By Bryan Vest

When a Aromatherapy Diffuser Decides To Be The Network

When a Aromatherapy Diffuser Decides To Be The Network

Earlier this week, I was working a support case for a rural fiber customer. They live far out in the country—clean spectrum, no neighboring SSIDs, 1G fiber connection running through a Gigaspire router. Normally a stable setup. But suddenly their Wi-Fi fell apart. Devices dropped off. Speeds tanked. Phones and TVs struggled to stay online.

I pulled up the spectrum analytics and right there—loud and clear—was a rogue SSID broadcasting as AROMA-013-240709. It was consuming 85% of the 2.4GHz airtime. Not bandwidth. Airtime. That means the medium itself was congested. Devices couldn’t talk. Even though the router stayed up and signal levels looked fine, the channel was gridlocked.

The device responsible had a MAC that fingerprinted to an ESP32 chip. Likely some cheap IoT device. At that point, I didn’t know what it was, just that it was hammering the air. I called the customer and explained something on their network was blasting the spectrum. They asked me to disable SSID broadcast and reset the Wi-Fi password.

The Smoking Gun

I told the customer I would figure out what is going on and reach out to them in about an hour. After lunch, I rechecked the spectrum. Airtime usage had fallen back to a normal 22%. The network was calm. That told me everything I needed to know—the problem device hadn’t reconnected after the password reset. It was boxed out.

I called the customer back. The wife answered. I explained that something on their network had gone haywire and asked if they had an internet-connected aromatherapy diffuser. She said yes, explaining that she could control it from her phone. That was the moment it all clicked.

This device had lost its connection and decided to flip into pairing mode, broadcasting its own SSID—fully open, 40MHz wide, and right on channel 1, which is exactly where their Gigaspire router operates by design.

Why This Is Bad Design

  • 2.4GHz only has three non-overlapping channels: 1, 6, and 11
  • A 40MHz AP on channel 1 bleeds into channels 2–5
  • The diffuser was essentially stepping sideways into traffic, blocking 5 of 11 channels
  • On a clean spectrum, this obliterates throughput

And let’s be clear: 85% airtime usage is the same as 100% in real terms. Once you hit that threshold, everything else is queuing up, backing off, retrying. From the end user’s view? Nothing works.

Why 2.4GHz Still Matters

Even with 5GHz and 6GHz widely available, 2.4GHz is still critical:

  • It has longer range and better wall penetration
  • Many IoT devices only support 2.4GHz
  • It’s often used for onboarding and failover
  • Devices like phones and smart hubs still fall back to it in edge cases

That means 2.4GHz remains fragile, and it’s under constant attack from low-cost, poorly-behaved devices flooding the market.

The Real Problem

  • ESP32-based devices are everywhere. They’re cheap, programmable, and easy to mass produce
  • Vendors prioritize low BOM cost and fast pairing over responsible RF behavior
  • Firmware often defaults to open AP mode when a device loses Wi-Fi
  • Users have no idea these devices are misbehaving

This diffuser joined the network, blew through DHCP, failed, and responded by opening its own AP, likely to reach a phone app. But in doing so, it jammed the entire spectrum.

Who Supports This?

Here’s the kicker: we do. As ISPs, we spend as much time supporting third-party garbage like this as we do maintaining our own infrastructure. It’s not our hardware, not our firmware, not our failure—but it’s still our support queue.

And who else is going to track down a rogue ESP32 aromatherapy diffuser at 1 a.m. causing spectral collapse? No one. That’s not in the user manual. That’s not in the Alexa app. That’s not what the Best Buy Geek Squad is trained to handle.

But we are.

Takeaways

  • IoT vendors: Stop shipping devices that broadcast open APs when they fail
  • ISPs: Start treating spectrum as a shared battlefield, not just a signal graph
  • Consumers: Understand that not all "smart" means smart for your network

This wasn’t an attack. It wasn’t malware. It was just bad firmware doing exactly what it was told.

And it nearly took down a household.

In a different setting, it could’ve taken down dozens.

The air is the wire now. And we better start defending it like one.

--Be One Step Ahead
-Bryan

Previous

Recovering the Metrics Stack After Quick Shutdown