New AirSnitch attack breaks Wi-Fi encryption in homes, offices, and enterprises

Xyler

Ars Scholae Palatinae
1,357
Wait, I am having a very hard time understanding the severity of this potential attack.

Does it require physical access to anything? If so, it's kind of odd to think of as someone who works with network stuff. I can't wrap my head around how this isn't just easily thwarted by proper VLAN management.

No exposed data ports should have the same VLAN as any of the access points, and especially any of the SSIDs. I don't get how the man in the middle in this case would work. Seems like several things need to be wrongly configured to make this attack work well.

Does this potentially break WIFI encryption? Yeah. But it seems like the traditional "If the attacker can get this exploit done, then you've had bigger problems before" type of exploit.

I just need to know how easy it is to get this exploit done on a properly configured enterprise level network, with VLANs and other security measures set. Just because you splice into a cable physically doesn't mean Layers 2 to 7 suddenly become vulnerable...
 
Upvote
92 (93 / -1)

afidel

Ars Legatus Legionis
18,164
Subscriptor
Haha, I read the paper and the attack only works if you put the guest SSID on the same vlan as the enterprise SSID or the networking equipment. Nobody doing an enterprise network is going to be doing that. Heck, my home network has an isolated vlan for the guest SSID because nobody has ever thought that guest isolation was impervious.
 
Upvote
127 (127 / 0)

equals42

Ars Scholae Palatinae
1,215
Subscriptor++
It appears that you can mitigate threats to internal networks by putting guest wifi onto its own VLAN with no access to the internal VLANs. Just set up the guest wifi as only allowed WAN access. Still sucks for public wifi and for guest wifi at large public spaces though.
This is directly quoted from page 13 of the white paper:
Improving Network Isolation. To improve isolation mechanisms on single APs, untrusted BSSIDs (e.g., guest networks) can be put in isolation groups, i.e., VLANs. VLANs logically separate network segments, meaning an attacker on one VLAN cannot send packets to or snoop on another VLAN. This prevents a client in the untrusted BSSID from launching the port stealing attack to redirect traffic destined to the victim in a trusted BSSID.
[edited to add source.]
 
Upvote
66 (66 / 0)

Xyler

Ars Scholae Palatinae
1,357
It appears that you can mitigate threats to internal networks by putting guest wifi onto its own VLAN with no access to the internal VLANs. Just set up the guest wifi as only allowed WAN access. Still sucks for public wifi and for guest wifi at large public spaces though.
I've configured a few public WIFI stuff. And in the back-end, especially in businesses and enterprise settings, you always segment the Guest/Public Wireless. Some even go as far as having a separate WAN link dedicated to guest to fully isolate Guest from Internal services.
 
Upvote
39 (39 / 0)

siliconaddict

Ars Legatus Legionis
13,007
Subscriptor++
by contrast, requires that the attacker already have some sort of access to the Wi-Fi network.

And this folks is why I told Comcast to shove their router with WIFI up their exhaust port. Outside the fact that I'm not here to build out their infrastructure for their VOIP business unless they pay me, I don't want to allow ANYONE I don't know to be on the same network as my stuff.
 
Upvote
100 (102 / -2)

siliconaddict

Ars Legatus Legionis
13,007
Subscriptor++
It seems to only work in the same VLAN, so an issue for domestic guest WiFi which tends to be in the same VLAN as production (same subnet) but not for a proper enterprise setup with a VLAN per SSID and the general assumption that everyone on the same VLAN is at the same trust level.

Good to know. I put all my IoT crap on its own isolated VLAN and have "production", e.g. my day-to-day devices, on its own VLAN.
 
Upvote
24 (24 / 0)

EricM2

Ars Centurion
354
Subscriptor
Wait, I am having a very hard time understanding the severity of this potential attack.

Does it require Physical access to anything? If so, it's kind of odd to think of a someone who works with network stuff. I can't wrap my head around how this isn't just easily thwarted by proper VLAN management.

No exposed data ports should have the same VLAN as any of the access points, and especially any of the SSIDs. I don't get how the man in the middle in this case would work. Seems like several things need to be wrongly configured to make this attack work well.

Does this potentially break WIFI encryption? Yeah. But it seems like the traditional "If the attacker can get this exploit done, then you've had bigger problems before" type of exploit.

I just need to know how easy it is to get this exploit done on a properly configured enterprise level network, with VLANs and other security measures set. Just because you splice into a cable physically doesn't mean Layers 2 to 7 suddenly become vulnerable...
Same confusion and basic questions here. I found the linked paper to be somewhat clearer, especially in stating that specifically WLAN device isolation is affected in the first place, not WIFI encryption as such.
So- if I got that correctly - the attack vector starts with a valid access to a "guest" or normal WLAN and from there you need to solely rely on WLAN's built-in device isolation to be vulnerable.
 
Upvote
35 (35 / 0)
And this folks is why I told Comcast to shove their router with WIFI up their exhaust port. Outside the fact that I'm not here to build out their infrastructure for their VOIP business unless they pay me, I don't want to allow ANYONE I don't know to be on the same network as my stuff.
Presuming ISPs were as foolish in configuration as they frequently are at the install points... that could take this from being a "problem" to being a really big deal.
 
Upvote
21 (21 / 0)

Billiam29

Ars Scholae Palatinae
817
It appears that you can mitigate threats to internal networks by putting guest wifi onto its own VLAN with no access to the internal VLANs. Just set up the guest wifi as only allowed WAN access. Still sucks for public wifi and for guest wifi at large public spaces though.
This is what I was thinking as well. I can kind of see how maybe you might be able to DoS a production client from a guest VLAN with this attack but that's about it. As soon as you tried to MITM, wouldn't layer 3 come into play and then you... the attacker... would be on the wrong segment?
 
Upvote
7 (7 / 0)

siliconaddict

Ars Legatus Legionis
13,007
Subscriptor++
Presuming ISPs were as foolish in configuration as they frequently are at the install points....that could make take this from being a "problem", to being a really big deal.
The X factor is I have no idea how Comcast configures the isolation on these devices. Is it a straight up VLAN or something else? Doesn't really matter to me. I have a zero trust relationship with these devices.
 
Upvote
32 (32 / 0)
The X factor is I have no idea how Comcast configures the isolation on these devices. Is it a straight up VLAN or something else? Doesn't really matter to me. I have a zero trust relationship with these devices.
It isn't just Comcast, Spectrum offers a similar thing IIRC. It seemed like a neat idea--but now a really dumb one.
 
Upvote
16 (16 / 0)

ERIFNOMI

Ars Legatus Legionis
17,191
It isn't just Comcast, Spectrum offers a similar thing IIRC. It seemed like a neat idea--but now a really dumb one.
It was always stupid. Random people hopping on your AP wastes your airtime and your already oversubscribed, congested DOCSIS link back to a shit ISP that couldn't give less of a fuck about you because they have an effective monopoly with essentially no regulation.
 
Upvote
56 (56 / 0)

Aurich

Director of Many Things
40,904
Ars Staff
I approve of the upper deck and sub heading for this story.

 
Upvote
39 (42 / -3)

Jeff S

Ars Legatus Legionis
10,922
Subscriptor++
Wait, I am having a very hard time understanding the severity of this potential attack.

Does it require Physical access to anything? If so, it's kind of odd to think of a someone who works with network stuff. I can't wrap my head around how this isn't just easily thwarted by proper VLAN management.

No exposed data ports should have the same VLAN as any of the access points, and especially any of the SSIDs. I don't get how the man in the middle in this case would work. Seems like several things need to be wrongly configured to make this attack work well.

Does this potentially break WIFI encryption? Yeah. But it seems like the traditional "If the attacker can get this exploit done, then you've had bigger problems before" type of exploit.

I just need to know how easy it is to get this exploit done on a properly configured enterprise level network, with VLANs and other security measures set. Just because you splice into a cable physically doesn't mean Layers 2 to 7 suddenly become vulnerable...
What is physical access to Wi-Fi? I mean, yes, you have to be in range of the wifi devices. But that might be having a nearby repeater device outside the premises.

Keeping in mind that this IS about Wi-Fi and not Ethernet, but perhaps your confusion is because of some things the article said about Ethernet. If I'm understanding correctly, the references to Ethernet are because Wi-Fi, at a low level, basically is Ethernet over radio, with a few tweaks like SSIDs, and then encryption layered on top of that.

But the very lowest level of the stack, that goes out over the radio waves, isn't encrypted and validated against known keys. So MAC address spoofing can happen, which it sounds like is the basis of this attack - that the malicious device spoofs another device, then forwards traffic as a machine-in-the-middle.

Any traffic that gets decrypted at the router, normally, like DNS, can thus be decrypted by the MITM using the MITM's provided keys, I think is what's being said here. Which is yet another argument to use encrypted DNS.

What we really need, I think, though, is a modern Wi-Fi replacement/updated version that uses strong key-based encryption/authentication at Level 1 of the network stack? Is that the right takeaway here?
 
Upvote
32 (33 / -1)

azazel1024

Ars Legatus Legionis
15,020
Subscriptor
It appears that you can mitigate threats to internal networks by putting guest wifi onto its own VLAN with no access to the internal VLANs. Just set up the guest wifi as only allowed WAN access. Still sucks for public wifi and for guest wifi at large public spaces though.
Thanks to you and Afidel. I had wondered about that. My guest network is already set up as WAN access only. I'll admit I don't have VLANs set up (but I can, my switch and AP support VLANs).
 
Upvote
5 (5 / 0)

ERIFNOMI

Ars Legatus Legionis
17,191
Thanks to you and Afidel. I had wondered about that. My guest network is already set up as WAN access only. I'll admit I don't have VLANs set up (but I can, my switch and AP support VLANs).
If guest devices are on the same subnet as everything else, it sounds like you'd be vulnerable to this. This sounds like spoofing at layers 1 and 2.

Just turning on VLANs doesn't do anything. You have to segment your network. VLANs are a tool that allow you to segment your network without duplicating every switch and AP on your network for each subnet.
 
Upvote
21 (21 / 0)

Aurich

Director of Many Things
40,904
Ars Staff
Aren't you supposed to hold vinyl records by the edges so you don't risk damaging the grooves?
I do not worry about touching my records, but even if I was precious with some of them I would not be with my novelty 45 I bought for a dollar in 1998 for the Reservoir Dogs connection. :biggreen:
 
Upvote
20 (22 / -2)

Martin Blank

Ars Tribunus Militum
2,591
Subscriptor++
What is physical access to Wi-Fi? I mean, yes, you have to be in range of the wifi devices. But that might be having a nearby repeater device outside the premises.
Repeaters add delay. Most attackers will use an antenna. A 9 dBi Yagi antenna is inexpensive and can get you several hundred meters of distance with a little practice.
What we really need, I think, though, is a modern Wi-Fi replacement/updated version that uses strong key-based encryption/authentication at Level 1 of the network stack? Is that the right takeaway here?
Wi-Fi has the same basic problem as SMTP: it has fundamental weaknesses that are extremely hard to fix without utterly shattering backward compatibility that too many things rely on. It's good enough for most things, and there are a pile of fixes to address the problem.

My first thought on this was increasing the security of the perceived reconnection. Require it to be encrypted by the last key used or signed by the last DH key negotiated. If it's not, don't let it connect and don't put it in the CAM table. Require a timeout from the last known good connection before letting it reconnect. However, this could affect devices that sleep for long periods and could set up a DoS attack by connecting with a known MAC address that one wants to block.
 
Upvote
20 (20 / 0)
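Martin Blank's suggestion above is an AP-side change (bind a reconnection to the previous session's keys before the bridging table is updated). Until APs do that, the symptom a defender can look for in the association logs they already have is the same one his check would act on: a MAC that shows up on a second BSSID or radio while its existing association is still live, or a station associating with the gateway's own MAC. The detector below is an added example written for this thread, not code from the paper or from any vendor; the log format, AP names, MAC addresses and the `ASSOC`/`DISASSOC` event names are constructed for the example and will need mapping onto whatever your controller actually emits.

```python
"""Added example: flag MAC moves and infrastructure MACs in association logs.

Not code from the AirSnitch paper or any AP/controller vendor. The log
format below is constructed for this example; real controllers will need
their own parser, but the state machine is the same.
"""
import re
from collections import namedtuple

Assoc = namedtuple("Assoc", "ap bssid band")

# One event per line:  <timestamp> <ap> ASSOC|DISASSOC mac=<mac> [bssid=<x> band=<y>]
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<ap>\S+) (?P<event>ASSOC|DISASSOC) mac=(?P<mac>[0-9a-fA-F:]{17})"
    r"(?: bssid=(?P<bssid>\S+))?(?: band=(?P<band>\S+))?$"
)

# Constructed sample log. Victim is bb:bb:bb:00:00:02 on the trusted BSSID;
# the gateway's MAC is aa:aa:aa:00:00:01 and should never associate as a client.
SAMPLE_LOG = """\
2024-01-01T10:00:00Z ap1 ASSOC mac=bb:bb:bb:00:00:02 bssid=corp-5g band=5g
2024-01-01T10:00:05Z ap1 ASSOC mac=dd:dd:dd:00:00:04 bssid=corp-2g band=2g
2024-01-01T10:01:00Z ap1 DISASSOC mac=dd:dd:dd:00:00:04
2024-01-01T10:01:02Z ap1 ASSOC mac=dd:dd:dd:00:00:04 bssid=guest-5g band=5g
2024-01-01T10:02:00Z ap1 ASSOC mac=bb:bb:bb:00:00:02 bssid=guest-2g band=2g
2024-01-01T10:02:30Z ap1 ASSOC mac=aa:aa:aa:00:00:01 bssid=guest-5g band=5g
"""

# Constructed: MACs of the gateway/uplink that must never appear as wireless clients.
INFRA_MACS = {"aa:aa:aa:00:00:01"}


def parse_line(line):
    """Return the event fields as a dict, or None for lines that don't match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def detect(lines, infra_macs):
    """Walk the log in order and return a list of (kind, mac, detail) alerts.

    Keeps one live association per MAC. A DISASSOC clears it; an ASSOC for a
    MAC that is still live on a different BSSID or band is a MAC move without
    a disassociation, which is what port stealing from another BSSID looks
    like from the controller's point of view. Any association by an
    infrastructure MAC is reported regardless of state.
    """
    active = {}   # mac -> Assoc
    alerts = []
    infra = {m.lower() for m in infra_macs}
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        mac = ev["mac"].lower()
        if ev["event"] == "DISASSOC":
            active.pop(mac, None)
            continue
        new = Assoc(ev["ap"], ev["bssid"], ev["band"])
        if mac in infra:
            alerts.append(("infra_mac_as_client", mac,
                           f"associated on {new.bssid}/{new.band}"))
        old = active.get(mac)
        if old is not None and old != new:
            alerts.append(("mac_move_without_disassoc", mac,
                           f"{old.bssid}/{old.band} -> {new.bssid}/{new.band}"))
        active[mac] = new
    return alerts


def run_demo():
    """Run the detector over the constructed log and return its alerts."""
    return detect(SAMPLE_LOG.splitlines(), INFRA_MACS)


if __name__ == "__main__":
    for kind, mac, detail in run_demo():
        print(f"{kind:28} {mac}  {detail}")
```

On the constructed log this raises two alerts: the victim's MAC appearing on `guest-2g` while still associated on `corp-5g`, and the gateway MAC associating as a client. Two caveats a practitioner should keep in mind: a legitimate roam between bands or APs without a clean disassociation produces the same `mac_move_without_disassoc` record, so treat it as a hunting signal rather than a blocking rule; and an attacker who reuses the victim's MAC on the *same* BSSID is indistinguishable here from an ordinary reconnect, which is precisely the gap that binding the reconnection to the previous session's keys, as proposed above, would close.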

McTurkey

Ars Tribunus Militum
2,209
Subscriptor
I have a question that I lack the wisdom to know if it's silly or not.

Is there a potential intersection between the hardware capabilities of the cellular-capable satellite mega constellations and WiFi attacks? My understanding is that these satellites use what is essentially a software defined radio, which means they could transmit and receive on pretty much any frequency, with sufficient capability to connect to something as low-power as a cell phone (albeit with very low bandwidth). Given this, does the potential exist for interception of and attacks on WiFi traffic, assuming ground density is low enough?
 
Upvote
6 (6 / 0)

TheShark

Ars Praefectus
3,101
Subscriptor
And this folks is why I told Comcast to shove their router with WIFI up their exhaust port. Outside the fact that I'm not here to build out their infrastructure for their VOIP business unless they pay me, I don't want to allow ANYONE I don't know to be on the same network as my stuff.
I never used the 'xfinitywifi' or whatever it's called that comes with their router. I always used my own cable modem and router. But surely it doesn't dump the random Xfinity customers onto the same LAN as your own stuff. I mean if it did, that gives you the opportunity to do all sorts of hilarious stuff to the unwanted visitors on your network.
 
Upvote
1 (3 / -2)

hdmoore

Seniorius Lurkius
7
Hi folks! Great comments and questions on whether VLAN isolation helps here.

Edit: Original comment indicated that VLANs didn't help, I had misread the cross-BSSID attack details.

The paper is clear that the inject/MITM is cross-BSSID but not cross-VLAN (assuming the device isolates correctly).

Thanks for the feedback!
 
Upvote
30 (32 / -2)

ERIFNOMI

Ars Legatus Legionis
17,191
I never used the 'xfinitywifi' or whatever it's called that comes with their router. I always used my own cable modem and router. But surely it doesn't dump the random Xfinity customers onto the same LAN as your own stuff. I mean if it did, that gives you the opportunity to do all sorts of hilarious stuff to the unwanted visitors on your network.
I would not at all be surprised if it just does client isolation, which as this exploit demonstrates is not all that isolated.
 
Upvote
21 (21 / 0)

ERIFNOMI

Ars Legatus Legionis
17,191
Hi folks! Great comments and questions on whether VLAN isolation helps here. The short answer is that VLANs are not a practical barrier -- if your APs advertise more than one SSID (ex: Guest and Work networks), it's implied that those are on different VLANs, and that the WAP itself is enforcing the VLAN segmentation.

The AirSnitch attacks are effectively "physical" layer - an attacker can use shared group keys and the broadcast injection to target a client in any VLAN. The alternative is to limit each WAP to a single VLAN at the switch level, but then you can't use the same physical WAP for multiple SSIDs, and it's impractical to deploy multiple WAPs in the same physical space when multi-SSID/VLAN modes are built into the product.

There may be specific devices where AirSnitch can't cross VLANs, but those are likely in the minority here.
I haven't read the paper (I will if I find some time later today), but this made me go re-read the description of the attack here.

If there wasn't too much lost in the game of telephone, it looks like the attack is MAC spoofing to get the traffic from another client and... that's it? And you're suggesting these APs are happy to send traffic tagged for VLAN100 to a client connected via a BSSID tagged VLAN200?
 
Upvote
13 (13 / 0)

sryan2k1

Ars Legatus Legionis
46,410
Subscriptor++
Client isolation has always been security theater. Treat any network as untrusted, and don't click through certificate warnings (in fact at work we disable users' ability to bypass cert warnings). This seems like a nothingburger. Your data can always be intercepted at any point along the path.
 
Upvote
-6 (5 / -11)

TheShark

Ars Praefectus
3,101
Subscriptor
So I didn't read the whole paper, but I did skim it. Mainly because I wanted to see how they were getting the upstream traffic. I think the short version is, all the games you can play with wired Ethernet switches in terms of ARP and MAC spoofing can be done on WiFi. Downstream, you can connect to the WiFi with someone else's MAC and start getting their traffic. Just like on a wired Ethernet you can spoof someone else's MAC and get the CAM table to point to your port instead of theirs. And to get upstream traffic you can connect to the WiFi with the router's MAC and start getting all the upstream traffic. Which you can also do on a wired Ethernet. On the wired side, these aren't new attacks and there are mitigations for them. But those mitigations aren't always configured by default, and I'm not surprised that they aren't always present on WiFi-based Ethernets.

That said, WiFi may make some of these easier because in most cases an attacker has access to essentially multiple switches at once. For upstream traffic especially, it's one thing to steal the gateway MAC but then you are left with the problem of getting the traffic to the actual gateway after it's been viewed/edited so that clients perceive a working end-to-end connection. It looks like based on the paper that an attacker could connect to both 2.4GHz and 5GHz radios, spoof the gateway on one frequency and get all the upstream traffic from clients on that frequency and then resend those packets on the other frequency to the actual gateway without breaking the spoof on the first frequency.

Anyway, interesting paper. SSL and HTTPS are your friends. And don't trust WiFi any more than your ISP. Which is to say not at all.
 
Upvote
28 (28 / 0)
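The paper passage equals42 quoted earlier and TheShark's comparison to CAM-table attacks both come down to one thing: a multi-SSID AP is a learning bridge, and a learning bridge believes whichever port last transmitted a given source MAC. The simulation below is an added example for this thread, not code from the AirSnitch paper or from any AP firmware. It models only the bridging table (no 802.11 framing, keys or encryption) and shows the two table moves TheShark describes, stealing the victim's MAC for downstream traffic and the gateway's MAC for upstream traffic, once with a single shared table and once with the table keyed per VLAN the way the paper's VLAN recommendation implies. All MAC addresses, port names and VLAN ids are constructed.

```python
"""Added simulation (not from the AirSnitch paper or any AP firmware):
a learning bridge spanning two BSSIDs and a wired uplink, to show why
MAC/port stealing works across BSSIDs on one AP but not across VLANs.
Only the bridging table is modelled. All addresses and names are made up.
"""
from dataclasses import dataclass, field

# Constructed addresses and bridge ports.
GATEWAY_MAC = "aa:aa:aa:00:00:01"
VICTIM_MAC = "bb:bb:bb:00:00:02"
ATTACKER_MAC = "cc:cc:cc:00:00:03"
UPLINK = "uplink"
TRUSTED = "bssid-trusted"
GUEST = "bssid-guest"


@dataclass
class Frame:
    src: str
    dst: str


@dataclass
class LearningBridge:
    """One AP bridging several BSSIDs plus its wired uplink.

    vlan_of maps each port to a VLAN id. With isolate=False every port
    shares one table keyed by MAC, so a frame seen on any BSSID re-points
    that MAC at the sender's port. With isolate=True the key is (vlan, MAC)
    and a lookup only consults the sender's own VLAN, so nothing learned
    on the guest VLAN can touch the trusted VLAN's entries.
    """
    vlan_of: dict
    isolate: bool = False
    table: dict = field(default_factory=dict)

    def _key(self, port, mac):
        return (self.vlan_of[port], mac) if self.isolate else mac

    def learn(self, in_port, src):
        """Record that `src` was last seen behind `in_port` (the step stealing abuses)."""
        self.table[self._key(in_port, src)] = in_port

    def lookup(self, in_port, dst):
        """Port a frame arriving on `in_port` for `dst` would be sent to (None = flood)."""
        return self.table.get(self._key(in_port, dst))

    def forward(self, in_port, frame):
        """What a real bridge does per frame: learn the source, then look up the destination."""
        self.learn(in_port, frame.src)
        return self.lookup(in_port, frame.dst)


def run_scenario(isolate):
    """Replay normal traffic, then the two stealing moves, and report where
    the victim's downstream and upstream traffic would now be delivered."""
    # Uplink is shown as a member of the trusted VLAN only; a real trunk
    # carries both VLANs, which doesn't change the keyed lookups.
    ap = LearningBridge(vlan_of={UPLINK: 100, TRUSTED: 100, GUEST: 200},
                        isolate=isolate)

    # Normal operation: victim and gateway exchange frames and get learned.
    ap.forward(TRUSTED, Frame(src=VICTIM_MAC, dst=GATEWAY_MAC))
    ap.forward(UPLINK, Frame(src=GATEWAY_MAC, dst=VICTIM_MAC))

    # Attacker on the guest BSSID transmits with the victim's MAC as source,
    # then with the gateway's MAC as source. Without isolation each frame
    # re-points that MAC at the guest BSSID.
    ap.forward(GUEST, Frame(src=VICTIM_MAC, dst=GATEWAY_MAC))
    ap.forward(GUEST, Frame(src=GATEWAY_MAC, dst=ATTACKER_MAC))

    # Read-only lookups of the table state right after the injection. A real
    # bridge also re-learns the source of every later frame, so the victim's
    # own transmissions flip the entry back until the attacker re-injects.
    return {
        "downstream_to": ap.lookup(UPLINK, VICTIM_MAC),    # gateway -> victim
        "upstream_to": ap.lookup(TRUSTED, GATEWAY_MAC),    # victim -> gateway
    }


if __name__ == "__main__":
    print("shared table :", run_scenario(isolate=False))
    print("per-VLAN table:", run_scenario(isolate=True))
```

With one shared table both lookups resolve to the guest BSSID, i.e. the attacker now sits on both directions of the victim's path, which is the "port stealing" the paper describes. With the table keyed by VLAN the victim's downstream entry still points at the trusted BSSID and the gateway entry at the uplink, because the attacker's frames were learned under VLAN 200 and the trusted VLAN's lookups never see them. Two things the model makes visible that the thread argued about: the isolation that matters is per-VLAN keying of the forwarding table, not the "client isolation" checkbox on an SSID, and even with a shared table the entry flaps with every legitimate frame, so the attacker is in a race rather than in permanent control.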