Researchers from UC Riverside have discovered AirSnitch, a vulnerability that allows attackers on the same network to intercept data and launch machine-in-the-middle attacks by exploiting fundamental weaknesses in Wi-Fi security architecture.
A team of researchers from the University of California, Riverside has uncovered a series of critical vulnerabilities in Wi-Fi security that allow attackers to intercept data and launch sophisticated machine-in-the-middle attacks on networks they've already connected to, even when client isolation is enabled.
Named AirSnitch, this vulnerability exploits inherent weaknesses in the networking stack's design. Since Wi-Fi does not cryptographically link client MAC addresses, Wi-Fi encryption keys, and IP addresses across Layers 1, 2, and 3 of the network stack, an attacker can assume the identity of another device and manipulate the network into diverting both downlink and uplink traffic through their own device.
The research team tested AirSnitch across multiple platforms and found the vulnerability present in five popular home routers: Netgear Nighthawk x6 R8000, Tenda RX2 Pro, D-LINK DIR-3040, TP-Link Archer AXE75, and Asus RT-AX57. The flaw also exists in two open-source firmwares—DD-WRT v3.0-r44715 and OpenWrt 24.10—and across two university enterprise networks.
According to Xin'an Zhou, the lead author on the research, AirSnitch "breaks worldwide Wi-Fi encryption, and it might have the potential to enable advanced cyberattacks." He explained that advanced attacks could build upon these fundamental vulnerabilities to perform cookie stealing, DNS and cache poisoning, and other sophisticated intrusions. "Our research physically wiretaps the wire altogether so these sophisticated attacks will work. It's really a threat to worldwide network security," Zhou stated.
However, it's important to clarify that AirSnitch does not actually break encryption. Instead, it challenges the common assumption that encrypted clients cannot attack each other because they've been cryptographically isolated. The vulnerability exploits the fact that Wi-Fi's architecture allows for identity manipulation at the network layer.
The researchers identified four primary methods that AirSnitch uses to bypass client isolation:
Shared Key Abuse: Most networks use a single password or Group Temporal Key (GTK). An attacker can wrap packets intended for a specific target inside a GTK broadcast frame, making them appear as legitimate broadcast information. The target accepts this traffic as a broadcast packet, providing the attacker with an initial entry point for more complex attacks.
Gateway Bouncing: The attacker sends data to an access point addressed to a gateway MAC. When the gateway receives it, it sees the Layer 3 IP header containing the victim's IP address but ignores the Layer 2 destination (which is the gateway itself). It then forwards the data to the victim, allowing one client to send data to another without direct communication.
MAC Spoofing: Attackers can spoof the MAC address of the victim, causing the gateway to forward all downlink traffic to the attacker. Alternatively, they can spoof the MAC address of backend devices like the gateway, receiving uplink traffic from the target.
Layer 3 Manipulation: By exploiting the lack of cryptographic binding between MAC addresses, encryption keys, and IP addresses, attackers can create confusion in the network's routing decisions.
While the researchers acknowledge that executing these attacks is complicated—especially given the complexity of modern wireless networks—they emphasize that this should not lead to complacency. The vulnerability exists at the fundamental architecture level of Wi-Fi, making it a systemic issue rather than a problem limited to specific manufacturers or implementations.
The research team hopes their findings will prompt the industry to develop a rigorous set of requirements for client isolation and prevent similar flaws in future Wi-Fi standards. They believe that standardization groups and manufacturers must work together to address this architectural vulnerability before it can be widely exploited.
For users concerned about this vulnerability, the researchers recommend staying informed about firmware updates from router manufacturers and being cautious when connecting to public Wi-Fi networks. While the attack requires sophisticated knowledge and access to the network, the potential consequences make it a serious security concern that warrants attention from both industry professionals and end users.
The full research paper is available as a PDF from the University of California, Riverside, providing detailed technical information about the vulnerability and potential mitigation strategies.
Comments
Please log in or register to join the discussion