“In a standard Layer-2 switch, the switch learns the MAC of the client by seeing it respond with its source address,” Moore explained. “This attack confuses the AP into considering that the client reconnected elsewhere, allowing an attacker to redirect Layer-2 traffic. Unlike Ethernet switches, wireless APs can’t tie a physical port on the device to a single client; clients are mobile by design.”
The back-and-forth flipping of the MAC from the attacker to the target, and vice versa, can continue for as long as the attacker wants. With that, the bidirectional MitM has been achieved. Attackers can then perform a range of other attacks, either related to AirSnitch or reminiscent of the cache poisoning discussed earlier. Depending on the router the target is using, the attack may work even when the attacker and target are connected to separate SSIDs served by the same AP. In some cases, Zhou said, the attacker may even be connected from the Internet.
“Even when the guest SSID has a unique name and password, it should share parts of the same internal network infrastructure as your most important Wi-Fi,” the researcher explained. “In some setups, that shared infrastructure can allow unexpected connectivity between guest devices and trusted devices.”
No, enterprise defenses won’t protect you
Variations of the attack defeat the client isolation promised by makers of enterprise routers, which typically use per-client credentials and a master encryption key that may be unique to each client. One such attack works across multiple APs when they share a wired distribution system, as is common in enterprise and campus networks.
In their paper, AirSnitch: Demystifying and Breaking Client Isolation in Wi-Fi Networks, the researchers wrote:
Although port stealing was originally devised for hosts on the identical switch, we show that attackers can hijack MAC-to-port mappings at the next layer, i.e., at the level of the distribution switch—to intercept traffic to victims related to different APs. This escalates the attack beyond its traditional limits, breaking the belief that separate APs provide effective isolation.
This discovery exposes a blind spot in client isolation: even physically separated APs, broadcasting different SSIDs, offer ineffective isolation if connected to a standard distribution system. By redirecting traffic on the distribution switch, attackers can intercept and manipulate victim traffic across AP boundaries, expanding the threat model for contemporary Wi-Fi networks.
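The mechanism behind both the single-AP MAC flipping described above and the distribution-switch variant quoted from the paper is the same: a learning switch trusts the source MAC of whatever arrives on a port. The simulation below is an added example written for this page, not code from the AirSnitch authors; the switch model, port names ("ap1", "ap2", "uplink") and MAC addresses are constructed for illustration and nothing is sent on a real network. It walks through one steal/flip-back cycle and shows why the attacker ends up holding both directions of the victim's traffic.

```python
"""Port stealing against a learning switch (constructed simulation, not the paper's code)."""
from dataclasses import dataclass, field

FLOOD = "FLOOD"
BCAST = "ff:ff:ff:ff:ff:ff"
# Constructed addresses: gateway behind the uplink, victim behind AP2, attacker behind AP1.
GW = "02:00:00:00:00:01"
V = "02:00:00:00:00:02"
A = "02:00:00:00:00:03"


@dataclass
class Frame:
    src: str
    dst: str
    payload: str = ""


@dataclass
class LearningSwitch:
    """Minimal learning switch: MAC-to-port table refreshed from every frame's source MAC."""
    table: dict = field(default_factory=dict)

    def receive(self, in_port: str, frame: Frame) -> str:
        # Learning step: whichever port last showed this source MAC "owns" it.
        self.table[frame.src] = in_port
        # Forwarding step: known destination -> that port, unknown/broadcast -> flood.
        return self.table.get(frame.dst, FLOOD)


def run_port_stealing() -> dict:
    """One steal / flip-back cycle; returns what the attacker saw and the final table."""
    sw = LearningSwitch()
    intercepted, delivered = [], []

    # 1. Normal operation: victim (AP2) talks to the gateway (uplink); the reply reaches AP2.
    sw.receive("ap2", Frame(V, GW, "victim request 1"))        # table: V -> ap2
    out = sw.receive("uplink", Frame(GW, V, "reply 1"))         # table: GW -> uplink
    if out == "ap2":
        delivered.append("reply 1")

    # 2. Attacker (AP1) makes itself known, then sends a frame whose SOURCE is the victim's MAC.
    #    The switch re-learns V on the attacker's port.
    sw.receive("ap1", Frame(A, BCAST, "attacker hello"))        # table: A -> ap1
    sw.receive("ap1", Frame(V, A, "port-steal frame"))          # table: V -> ap1 (hijacked)

    # 3. The gateway's next reply to the victim is switched to AP1 instead of AP2.
    out = sw.receive("uplink", Frame(GW, V, "reply 2"))
    if out == "ap1":
        intercepted.append("reply 2")

    # 4. Flip back: the attacker broadcasts a probe (an ARP request in practice). Broadcasts
    #    are flooded regardless of the table, so the victim answers from AP2 and the switch
    #    re-learns V -> ap2.
    sw.receive("ap1", Frame(A, BCAST, "who has victim?"))
    sw.receive("ap2", Frame(V, A, "victim answers"))            # table: V -> ap2 again

    # 5. The attacker forwards the stolen reply. Sending it with the gateway's MAC as source
    #    also drags GW onto AP1, which hijacks the other direction as well.
    out = sw.receive("ap1", Frame(GW, V, "reply 2"))            # table: GW -> ap1
    if out == "ap2":
        delivered.append("reply 2")

    # 6. The victim's next uplink frame is therefore switched to the attacker too.
    out = sw.receive("ap2", Frame(V, GW, "victim request 2"))
    if out == "ap1":
        intercepted.append("victim request 2")

    return {"intercepted": intercepted, "delivered": delivered, "table": dict(sw.table)}


if __name__ == "__main__":
    result = run_port_stealing()
    print("attacker intercepted:", result["intercepted"])
    print("victim still received:", result["delivered"])
    print("final MAC table:", result["table"])
```

Repeating steps 2 to 5 in a loop is the "back-and-forth flipping" the article describes; the victim keeps receiving its traffic, just one hop late. On a wired switch, port security or 802.1X binds a MAC to a port and stops this; a distribution switch behind several APs cannot do that for roaming clients, which is exactly the gap the paper exploits.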
The researchers demonstrated that their attacks can break RADIUS, the centralized authentication protocol used to provide enhanced security in enterprise networks. “By spoofing a gateway MAC and connecting to an AP,” the researchers wrote, “an attacker can steal uplink RADIUS packets.” The attacker can go on to crack the message authenticator that's used for integrity protection and, from there, learn the shared secret (passphrase) between the AP and the RADIUS server. “This enables the attacker to establish a rogue RADIUS server and associated rogue WPA2/3 access point, which allows any legitimate client to attach, thereby intercepting their traffic and credentials.”

