Researchers discover massive Wi-Fi vulnerability affecting multiple access points — AirSnitch lets attackers on the same network intercept data and launch machine-in-the-middle attacks
Source: Tom’s Hardware

A team of researchers from the University of California, Riverside revealed a series of weaknesses in existing Wi‑Fi security, allowing them to intercept data on a network they have already joined, even when client isolation is enabled. The vulnerability, named AirSnitch, exploits inherent weaknesses in the networking stack. Because Wi‑Fi does not cryptographically bind client MAC addresses, Wi‑Fi encryption keys, and IP addresses across Layers 1‑3, an attacker can assume the identity of another device and cause the network to divert downlink and uplink traffic through the attacker.
How AirSnitch Bypasses Client Isolation
AirSnitch employs four primary techniques:
1. Abuse of Shared Keys
Most networks share a single password or a Group Temporal Key (GTK) among their clients. An attacker can craft packets for a specific target, wrap them inside a GTK broadcast frame, and make them appear to be legitimate broadcast traffic. The victim accepts the packet, providing an opening for further attacks.
2. Gateway Bouncing
The attacker sends data through the access point in frames addressed to the gateway’s MAC address. The gateway sees the victim’s IP address in the Layer 3 header, ignores the Layer 2 destination (the gateway itself), and forwards the packet to the victim. This enables one client to send data to another client indirectly.
3. MAC Spoofing (Victim)
By spoofing the victim’s MAC address, the attacker causes the gateway to forward all downlink traffic to the attacker’s device.
4. MAC Spoofing (Backend Devices)
Spoofing the MAC address of backend devices (e.g., the gateway) allows the attacker to receive uplink traffic from the target.
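The following added example, not taken from the article or the researchers' paper, shows how a defender could flag two of the symptoms described above in frame metadata: gateway bouncing (technique 2) and a MAC address appearing on more than one association (techniques 3 and 4). The addresses, the `assoc` field and the record layout are constructed assumptions.

```python
import ipaddress
from collections import defaultdict

# Constructed lab values (assumptions, not from the article).
GATEWAY_MAC = "02:00:00:00:00:01"
GATEWAY_IP = ipaddress.ip_address("192.0.2.1")
CLIENT_NET = ipaddress.ip_network("192.0.2.0/24")  # isolated Wi-Fi client subnet

def frame(src_mac, dst_mac, src_ip, dst_ip, assoc):
    """Hypothetical record layout: L2/L3 addresses plus the AP association
    (or wired port) on which the frame entered the network."""
    return dict(src_mac=src_mac.lower(), dst_mac=dst_mac.lower(),
                src_ip=ipaddress.ip_address(src_ip),
                dst_ip=ipaddress.ip_address(dst_ip), assoc=assoc)

# Constructed sample capture.
FRAMES = [
    frame("02:00:00:00:00:0a", GATEWAY_MAC, "192.0.2.10", "198.51.100.7", "ap1/aid1"),
    # L2 destination is the gateway, L3 destination is another isolated client.
    frame("02:00:00:00:00:0b", GATEWAY_MAC, "192.0.2.11", "192.0.2.10", "ap1/aid2"),
    # Same client MAC as the first frame, but on a second association.
    frame("02:00:00:00:00:0A", GATEWAY_MAC, "192.0.2.10", "198.51.100.7", "ap2/aid5"),
    frame(GATEWAY_MAC, "02:00:00:00:00:0a", "198.51.100.7", "192.0.2.10", "wired"),
]

def find_gateway_bounces(frames):
    """Frames sent to the gateway's MAC whose IP source and destination are
    both isolated clients: the gateway would route them back to the WLAN."""
    return [f for f in frames
            if f["dst_mac"] == GATEWAY_MAC
            and f["src_ip"] in CLIENT_NET and f["dst_ip"] in CLIENT_NET
            and GATEWAY_IP not in (f["src_ip"], f["dst_ip"])]

def find_duplicate_macs(frames):
    """Source MACs seen on more than one association or port, the symptom
    of a client spoofing a victim's or the gateway's MAC address."""
    seen = defaultdict(set)
    for f in frames:
        seen[f["src_mac"]].add(f["assoc"])
    return {mac: sorted(a) for mac, a in seen.items() if len(a) > 1}

if __name__ == "__main__":
    for f in find_gateway_bounces(FRAMES):
        print("gateway bounce:", f["src_ip"], "->", f["dst_ip"], "via", f["assoc"])
    for mac, assocs in find_duplicate_macs(FRAMES).items():
        print("MAC on multiple associations:", mac, assocs)
```

A client that roams between access points also shows up on two associations, so on a live network the duplicate check needs a time window before it is treated as an alert.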
Affected Devices and Firmware
The researchers identified the vulnerabilities in:
- Home routers: Netgear Nighthawk X6 R8000, Tenda RX2 Pro, D‑LINK DIR‑3040, TP‑Link Archer AXE75, Asus RT‑AX57
- Open‑source firmware: DD‑WRT v3.0‑r44715, OpenWrt 24.10
- Enterprise networks: Two university networks (see the paper for details)
These findings indicate that the issue is not limited to specific manufacturers but stems from fundamental weaknesses in Wi‑Fi architecture.
Impact and Recommendations
While exploiting AirSnitch is complex—especially given the sophistication of modern wireless networks—the vulnerability highlights a systemic problem. The researchers urge manufacturers and standards bodies to:
- Re‑evaluate client isolation mechanisms
- Develop rigorous requirements that cryptographically bind MAC addresses, encryption keys, and IP addresses across network layers
- Implement mitigations in firmware updates and future Wi‑Fi standards
The full research paper is available for reference: PDF.