Researchers discover massive Wi-Fi vulnerability affecting multiple access points — AirSnitch lets attackers on the same network intercept data and launch machine-in-the-middle attacks
There's a silent vulnerability lurking underneath the architecture of Wi-Fi networks.
A team of researchers from the University of California, Riverside has revealed a series of weaknesses in existing Wi-Fi security that let them intercept data on a network they have already joined, even when client isolation is enabled.
The group calls the vulnerability AirSnitch and, according to their paper [PDF], it exploits inherent weaknesses in the networking stack. Because Wi-Fi does not cryptographically bind a client's MAC address, its Wi-Fi encryption keys, and its IP address together across Layers 1, 2, and 3 of the stack, an attacker can assume the identity of another device and trick the network into diverting that device's downlink and uplink traffic through the attacker.
Xin’an Zhou, the lead author on the research, said in an interview, according to Ars Technica, that AirSnitch “breaks worldwide Wi-Fi encryption, and it might have the potential to enable advanced cyberattacks.” He also added, “Advanced attacks can build on our primitives to [perform] cookie stealing, DNS and cache poisoning. Our research physically wiretaps the wire altogether so these sophisticated attacks will work. It’s really a threat to worldwide network security.”
Strictly speaking, AirSnitch does not break Wi-Fi encryption at all; what it undermines is the general assumption that clients on an encrypted network cannot attack one another because they are cryptographically isolated.
AirSnitch bypasses client isolation in four primary ways. The first abuses shared keys: since most networks use a single password or a Group Temporal Key (GTK) shared by every client, an attacker can craft packets aimed at a specific target and wrap them inside a GTK-protected broadcast frame so they look like legitimate traffic meant for everyone. The target accepts the traffic as a broadcast packet, giving the attacker an initial foothold for more complex attacks.
Another attack vector is Gateway Bouncing, in which the attacker sends a frame to the access point whose Layer 2 destination is the gateway's MAC address but whose Layer 3 IP header is addressed to the victim. When the gateway receives it, it routes on the IP header and ignores that the Layer 2 destination was itself, forwarding the packet on to the victim; one client thereby reaches another without ever addressing it directly. The remaining two vectors are MAC spoofing: the attacker can spoof the victim's MAC so that the gateway forwards all of the victim's downlink traffic to the attacker, or spoof the MAC of a backend device such as the gateway in order to receive the target's uplink traffic.
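The common thread in all four primitives is that the access point and the client each trust one layer's addressing without checking it against the other. The toy policy below is an added illustration of the cross-layer consistency checks a defender would want, not code from the AirSnitch paper or from any router firmware; the gateway MAC, the client subnet, the MAC/IP bindings and the sample frames are all constructed for the example. It models two vantage points: the AP/gateway deciding whether to forward an uplink frame from a station (gateway bouncing and MAC spoofing), and a station deciding whether to honour a GTK-protected frame it received (the unicast-wrapped-in-broadcast trick).

```python
"""Toy cross-layer consistency checks for the client-isolation gaps described
above. Added illustration only: not from the AirSnitch paper or any vendor
firmware. All addresses, bindings and frames are constructed for the example."""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network

BROADCAST_MAC = "ff:ff:ff:ff:ff:ff"
LIMITED_BROADCAST = IPv4Address("255.255.255.255")
UNSPECIFIED = IPv4Address("0.0.0.0")  # source IP used by a client during DHCP


@dataclass(frozen=True)
class Frame:
    src_mac: str
    dst_mac: str
    src_ip: IPv4Address
    dst_ip: IPv4Address
    group_keyed: bool = False  # protected with the shared GTK, not a pairwise key


class IsolationPolicy:
    """Client isolation enforced at Layer 2 AND Layer 3, backed by MAC/IP bindings
    the AP is assumed to learn at association / DHCP lease time."""

    def __init__(self, gateway_mac: str, gateway_ip: str, client_net: str):
        self.gateway_mac = gateway_mac.lower()
        self.gateway_ip = IPv4Address(gateway_ip)
        self.client_net = IPv4Network(client_net)
        self.bindings: dict[str, IPv4Address] = {}  # station MAC -> leased IP

    def learn(self, mac: str, ip: str) -> None:
        self.bindings[mac.lower()] = IPv4Address(ip)

    def uplink_findings(self, f: Frame) -> list[str]:
        """Checks the AP/gateway runs on a frame received from a wireless station.
        An empty list means the frame is consistent and may be forwarded."""
        findings = []
        src_mac, dst_mac = f.src_mac.lower(), f.dst_mac.lower()
        # A station must never transmit using the gateway's own MAC address.
        if src_mac == self.gateway_mac:
            findings.append("gateway-mac-spoof")
        # The source MAC must carry the IP it was bound to (0.0.0.0 during DHCP is fine).
        bound = self.bindings.get(src_mac)
        if f.src_ip != UNSPECIFIED and bound is not None and bound != f.src_ip:
            findings.append("mac-ip-binding-mismatch")
        # Layer 2 says "to the gateway" but Layer 3 says "to another client on this
        # subnet": forwarding it would hairpin client-to-client traffic through us.
        if (dst_mac == self.gateway_mac and f.dst_ip in self.client_net
                and f.dst_ip != self.gateway_ip
                and f.dst_ip != self.client_net.broadcast_address):
            findings.append("gateway-bounce")
        return findings

    def should_forward(self, f: Frame) -> bool:
        return not self.uplink_findings(f)


def station_accepts_group_frame(f: Frame, client_net: str) -> bool:
    """Station-side check: a GTK-protected frame is only honoured if its Layer 3
    destination really is a broadcast or multicast address. A group-keyed frame
    carrying a unicast IP destination is treated as suspicious and dropped."""
    if not f.group_keyed:
        return True  # pairwise-keyed unicast frames are outside this check
    net = IPv4Network(client_net)
    return (f.dst_ip.is_multicast
            or f.dst_ip == LIMITED_BROADCAST
            or f.dst_ip == net.broadcast_address)


def demo() -> dict:
    """Constructed sample traffic on a hypothetical 192.168.1.0/24 guest network."""
    p = IsolationPolicy("aa:bb:cc:00:00:01", "192.168.1.1", "192.168.1.0/24")
    p.learn("02:00:00:00:00:10", "192.168.1.10")  # station A
    p.learn("02:00:00:00:00:20", "192.168.1.20")  # station B
    gw, a, b = p.gateway_mac, "02:00:00:00:00:10", "02:00:00:00:00:20"
    ip = IPv4Address
    normal = Frame(a, gw, ip("192.168.1.10"), ip("203.0.113.5"))          # A -> internet
    bounce = Frame(a, gw, ip("192.168.1.10"), ip("192.168.1.20"))         # A -> B via gateway MAC
    gw_spoof = Frame(gw, b, ip("192.168.1.1"), ip("192.168.1.20"))        # station claims gateway MAC
    ip_spoof = Frame(a, gw, ip("192.168.1.20"), ip("203.0.113.5"))        # A uses B's IP
    wrapped = Frame(a, BROADCAST_MAC, ip("192.168.1.10"), ip("192.168.1.20"), group_keyed=True)
    real_bcast = Frame(a, BROADCAST_MAC, ip("192.168.1.10"), ip("192.168.1.255"), group_keyed=True)
    return {
        "normal": p.uplink_findings(normal),
        "bounce": p.uplink_findings(bounce),
        "gw_spoof": p.uplink_findings(gw_spoof),
        "ip_spoof": p.uplink_findings(ip_spoof),
        "wrapped_accepted": station_accepts_group_frame(wrapped, "192.168.1.0/24"),
        "bcast_accepted": station_accepts_group_frame(real_bcast, "192.168.1.0/24"),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:17s} -> {result}")
```

The checks are deliberately simple heuristics: the gateway-bounce rule is just "Layer 3 isolation" (never route one client's packet back to another client on the same subnet), and the binding checks only work if the AP actually records which IP each associated MAC leased. Real deployments also have to allow for legitimate unicast-IP-in-broadcast cases before turning a finding into a hard drop.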
The researchers found these vulnerabilities in five popular home routers — Netgear Nighthawk x6 R8000, Tenda RX2 Pro, D-LINK DIR-3040, TP-Link Archer AXE75, and Asus RT-AX57 — in two open-source firmwares — DD-WRT v3.0-r44715 and OpenWrt 24.10 — and across two university enterprise networks. That spread shows the issue is not limited to how individual manufacturers build and program their routers; it is a problem with Wi-Fi's own architecture, which is exposed to attackers who know how to take advantage of its flaws.
While this may sound bad, the researchers pointed out that this type of attack is rather involved, especially given how complex modern wireless networks have become. Still, that does not mean manufacturers and standardization groups should ignore the problem. The group hopes the disclosure will push the industry to come together on a rigorous set of requirements for client isolation and close off this flaw in the future.
Jowi Morales is a tech enthusiast with years of experience working in the industry. He’s been writing with several tech publications since 2021, where he’s been interested in tech hardware and consumer electronics.
Comments

TechieTwo:
Is this a surprise to anyone with a clue? Wi-Fi is so insecure that it's laughable. :(

EzzyB (replying to TechieTwo):
TechieTwo said: Is this a surprise to anyone with a clue? Wi-Fi is so insecure that it's laughable. :(
Not as bad as it used to be. With previous encryptions you could break into a Wi-Fi network in anywhere from 10 seconds to 10 hours.

80251:
I can only imagine how secure my amplifier-receiver's Wi-Fi link is, which reminds me, I'd better remember to disable it.

DS426 (replying to Sam Hobbs):
Sam Hobbs said: Is this a new vulnerability or a new exploitation of an old vulnerability?
Not a specific CVE vulnerability but more of a conceptual framework of exploit attack paths due to fundamental design and implementation flaws of client isolation through sequential network layers, e.g. client isolation forced at Layer 2 ("Data Link" layer in OSI model) but not at Layer 3 ("Network" layer) can allow for MitM positioning.

bill001g (replying to DS426):
DS426 said: Not a specific CVE vulnerability but more of a conceptual framework of exploit attack paths due to fundamental design and implementation flaws of client isolation through sequential network layers, e.g. client isolation forced at Layer 2 ("Data Link" layer in OSI model) but not at Layer 3 ("Network" layer) can allow for MitM positioning.
Exactly. If you read this, they have massive amounts of stuff talking about Wi-Fi security. Only when you are far into the document do you see what they are really talking about.
They "assume" you somehow have obtained access to the network to begin with. They are not talking about attacking some random network. It would be more that they could attack other clients that were connected to the same Starbucks network. Even then there are multiple layers of protection between Wi-Fi clients.
A lot of what they talk about is no different than if someone were to come into your house and plug into your switch. There are all kinds of DNS/DHCP/ARP poisoning attacks that can be run.
For corporate users there are many levels of protection in commercial equipment. For home users it is a non-issue because nobody is going to attack them in the first place.
This paper is almost like the guys that write about all the abilities to crack things and then assume you have physical access to the PC or you have some quantum computer in your back pocket.