A recently disclosed Wi-Fi vulnerability, dubbed AirSnitch, bypasses network isolation even on WPA3-protected networks by exploiting weaknesses at the lowest layers of the network stack rather than the encryption itself. It lets an attacker intercept and modify traffic between devices connected to the same access point, potentially exposing sensitive data. The discovery underscores the ongoing difficulty of securing wireless networks, even with the latest encryption standards.
Researcher Xin’an Zhou found that AirSnitch enables sophisticated attacks, including cookie theft and DNS poisoning. Co-author Mathy Vanhoef clarified that the issue is more of an isolation bypass than a direct break of the Wi-Fi encryption itself. “People who don’t rely on network isolation are safer,” Vanhoef stated.
How does AirSnitch position itself between the router and the user?
The vulnerability stems from a mismatch of identity across the lowest layers of the network stack: nothing binds a device’s MAC address (link layer) to its encryption key or to its IP address (network layer). By exploiting this missing link, an attacker gains control over the victim’s traffic in both directions, and can monitor and alter it even from a different SSID or network segment served by the same physical access point.
The attack affects both home and corporate networks, because it sidesteps the cryptographic layer rather than breaking it. It does require some form of network access, but access through a guest network is enough. The discovery highlights the importance of robust network security practices, even when modern encryption protocols are in use.
The mechanism begins by adapting the classic Ethernet “port stealing” technique. The attacker transmits frames carrying the victim’s MAC address as the source, so the access point’s bridging logic rebinds that address to the attacker’s port and traffic the router sends toward the victim is delivered to the attacker instead. To restore the original mapping and keep traffic flowing in both directions, the attacker then sends an ICMP echo request (ping) from a random MAC address inside a frame encrypted with the group key, prompting a reply that lets the switch relearn the victim’s real port. Alternating between the two steps keeps the attack stable.
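The following is an added example, not code from the AirSnitch paper or from any access-point firmware. It models the Ethernet port-stealing step the article says AirSnitch adapts: a minimal learning bridge, the attacker’s spoofed-source frame that rebinds the victim’s MAC, the restore step, and a MAC-flapping detector of the kind a network operator could run over a bridge’s forwarding-table change log. The `sticky` mode is the classic Ethernet port-security countermeasure (refuse to relearn a known MAC on a different port); it is included only as the wired analogue, not as the Wi-Fi fix, which the article says needs deeper changes. MAC addresses, port numbers and the frame sequence are constructed for illustration.

```python
"""Learning-bridge model of Ethernet port stealing with a MAC-flap detector.

Added example (not from the AirSnitch paper or any vendor code).  All MACs,
ports and the frame sequence in simulate() are constructed for illustration.
"""
from collections import defaultdict


class LearningBridge:
    """Minimal switch/AP bridge: learns source MAC -> ingress port per frame."""

    def __init__(self, sticky=False):
        self.sticky = sticky                  # port-security analogue if True
        self.table = {}                       # mac -> port currently learned
        self.history = defaultdict(list)      # mac -> ports learned, in order
        self.rejected = []                    # (mac, port) refused by sticky mode

    def receive(self, src_mac, ingress_port):
        """Process the source address of a frame arriving on ingress_port.

        Returns True if the learned port for src_mac changed.  In sticky mode a
        MAC already bound to another port is not rebound and is recorded instead.
        """
        prev = self.table.get(src_mac)
        if self.sticky and prev is not None and prev != ingress_port:
            self.rejected.append((src_mac, ingress_port))
            return False
        self.table[src_mac] = ingress_port
        self.history[src_mac].append(ingress_port)
        return prev != ingress_port

    def forward_port(self, dst_mac):
        """Port a unicast frame to dst_mac would be sent to (None = flood)."""
        return self.table.get(dst_mac)


def port_steal(bridge, victim_mac, attacker_port):
    """Attacker step: a frame whose *source* is the victim's MAC, sent from the
    attacker's port, makes the bridge deliver the victim's traffic there."""
    bridge.receive(victim_mac, attacker_port)


def restore_mapping(bridge, victim_mac, victim_port):
    """Restore step: the victim transmits again (e.g. replying to an echo
    request), so the bridge relearns its real port and traffic flows again."""
    bridge.receive(victim_mac, victim_port)


def mac_flap_events(bridge, min_moves=2):
    """Detector: MACs whose learned port changed at least min_moves times.
    A real deployment would feed this from the bridge's FDB change log."""
    flaps = {}
    for mac, ports in bridge.history.items():
        moves = sum(1 for a, b in zip(ports, ports[1:]) if a != b)
        if moves >= min_moves:
            flaps[mac] = moves
    return flaps


def simulate(sticky=False):
    """Constructed sequence: learn, steal, restore, steal, restore."""
    br = LearningBridge(sticky=sticky)
    victim, attacker = "aa:bb:cc:00:00:01", "aa:bb:cc:00:00:02"   # constructed
    victim_port, attacker_port = 1, 2                             # constructed
    br.receive(victim, victim_port)          # normal traffic: victim learned on 1
    br.receive(attacker, attacker_port)      # attacker learned on 2
    before = br.forward_port(victim)
    port_steal(br, victim, attacker_port)    # victim's downstream now goes to 2
    during = br.forward_port(victim)
    restore_mapping(br, victim, victim_port)  # victim relearned on 1
    after = br.forward_port(victim)
    port_steal(br, victim, attacker_port)    # attacker repeats the cycle
    restore_mapping(br, victim, victim_port)
    return {
        "before": before, "during": during, "after": after,
        "flaps": mac_flap_events(br), "rejected": len(br.rejected),
    }


if __name__ == "__main__":
    print("learning bridge:", simulate())
    print("sticky bridge:  ", simulate(sticky=True))
```

In the plain learning bridge the victim’s MAC flaps between ports on every steal/restore cycle, which is exactly the signal the detector keys on; the sticky variant never rebinds the MAC, so the steal step is logged as a rejected frame and the victim’s traffic keeps flowing to the right port.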
The consequences depend on the application layer. When traffic is plain HTTP, content can be read or altered, and passwords and payment data can be captured. Even with HTTPS, DNS queries can be hijacked and resolver caches poisoned. The researchers also demonstrated scenarios in corporate networks: intercepting RADIUS packets, defeating their integrity checks, and standing up a rogue RADIUS server together with a rogue access point.
Testing covered 11 devices, all of which proved vulnerable to at least one variant of the bypass. Some manufacturers have already released updates that mitigate the issue, but the researchers point to systemic weaknesses that would require changes at the chip-design level. For now, if your network contains vulnerable access points or you share a guest network, using a VPN and treating the local network as untrusted are the recommended precautions.
Michał Mielnik, journalist, Wirtualna Polska