When we started this research we were aware of at least one university in Germany that hinders other WLANs on its premises with the help of so-called deauthentication packets. This means that the university's systems are configured so that they block other WLAN access points (e.g. a mobile hotspot on a phone or an LTE router) by sending special packets. These packets ensure that the user of such a WLAN access point is always disconnected from their own WLAN and cannot establish a stable connection. The university we know of claims that other universities do the same.
We want to research this claim!
This page is about WLAN systems that are self-sufficient (e.g. smartphones, LTE hotspots) and not connected to the existing university networks.
This page will provide an overview, based on inquiries made via FragDenStaat.de (or other sources), of which universities show such behavior. We will try to ask every university in Germany. Refusals to provide information (e.g. due to "security concerns") are interpreted as meaning that WLANs are impeded, and are marked with an *.
Our goal is to provide an overview of these universities, to make the public aware of this topic and to stimulate changes in the IT of the university landscape (where necessary).
Are you a lawyer or journalist and want to support us? Contact us!
We try to explain this with as few technical details as possible so that as many people as possible can understand it. But it is a technical issue.
We are aware of two main arguments and have a guess:

1. Ensuring the quality of service of the own university WLAN
Every other device with WLAN uses the same frequencies and therefore reduces the bandwidth / speed (= quality of service) of this WLAN. This applies to end devices as well as to additional access points. When access points operate side by side, quality suffers most if their WLAN channels differ unfavorably, i.e. if they use channels other than those of the university WLAN. If another access point uses the same channels as the university WLAN, the quality reduction is rather low, since all devices (regardless of whether it is a cell phone acting as a client or an access point) work according to the same protocol and only start to transmit when no other device is transmitting (CSMA/CA). On different channels, however, the devices cannot "hear" each other, which is particularly problematic. In order to be able to offer all users of the university WLAN the best possible quality of service, some universities block all third-party access points so that the operator cannot use them and eventually switches them off.

2. Security aspects
The "problem" is the way in which the login to the WLAN network works, especially with the Eduroam offered at universities. It is not like at most people's homes, where access is granted with a single password. With Eduroam, everyone uses their own individual login / password. Usually this is the university login of the corresponding university, which is entered directly into the device, e.g. the mobile phone. There is an attack scenario in which an attacker sets up his own access point that uses the same name (e.g. Eduroam) as the university. This attacker wants to get the login data of the university login. End devices such as cell phones generally try to connect to the access point that has the strongest radio signal. The attacker has, of course, ensured this with an appropriate antenna and signal strength. The end device now connects to the "wrong" access point (such access points are also called rogue access points [1]) and may send the university login data stored in the end device. The "may" is important here, as this only happens if the end device is not configured securely. It is configured insecurely if it does not check, when logging on, whether the access point is the "right" one. This is done by checking a certificate that every access point (including the attacker's) must present. The access points of universities have this (secret) certificate and can thus prove to be the "right" one. The attacker doesn't; he presents a different or forged certificate. If the end device is set up so that a certificate check takes place, there is no danger.

3. Assumption: Psychological reasons
The IT service providers of universities are of great importance in today's digital age. Nothing works without networking and the Internet. So it may be that these service providers are solely responsible for deciding how the finite resources are to be divided between the different requesters. This creates a considerable element of power. Depending on the personality of the decision-maker, this creates a concentration of power, which of course can lead to abuse of power with all its consequences without technically competent control and regulatory authorities. We see the assumption that one can / may hinder all other WLANs (except the own) as such a form of abuse of power, even if the intention to want to provide the best possible security and quality of service should be rated positively. It is in the interest of all those involved to define university structures in such a way that decisions are not made by individuals, but by democratically legitimate and technically competent people from those affected by these decisions. In this way, an optimal balance of interests can be established and at the same time it relieves the IT service provider of having to make decisions himself.

[1] A rogue access point is generally only referred to in this way if it also establishes a connection to the university's network. However, since it is difficult to determine whether such a connection actually exists, it is interpreted that all access points in the geographic area of the university are classified as rogue (and therefore unintentional = hostile).
Preliminary note: We are computer scientists, not lawyers.
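What "configured securely" under "Security aspects" means in practice, as an added example that is not part of the original page: a small Python audit of a wpa_supplicant configuration that flags 802.1X network blocks which skip the certificate check or do not check the server name. The choice of wpa_supplicant as the client, the function names, and all SSIDs, identities and paths in the sample are assumptions made for illustration.

```python
import re

TRUST_ANCHOR = ("ca_cert", "ca_path")
NAME_CHECK = ("domain_suffix_match", "domain_match",
              "altsubject_match", "subject_match")


def parse_networks(text):
    """Return one dict of key -> value per network={...} block."""
    networks, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if re.fullmatch(r"network\s*=\s*\{", line):
            current = {}
        elif line == "}" and current is not None:
            networks.append(current)
            current = None
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip().strip('"')
    return networks


def uses_eap(net):
    """True for blocks that log in with individual credentials (802.1X/EAP)."""
    tokens = net.get("key_mgmt", "").split()
    return "eap" in net or any("EAP" in t or t == "IEEE8021X" for t in tokens)


def audit(text):
    """Return (block index, ssid, finding) for every weak 802.1X block."""
    findings = []
    for idx, net in enumerate(parse_networks(text)):
        if not uses_eap(net):
            continue                      # PSK/open: no server certificate
        ssid = net.get("ssid", "?")
        if not any(net.get(k) for k in TRUST_ANCHOR):
            findings.append((idx, ssid, "server certificate is not verified"))
        elif not any(net.get(k) for k in NAME_CHECK):
            findings.append((idx, ssid, "server name is not checked"))
    return findings


# Constructed sample; names, paths and identities are placeholders.
SAMPLE_CONF = '''
network={
    ssid="eduroam"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="user@uni.example"
    phase2="auth=MSCHAPV2"
}
network={
    ssid="eduroam"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="user@uni.example"
    ca_cert="/etc/ssl/certs/example-root.pem"
    phase2="auth=MSCHAPV2"
}
network={
    ssid="eduroam"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="user@uni.example"
    ca_cert="/etc/ssl/certs/example-root.pem"
    domain_suffix_match="radius.uni.example"
    phase2="auth=MSCHAPV2"
}
network={
    ssid="home"
    key_mgmt=WPA-PSK
}
'''

if __name__ == "__main__":
    for idx, ssid, finding in audit(SAMPLE_CONF):
        print(f"block {idx} ({ssid}): {finding}")
```

Only the third block would refuse an access point that presents a different certificate; the first two hand the stored login to whichever access point answers under that name.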
As always in such cases, where there is no plaintiff there is no judge. So far we have not heard of any judgments in Germany that would answer this question. Hence our (certainly amateur) legal opinion on this subject.
1. On the aspect of service quality
We give the universities credit for wanting to deliver the best possible quality. However, it is also the case that the frequencies used for WLAN have been made available to EVERYONE. The responsible government agency is the Bundesnetzagentur (Federal Network Agency), which does this within the framework of the TKG with general assignments. In a general assignment, the Bundesnetzagentur determines how the frequency may be used. The following is stated for WLAN (among other things):
Transmissions that deliberately disrupt or prevent the intended use of WLAN, e.g. sending out radio signals and / or data packets that aim to log off or influence other users' WLAN connections against their will, are not permitted. The frequency ranges mentioned above are also used for other radio applications. The Bundesnetzagentur does not guarantee a minimum quality or freedom from interference in radio communications. There is no protection against impairments due to other intended frequency uses. In particular, mutual interference cannot be ruled out and must be accepted if the spectrum is used jointly.
So it seems clear to us that the universities violate the general allocation if they interfere with other WLAN signals. Our own request to the Bundesnetzagentur confirms this. Since the university's actions are exploiting a design vulnerability in the WLAN protocol (WPA2), other frequency users are not affected. This means that DECT phones, Bluetooth headphones, smartwatches, wireless mice and keyboards, heart rate belts, pedometers, car door openers and many more cannot be hindered. If the quality standards of the university are so high, then our suggestion would be to switch to a licensed frequency band (e.g. mobile radio over 5G), where the operator can determine who uses it.

2. On the security aspect
This page is about WLAN systems that are self-sufficient (e.g. smartphones, LTE hotspots), i.e. not connected to the existing university networks. It is argued that the necessary technical means must be used to secure the network (§ 109 TKG). This is then interpreted in such a way that, if the technology has the option, it can also be used in order to hinder other access points. This is not understandable for us in several aspects when considering the technical details properly.
On the one hand, an access point can be set up anywhere in the world, including in a supermarket. A cell phone would also reveal the login data there, provided that it is not configured securely.
On the other hand, a serious attacker will activate a function in the access point (PMF) that counteracts deauthentication packets. The mobile phone will register at the access point despite the deauthentication packets continuously sent by the university WLAN and will then reveal the login data if it is not configured securely.
Actually, the problem is not primarily about the security of a network, but about the security of a device. Deauthentication packets that are limited to the campus of the university do not help in any way. It is actually much worse, as they cover up the actual security problem, the insecure configuration of the end device. The user is lulled into a false sense of security.
The security of the university's network (or more precisely the services within it) is only at risk (as a result of the login data of an insecurely configured device becoming known) if the university login is also used for WLAN access. If all university services can be accessed with this university login, these services or the data of the services are at risk. Alternatively, the services could also be secured with a second factor (e.g. using a TAN generator). Obstructing other WLANs therefore does not add any substance to security. If a university argues with this point, it can be assumed that it does not implement well-established security rules (different services, different logins, or two-factor authentication) and therefore does not protect its members according to state-of-the-art technology.
We have already heard that certifications (e.g. BSI Grundschutz or ISO 27001) require that other WLAN signals are blocked. However, according to our request, the BSI (which makes the requirements for this certification) does not see it that way.

3. Exemption / permission
According to the Bundesnetzagentur, it does not issue any exemptions. It is also not aware of any other authority that issues such permits. There is no legal basis that would allow such an exception. It is just a frequency allocation for everyone.
Source at FragDenStaat.de
The Bundesnetzagentur also does not allow or prohibit administrative measures (e.g. user regulations) restricting frequency use. It is not responsible for this and the legal situation is unknown to the Bundesnetzagentur.
Source at FragDenStaat.de
We see additional aspects as legally critical.
We have already mentioned the violation of the general allocation of the Bundesnetzagentur.

In addition, we see a violation of personal rights if visitors or members of the university cannot operate their own hotspots. Some universities have organizational rules that prohibit their members (or provide restrictions) from operating their own WLANs. With these own WLANs, we explicitly refer to autonomous WLANs that are not connected to the university network. If the use of such autonomous WLANs is restricted, we see an interference with the Academic Freedom, since it is no longer possible to make completely free decisions in the design of a system and its architecture. In addition, these restrictions only apply to the WLAN protocol. Other radio protocols such as Bluetooth, DECT etc. are not restricted. The universities restrict the free use of the frequency as legally intended by the Bundesnetzagentur.

Since the Bundesnetzagentur has made it clear that technical measures, such as sending deauthentication packets, violate the general assignment, administrative / organizational rules must also be considered illegal. These rule sets undermine the goal that the TKG wants to achieve with the general assignment. Legally, we see this as a circumvention of the law (circumvention transaction).

As the last point, we see the possible criminal liability according to § 303b StGB:
Anyone who significantly interferes with data processing that is essential for another person by [...] inserting or transmitting data with the intention of causing a disadvantage to another will be imprisoned for up to three years or fined.

and § 202b StGB:
Anyone who obtains unauthorized or other data that is not intended for him using technical means (Section 202a (2)) from a non-public data transmission or from the electromagnetic radiation of a data processing system will be punished with imprisonment for up to two years or with a fine if the act is not subject to more severe punishment under other provisions.
The relevance arises from the fact that the attack on another WLAN only works if the MAC address (a unique ID of each WLAN device) of the attacked device is recorded and then used by the attacker himself (thus falsifying his own MAC address).
When we argue as above, we get (almost reflexively) statements that the wireless network would then no longer be usable; all the rules of the GDPR are then invoked to argue that one has to use every option there is. By now there have already been some responses to our inquiries, even from large universities, which show that this is probably not quite the case.
We find it logical that members of a university want to use a functioning WLAN. We want that too. From a legal point of view, however, we see no claim to this because a freely available frequency band is used (unlicensed). The WLAN specification is defined so that everyone has a chance to use it. The assumption of a university that it can have more rights here does not result from any legal regulation known to us.
Many universities also have organizational restrictions for employees through rules and regulations. Of course, these are not binding for visitors. Situations then arise where one can do something in the role of a private person on the premises, but not in the role of an employee or researcher. Do such regulations really help or are they just annoying?
We can therefore well imagine that it will be in everyone's interest if guidelines (but not legally enforceable) are developed TOGETHER at universities that allow EVERYONE to access the frequencies. These regulations should then also be negotiated democratically and should not be a dictatorship of individuals.
We therefore recommend, starting with the most important:
1. The separation of the university login from the access data for WLAN access. RWTH Aachen with its EGM (device manager) is an example.
2. Optimize the WLAN channels used. If channels 1, 6, 11 are used, it would be quite possible to try 1, 5, 9, 13 in order to make full use of the available frequencies. This is what the Leibniz data center does, for example.
3. Introduction of two-factor authentication for some or all of the university's services and thus a departure from the one-password policy. The KIT shows how it can be done.
4. Create transparency about the right to use the frequency for everyone, the problems associated with it and the basic assumption that an employee will always be cooperative first.
5. Create a guide to WLAN usage (no order or rule) with the REQUEST to get a channel assigned so that the best possible frequency coverage can be achieved.
Help us and give hints or ask questions at FragDenStaat.de!
Use in the subject of your inquiry at FragDenStaat.de: WLAN of the [HERE THE UNIVERSITY NAME]
You can use the following as text:
Are the WLAN systems (e.g. those that provide Eduroam) of the university configured so that they interfere with other WiFi signals using deauth / disassociation packets, e.g. by means of a rogue access point containment function?
If so, why and what settings are used?
If not, why not?

If you let us know (see imprint), the university will be put in the database of this page. But you also have to provide us with a reliable source. We feel obliged to protect the informants!
If you are technically adept, you can set up measurement equipment and prove the deauthentication packets or prove that they do not exist. You may also ask for help from an Erfa group of the nearby Chaos Computer Club. If deauthentication packets have been proven, you can report radio interference to the Bundesnetzagentur. We advise you not to do this yourself if you are a member of the same university that you believe is the cause of the disturbances. According to current (German) law, you could still be fired if you have not previously reported anything to the employer. However, we are aware that it is particularly difficult in institutions with a high level of hierarchy to give information and not to be seen negatively. Ultimately, it can also be assumed that the settings of the university's WLAN are known to those responsible, so you could not report anything new that would be unknown to them. Whistleblower protection in Germany will only change fundamentally in 2021.
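One way to evaluate such a measurement, as an added example that is not part of the original page: the Python script below reads a classic pcap file recorded in monitor mode and counts deauthentication and disassociation frames that name your own hotspot's address. The sample capture, the MAC addresses and the function names are constructed for illustration.

```python
import struct
from collections import Counter

LINKTYPE_IEEE802_11 = 105      # raw 802.11 frames
LINKTYPE_RADIOTAP = 127        # radiotap header followed by the 802.11 frame
TEARDOWN = {10: "disassoc", 12: "deauth"}   # management frame subtypes


def mac(raw):
    return ":".join(f"{b:02x}" for b in raw)


def iter_pcap(data):
    """Yield (timestamp, linktype, packet) from a classic little-endian pcap."""
    if len(data) < 24:
        raise ValueError("too short for a pcap header")
    magic, *_rest, linktype = struct.unpack_from("<IHHiIII", data, 0)
    if magic != 0xA1B2C3D4:
        raise ValueError("unsupported pcap variant")
    off = 24
    while off + 16 <= len(data):
        sec, usec, incl, _orig = struct.unpack_from("<IIII", data, off)
        off += 16
        if off + incl > len(data):
            break                          # truncated last record
        yield sec + usec / 1e6, linktype, data[off:off + incl]
        off += incl


def parse_teardown(linktype, pkt):
    """Return a dict describing a deauth/disassoc frame, else None."""
    if linktype == LINKTYPE_RADIOTAP:
        if len(pkt) < 8:
            return None
        pkt = pkt[struct.unpack_from("<H", pkt, 2)[0]:]   # skip radiotap
    elif linktype != LINKTYPE_IEEE802_11:
        raise ValueError(f"linktype {linktype} is not an 802.11 capture")
    if len(pkt) < 24:
        return None
    ftype, subtype = (pkt[0] >> 2) & 0x3, pkt[0] >> 4
    if ftype != 0 or subtype not in TEARDOWN:
        return None
    protected = bool(pkt[1] & 0x40)        # body encrypted (PMF unicast)
    reason = None
    if not protected and len(pkt) >= 26:
        reason = struct.unpack_from("<H", pkt, 24)[0]
    return {"kind": TEARDOWN[subtype], "dst": mac(pkt[4:10]),
            "src": mac(pkt[10:16]), "bssid": mac(pkt[16:22]),
            "protected": protected, "reason": reason}


def teardown_report(data, own_bssid):
    """Count teardown frames naming own_bssid, by (kind, src, dst, reason)."""
    own = own_bssid.lower()
    counts = Counter()
    for _ts, linktype, pkt in iter_pcap(data):
        f = parse_teardown(linktype, pkt)
        if f and own in (f["src"], f["dst"], f["bssid"]):
            counts[(f["kind"], f["src"], f["dst"], f["reason"])] += 1
    return counts


def build_sample_capture():
    """Constructed test data: one beacon and five teardown frames."""
    ap = bytes.fromhex("02aabbccdd01")      # hypothetical hotspot BSSID
    sta = bytes.fromhex("02aabbccdd02")     # hypothetical client
    bcast = b"\xff" * 6
    radiotap = struct.pack("<BBHI", 0, 0, 8, 0)

    def frame(subtype, dst, src, body):
        hdr = struct.pack("<BBH", subtype << 4, 0, 0) + dst + src + ap
        return radiotap + hdr + struct.pack("<H", 0) + body

    frames = [frame(8, bcast, ap, b"\x00" * 12)]                 # beacon
    frames += [frame(12, sta, ap, struct.pack("<H", 7))] * 3     # deauth
    frames += [frame(12, bcast, ap, struct.pack("<H", 7))]       # deauth
    frames += [frame(10, ap, sta, struct.pack("<H", 8))]         # disassoc
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_RADIOTAP)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1_600_000_000 + i, 0, len(f), len(f)) + f
    return out


if __name__ == "__main__":
    report = teardown_report(build_sample_capture(), "02:aa:bb:cc:dd:01")
    for key, n in report.items():
        print(n, *key)
```

Because, as described above, the sender reuses the address of the targeted WLAN, the frames worth documenting are those that claim to come from your own access point although it never sent them.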
- continue to work on asking the universities
- corona break
January 2020:
- our fired research colleague cancels the employment and now works for someone else (but is still involved with us)
- added english translation
- added history section
- one of our research colleagues is fired without notice (because of the involvement in this page)
- started page and first request at FragDenStaat.de


(and responsible for content according to § 5 TMG, § 55 RStV)

Marcel Langner
Kuckucksweg 1A
15741 Bestensee
Tel: 033763-149978
Fax: 033763-149992


Liability for content

The content of these pages was created with the greatest possible care. However, we cannot guarantee that the content is correct, complete and up to date. As a service provider, we are responsible for our own content on these pages in accordance with general laws in accordance with Section 7 (1) TMG. As a service provider, however, we are not obliged to monitor third-party information that is transmitted or stored, or to research circumstances that indicate illegal activity. This transmitted third-party information includes in particular the requests made by users according to the Freedom of Information Act as well as the answers of the respective institutions. The obligation to remove or block the use of information according to general laws remains unaffected. However, liability in this regard is only possible from the time we become aware of a specific legal violation. As soon as we become aware of such violations, we will remove the content immediately.

Liability for links

Our offer contains links to external third party websites, the content of which we have no influence on. Therefore, we cannot accept any liability for this external content. The respective provider or operator is always responsible for the content of the linked pages. The linked pages were checked for possible legal violations at the time the link was created. No illegal content was discernible at the time the link was created. A permanent control of the content of the linked pages is not reasonable without concrete evidence of an infringement. As soon as we become aware of legal violations, we will remove such links immediately.

Public PGP key of the contact email above

We feel obliged to protect the informants!


Data privacy statement


With the following data protection declaration we would like to inform you which types of your personal data (hereinafter also referred to as "data") we process, for what purposes and to what extent. The data protection declaration applies to all processing of personal data we have carried out, both within the scope of the provision of our services as well as in particular on our websites, in mobile applications and within external online presences (hereinafter collectively referred to as "online offer")

Responsible person

Marcel Langner
Kuckucksweg 1A
15741 Bestensee
Tel: 033763-149978
Fax: 033763-149992

Relevant legal bases

In the following we share the legal basis of the General Data Protection Regulation (GDPR), on the basis of which we process the personal data. Please note that in addition to the provisions of the GDPR, the national data protection regulations in your or our country of residence and domicile may apply.

  • Legitimate interests (Art. 6 Para. 1 S. 1 lit. GDPR) - The processing is necessary to safeguard the legitimate interests of the person responsible or a third party, unless the interests or fundamental rights and freedoms of the data subject, which require the protection of personal data, prevail.

National data protection regulations in Germany: In addition to the data protection regulations of the General Data Protection Regulation, national regulations on data protection in Germany apply. This includes in particular the law on protection against misuse of personal data in data processing (Federal Data Protection Act - BDSG). The BDSG contains in particular special regulations on the right to information, the right to deletion, the right to object, the processing of special categories of personal data, the processing for other purposes and the transmission as well as automated decision-making in individual cases including profiling. Furthermore, it regulates data processing for the purposes of the employment relationship (Section 26 BDSG), in particular with regard to the establishment, implementation or termination of employment relationships and the consent of employees. State data protection laws of the individual federal states can also be applied.

Safety measures

We take appropriate technical and organizational measures in accordance with the legal requirements, taking into account the state of the art, the implementation costs and the type, scope, circumstances and purposes of processing, as well as the different probability of occurrence and the extent of the threat to the rights and freedoms of natural persons to ensure a level of protection appropriate to the risk.

The measures include, in particular, ensuring the confidentiality, integrity and availability of data by controlling the physical and electronic access to the data as well as the access, input, transfer, safeguarding of availability and their separation. Furthermore, we have set up procedures that guarantee the exercise of data subject rights, the deletion of data and reactions to the risk to the data. Furthermore, we take the protection of personal data into account when developing or selecting hardware, software and processes according to the principle of data protection, through technology design and through data protection-friendly default settings.

Shortening the IP address: When the IP address is saved, it is stored in shortened form. In this method, also referred to as "IP masking", the last octet, which is the last number of an IP address, is deleted (in this context the IP address is an ID individually assigned to an Internet connection by the online access provider). By shortening the IP address, the identification of a person based on their IP address is to be prevented or made significantly more difficult.

SSL encryption (https): In order to protect your data transmitted via our online offer, we use SSL encryption. You can recognize such encrypted connections by the prefix https:// in the address line of your browser.

Provision of the online offer and web hosting

In order to be able to provide our online offer securely and efficiently, we use the services of a web hosting provider, from whose servers (or servers managed by them) the online offer can be accessed. For these purposes, we can use infrastructure and platform services, computing capacity, storage space and database services as well as security and technical maintenance services.

The data processed as part of the provision of the hosting offer can include all information relating to the users of our online offer, which is incurred in the context of use and communication. This regularly includes the (abbreviated) IP address, which is necessary in order to be able to deliver the content of online offers to browsers, and all entries made within our online offer or websites.

Email sending and hosting: The web hosting services we use also include the sending, receiving and storage of emails. For these purposes, the addresses of the recipients and senders as well as other information regarding the sending of e-mail (e.g. the providers involved) and the content of the respective e-mails are processed. The aforementioned data can also be processed for the purpose of detecting SPAM. We ask you to note that emails are generally not sent encrypted on the Internet. As a rule, e-mails are encrypted during transport, but (unless an end-to-end encryption process is used) not on the servers from which they are sent and received. We can therefore not take any responsibility for the transmission path of the emails between the sender and the receipt on our server. For end-to-end encryption you can find a PGP key in the imprint.

Collection of access data and log files: We ourselves (or our web hosting provider) collect data on every access to the server (so-called server log files). The server log files can include the address and name of the websites and files accessed, the date and time of access, the amount of data transferred, notification of successful access, browser type and version, the user's operating system, referrer URL (the previously visited page) and, as a rule, (shortened) IP addresses and the requesting provider.

The server log files can be used on the one hand for security purposes, e.g. to avoid overloading the server (in particular in the event of abusive attacks, so-called DDoS attacks) and on the other hand to ensure the server's load and stability.

Right to lodge a complaint with the competent supervisory authority

As the person concerned, you have the right to lodge a complaint with the responsible supervisory authority in the event of a breach of data protection law. The responsible supervisory authority for data protection issues is the state data protection officer of the federal state in which our seat is located. The following link provides a list of data protection officers and their contact details.

Right to data portability

You have the right to have data that we process automatically based on your consent or in fulfillment of a contract handed over to yourself or to third parties. It is provided in a machine-readable format. If you request the direct transfer of the data to another person responsible, this will only take place if it is technically feasible.

Right to information, correction, blocking, deletion

You have the right to free information about your stored personal data, origin of the data, its recipient and the purpose of the data processing and, if necessary, the right to correction, blocking or deletion of this data at any time within the scope of the applicable legal provisions. You can contact us at any time using the contact options listed in the imprint if you have any questions about this or personal data.

The following table explains the possible entries in the Deauth? and rules? columns.
The question we ask the universities actually calls for a yes or no answer. If the university does not interfere with other WLANs, it will of course answer no. In this case, it has no reason to say otherwise. If a university refuses to give a statement with reference to security aspects, it becomes clear on the one hand that the sending of such packets is regarded as a "security function" (which it is not, see above) and on the other hand it can also be assumed that this function is also used because the university wants to take all security precautions. This is particularly true when arguing with Section 109 TKG. So it reveals itself by refusing to answer. We took the list of universities and the number of students from Wikipedia and the Hochschulkompass.

Deauth? column:
no: There are no deauthentication transmissions by the university to others.
not anymore: In the past, the university sent deauthentication messages to others, but currently no longer.
twin: There are deauthentication broadcasts on WLANs by the university that have the same SSIDs as the university broadcasts.
yes: The university sends out deauthentication transmissions to all other WLANs (this includes measures of last resort).
yes*: The university refused to provide this information. Deauthentication transmissions to other WLANs are probably taking place by the university.
nrta (not required to answer): The university has no legal obligation to make a statement and relies on it.
cd: communication denied by the university.
?: unclear, e.g. university does not exist anymore.
empty: state unknown

rules? column:
no: There are no additional rules for handling WLANs in the university.
soft: There are additional rules for dealing with WLANs in the university, but these are limited to a notification requirement or recommendations from the university.
medium: There are additional rules for handling WLANs in the university, with slight restrictions e.g. when choosing a channel.
strict: There are additional rules for the use of WLANs in the university that require a permit.
strict*: The university refused to provide this information. There are probably additional rules for the use of WLANs in the university that require a permit.
nrta (not required to answer): The university has no legal obligation to make a statement and relies on it.
cd: communication denied by the university.
?: unclear, e.g. university does not exist anymore.
empty: state unknown

progress bar:
green = Number of universities listed with no for Deauth in the table.
red = Number of universities listed as yes, yes* or twin for Deauth in the table and thus violating the rules of the BNetzA.
orange = Number of universities that have been requested but have not yet answered.
black = Number of universities that claim that there is no legal obligation to provide information. Usually because the IFG was not implemented in state law.

database as .csv