New AirSnitch attack bypasses Wi-Fi encryption in homes, offices, and enterprises


“In a normal Layer-2 switch, the switch learns the MAC of the client by seeing it respond with its source address,” Moore explained. “This attack confuses the AP into thinking that the client reconnected elsewhere, allowing an attacker to redirect Layer-2 traffic. Unlike Ethernet switches, wireless APs can’t tie a physical port on the device to a single client; clients are mobile by design.”

The back-and-forth flipping of the MAC from the attacker to the target, and vice versa, can continue for as long as the attacker wants. With that, the bidirectional MitM has been achieved. Attackers can then carry out a number of different attacks, either ones associated with AirSnitch or ones such as the cache poisoning mentioned earlier. Depending on the router the target is using, the attack can be carried out even when the attacker and target are connected to separate SSIDs served by the same AP. In some cases, Zhou said, the attacker can even be connected from the Internet.

“Even when the guest SSID has a different name and password, it may still share parts of the same internal network infrastructure as your main Wi-Fi,” the researcher explained. “In some setups, that shared infrastructure can allow unexpected connectivity between guest devices and trusted devices.”

No, enterprise defenses will not defend you

Variations of the attack defeat the client isolation promised by makers of enterprise routers, which generally use credentials and a master encryption key that are unique to each client. One such attack works across multiple APs when they share a wired distribution system, as is common in enterprise and campus networks.

In their paper, AirSnitch: Demystifying and Breaking Client Isolation in Wi-Fi Networks, the researchers wrote:

Although port stealing was initially devised for hosts on the same switch, we show that attackers can hijack MAC-to-port mappings at a higher layer, i.e., at the level of the distribution switch, to intercept traffic to victims connected to different APs. This escalates the attack beyond its traditional limits, breaking the assumption that separate APs provide effective isolation.

This discovery exposes a blind spot in client isolation: even physically separated APs, broadcasting different SSIDs, provide ineffective isolation if connected to a common distribution system. By redirecting traffic at the distribution switch, attackers can intercept and manipulate victim traffic across AP boundaries, expanding the threat model for modern Wi-Fi networks.

The researchers demonstrated that their attacks can also break RADIUS, a centralized authentication protocol used to strengthen security in enterprise networks. “By spoofing a gateway MAC and connecting to an AP,” the researchers wrote, “an attacker can steal uplink RADIUS packets.” The attacker can go on to crack a message authenticator that is used for integrity protection and, from there, learn a shared passphrase. “This allows the attacker to set up a rogue RADIUS server and associated rogue WPA2/3 access point, which allows any legitimate client to connect, thereby intercepting their traffic and credentials.”
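Both of the mechanisms described above leave a trace in the distribution switch's MAC-learning table: port stealing shows up as one MAC being re-learned on alternating ports in quick succession, and gateway-MAC spoofing shows up as the wired gateway's MAC being learned on an AP-facing port. The following defender-side check over constructed log lines is an added example, not code from the article or from the AirSnitch paper; the log layout, the gateway MAC and the AP-facing port names are assumptions.

```python
# Added example (not from the article or the AirSnitch paper): flag MAC-to-port
# flapping and a gateway MAC learned behind an AP port, from switch MAC-learning
# events. Real syslog formats vary by vendor; a simplified "<time> <mac> <port>"
# layout is assumed here.
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class MacLearnEvent:
    t: float    # seconds since start of the capture
    mac: str
    port: str


# Constructed sample: 00:11:22:33:44:55 is re-learned on two ports every 0.5 s
# (port-stealing pattern); the assumed gateway MAC shows up on an AP-facing port.
SAMPLE_LOG = """\
0.0 00:11:22:33:44:55 Gi1/0/1
0.5 00:11:22:33:44:55 Gi1/0/7
1.0 00:11:22:33:44:55 Gi1/0/1
1.5 00:11:22:33:44:55 Gi1/0/7
2.0 aa:bb:cc:dd:ee:01 Gi1/0/3
3.0 00:00:5e:00:01:01 Gi1/0/9
"""

GATEWAY_MAC = "00:00:5e:00:01:01"          # assumption: the wired gateway's MAC
AP_FACING_PORTS = {"Gi1/0/7", "Gi1/0/9"}  # assumption: ports that uplink APs


def parse_log(text):
    events = []
    for line in text.splitlines():
        if line.strip():
            t, mac, port = line.split()
            events.append(MacLearnEvent(float(t), mac.lower(), port))
    return events


def find_flapping_macs(events, window=5.0, min_moves=3):
    """MACs whose learned port changed at least min_moves times within any window seconds."""
    by_mac = defaultdict(list)
    for e in sorted(events, key=lambda e: e.t):
        by_mac[e.mac].append(e)
    flapping = set()
    for mac, evs in by_mac.items():
        moves = [evs[i].t for i in range(1, len(evs)) if evs[i].port != evs[i - 1].port]
        for i in range(len(moves)):
            j = i
            while j < len(moves) and moves[j] - moves[i] <= window:
                j += 1
            if j - i >= min_moves:
                flapping.add(mac)
                break
    return flapping


def find_gateway_on_ap_port(events, gateway_mac=GATEWAY_MAC, ap_ports=AP_FACING_PORTS):
    """AP-facing ports on which the gateway MAC was learned, i.e. a wireless client claiming it."""
    return {e.port for e in events if e.mac == gateway_mac and e.port in ap_ports}
```

Tune the window and move count to the roaming rate that is normal on the network, since a genuinely mobile client also re-learns across AP ports, only far less rapidly.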
