New Attack Against Wi-Fi

Source: Schneier on Security

AirSnitch

Unlike previous Wi‑Fi attacks, AirSnitch exploits core features in Layers 1 and 2 and the failure to bind and synchronize a client across these and higher layers, other nodes, and other network names such as SSIDs (Service Set Identifiers). This cross‑layer identity desynchronization is the key driver of AirSnitch attacks.

The most powerful such attack is a full, bidirectional machine‑in‑the‑middle (MitM) attack, meaning the attacker can view and modify data before it reaches the intended recipient. The attacker can be on the same SSID, a separate one, or even a separate network segment tied to the same AP. It works against small Wi‑Fi networks in homes and offices as well as large enterprise networks.

With the ability to intercept all link‑layer traffic (i.e., the traffic as it passes between Layers 1 and 2), an attacker can perform additional attacks on higher layers. The most dire consequence occurs when an Internet connection isn’t encrypted—something Google recently estimated happened for as much as 6 % of pages loaded on Windows and 20 % on Linux. In these cases, the attacker can view and modify all traffic in the clear and steal authentication cookies, passwords, payment‑card details, and any other sensitive data. Since many company intranets are sent in plaintext, traffic from them can also be intercepted.

Even when HTTPS is in place, an attacker can still intercept domain‑lookup traffic and use DNS cache poisoning to corrupt tables stored by the target’s operating system. The AirSnitch MitM also puts the attacker in a position to exploit unpatched vulnerabilities. Attackers can also see the external IP addresses hosting webpages being visited and often correlate them with the precise URL.

Here’s the paper.