number == 36

Any Wi-Fi 6E?

Of the 62 unique products that are certified as Wi-Fi 6E validated, 31 of them are devices that aren’t phones or computers and I didn’t come across any in my survey. Granted, I wasn’t scanning for 6 GHz channels but no HE network I came across listed 6 GHz information as being present in HE Operation parameters.

Trying to find Wi-Fi 6E networks via HE Operation parameters from 2.4 & 5 GHz spectrum collection.

How to find via Wireshark (from 2.4 & 5 GHz spectrum channel collection): wlan.ext_tag.he_operation.6ghz_operation_information_present == 1
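The two Wireshark filters above (HE Capabilities plus HE Operation, and the 6 GHz Operation Information Present flag) can be reproduced offline by walking a Beacon's information elements. This is an added example, not the author's tooling; it assumes the radiotap and 802.11 MAC headers are already stripped so the body starts at the fixed Beacon fields, and the sample beacons and BSSIDs are constructed.

```python
# Added example: classify Beacon frame bodies by their HE information elements.
FIXED_LEN = 12             # timestamp (8) + beacon interval (2) + capability info (2)
EXT_ELEMENT = 255          # wlan.tag.number == 255
HE_CAPABILITIES = 35       # wlan.ext_tag.number == 35
HE_OPERATION = 36          # wlan.ext_tag.number == 36
SIX_GHZ_PRESENT = 1 << 17  # bit 17 of the 3-octet HE Operation Parameters field

def iter_elements(body):
    """Yield (element_id, extension_id_or_None, payload) for each element."""
    pos = FIXED_LEN
    while pos + 2 <= len(body):
        eid, length = body[pos], body[pos + 1]
        data = body[pos + 2:pos + 2 + length]
        if len(data) < length:
            return  # truncated capture: stop instead of misparsing
        if eid == EXT_ELEMENT and length >= 1:
            yield eid, data[0], data[1:]
        else:
            yield eid, None, data
        pos += 2 + length

def classify_beacon(body):
    """Return SSID, Wi-Fi 6 capability and the 6 GHz info flag for one Beacon."""
    ssid, he_cap, he_op, six_ghz = None, False, False, False
    for eid, ext, data in iter_elements(body):
        if eid == 0:
            ssid = data.decode("utf-8", "replace")
        elif ext == HE_CAPABILITIES:
            he_cap = True
        elif ext == HE_OPERATION:
            he_op = True
            if len(data) >= 3:
                params = int.from_bytes(data[:3], "little")
                six_ghz = bool(params & SIX_GHZ_PRESENT)
    return {"ssid": ssid, "wifi6": he_cap and he_op, "six_ghz_info": six_ghz}

def he_share(beacons):
    """Fraction of unique BSSIDs whose Beacon carries both HE elements."""
    seen = {bssid: classify_beacon(body)["wifi6"] for bssid, body in beacons}
    return sum(seen.values()) / len(seen) if seen else 0.0

# Constructed sample data (not from the survey): zero-filled element payloads.
def ie(eid, payload):
    return bytes([eid, len(payload)]) + payload

FIXED = bytes(FIXED_LEN)
LEGACY = FIXED + ie(0, b"cafe") + ie(1, b"\x82\x84\x8b\x96")
HE_AP = FIXED + ie(0, b"home6") + ie(255, bytes([35]) + bytes(21)) + ie(255, bytes([36]) + bytes(6))
HE_6E = FIXED + ie(0, b"lab6e") + ie(255, bytes([35]) + bytes(21)) + ie(255, bytes([36]) + b"\x00\x00\x02" + bytes(8))
SAMPLE = [("aa:aa:aa:00:00:01", LEGACY), ("aa:aa:aa:00:00:02", HE_AP),
          ("aa:aa:aa:00:00:02", HE_AP), ("aa:aa:aa:00:00:03", HE_6E)]
```

`he_share(SAMPLE)` de-duplicates by BSSID before computing the share, which mirrors the unique-BSSID counting used in the survey figures.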

But wait!

There are a couple caveats and points of clarification surrounding packet capture and analysis:

  • I’d hardly describe this Wi-Fi capture and analysis process as scientific. It was a best effort attempt to see what degree of device usage was detectable in a given urban area from a simple survey. There were many variables I didn’t control for and my means of sampling could have been skewed by such things as building occupancy/utilization rates, tenant/owner wealth, time of day of capture, collection dwell time, and type of structures present on the route.
  • Due to Wi-Fi 6’s use of Orthogonal frequency-division multiple access (OFDMA) some data could have been missed by the monitoring card which wasn’t necessarily near the AP or the client device. While this might be true if I was attempting to collect a full, uninterrupted data stream of all AP traffic this isn’t an issue with Beacon frames. It is far more likely that I would have missed networks due to signal attenuation or because Kismet was channel hopping. Given my configuration it takes Kismet about 19 seconds to cycle through all 93 channel/channel-width combinations. In that time I’d cover about 70–90 feet of distance. There were also dwell times as I waited at intersections or for vehicles to enter/leave alleys and garages.
  • Kismet was not collecting on all possible channels/channel widths so it is possible some networks (e.g., 160 MHz HE STAs) were missed.

How to make your own survey kit

I’m including the full list of hardware and software I used to make the survey kit as well as the general directions I used to configure the system.

Hardware List

Software List

Kit Configuration

General System Configuration

# apt update -y
# apt upgrade -y
# wget -O - https://www.kismetwireless.net/repos/kismet-release.gpg.key | apt-key add -
# echo 'deb https://www.kismetwireless.net/repos/apt/release/focal focal main' | tee /etc/apt/sources.list.d/kismet.list
# apt update
# apt install kismet gpsd gpsd-clients openssh-server
# systemctl enable ssh
# systemctl enable gpsd
# systemctl enable kismet

Kismet (/etc/kismet/kismet.conf) — edit

gps=gpsd:host=localhost,port=2947
# replace with your Intel AX200 interface if different
source=wlo1

udev (/etc/udev/rules.d/80-gps.rules) — create + add

SUBSYSTEM=="usb", ACTION=="add", ATTRS{idVendor}=="067b", ATTRS{idProduct}=="2303", NAME="gps"

gpsd (/etc/default/gpsd) — edit

GPSD_OPTIONS="-D 5 -n /dev/gps1"

cloud-init (/etc/netplan/50-cloud-init.yaml) — create + add

network:
  version: 2
  ethernets:
    {ETHERNET INTERFACE NAME}:
      dhcp4: true
      addresses: [{IP ADDRESS OF SBC}/24]
      match:
        macaddress: {ETHERNET MAC ADDRESS OF SBC}
      set-name: {ETHERNET INTERFACE NAME}

Do you have any questions, comments, constructive feedback, or things to discuss? Please feel free to DM me via Twitter @wirelessbits_!

In a future post I plan to review and discuss the security aspects (e.g., WPA3 & Management Frame Protection usage) of the network data I collected.

