When Wi-Fi Encryption Fails: Protecting Your Enterprise from AirSnitch Attacks
Emmanuel Zhou, Adam Robbie, Rick Wyble, Zhutian Liu, Zhiyun Qian, Zhaowei Tan, Srikanth V. Krishnamurthy and Mathy Vanhoef
2026-04-22
ATT&CK techniques detected
22 predictions
T1557.001 Name Resolution Poisoning and SMB Relay
98%
“… inherently insecure. Additionally, other exploits, like gateway bouncing, rely on diverse, organization-specific network configurations, making universal vendor testing and coordinated responsible disclosure impractical. Therefore, these findings are being released publicly to …”
T1557.001 Name Resolution Poisoning and SMB Relay
97%
“… Palo Alto Networks customers are better protected from AirSnitch attacks discussed in this post with the following products and services: If you think you might have been compromised or have an urgent matter, contact the Unit 42 Incident Response team. The AirSnitch threats: …”
T1557.001 Name Resolution Poisoning and SMB Relay
97%
“… (ARP) poisoning), AirSnitch works at even lower networking layers and restores meddler-in-the-middle (MITM) capabilities in current Wi-Fi networks. This effectively breaks the security perimeter that enterprises rely on, making even a properly configured WPA2/3-E…”
T1557.001 Name Resolution Poisoning and SMB Relay
96%
“… can misuse the shared GTK to wrap unicast IP traffic inside broadcast/multicast frames encrypted with the GTK. This enables an attacker to inject packets directly to victims, bypassing client isolation on target enterprise APs. To better illustrate this, Figure 2 shows that, as…”
T1557.001 Name Resolution Poisoning and SMB Relay
95%
“… adversary can perform DNS or DHCP poisoning, modifying gateway addresses or poisoning ARP caches to maintain long-term control over the victim's traffic. How to mitigate the AirSnitch attacks for enterprise Wi-Fi networks: To protect against AirSnitch attacks, enterprises mu…”
T1557.001 Name Resolution Poisoning and SMB Relay
95%
“… However, these often fail to provide complete isolation. For example, many enterprises often deploy guest SSIDs with no encryption at all (i.e., Open System authentication), or weak encryption (i.e., passphrase authentication), along with WPA2/3-Enterprise for privile…”
T1557.001 Name Resolution Poisoning and SMB Relay
92%
“… Conclusion: The AirSnitch attacks illustrate a fundamental fact about modern Wi-Fi networks. Client isolation, as currently implemented, is an inconsistent and unreliable defense. The lack of standardization has led to ad hoc and incomplete solutions that fail to protect again…”
T1557.001 Name Resolution Poisoning and SMB Relay
92%
“… the OSI model. However, AirSnitch breaks this barrier. Unlike more commonly known threats, AirSnitch focuses on exploiting the wireless infrastructure itself rather than just client devices, fundamentally shifting our assumptions of wireless security. By subverting how networks h…”
T1557.001 Name Resolution Poisoning and SMB Relay
91%
“When Wi-Fi Encryption Fails: Protecting Your Enterprise from AirSnitch Attacks. Executive Summary: Enterprises have long trusted Wi-Fi encryption and client isolation to secure their wireless infrastructure. However, we conducted research presented at the NDSS Symposium 2026 t…”
T1557.001 Name Resolution Poisoning and SMB Relay
90%
“… East: +31.20.299.3130 - Asia: +65.6983.8730 - Japan: +81.50.1790.0200 - Australia: +61.2.4062.7950 - India: 000 800 050 45107 - South Korea: +82.080.467.8774. Palo Alto Networks has shared these findings with our fellow Cyber Threat Alliance (CTA) member…”
T1557.001 Name Resolution Poisoning and SMB Relay
86%
“…linked to the core network despite being phased out of active management? Our AirSnitch research also suggests more specialized solutions to nullify the attacks: - Improve network isolation with virtual local area networks (VLANs). Implement VLANs to logically separate netwo…”
T1557.001 Name Resolution Poisoning and SMB Relay
85%
“…: Starting with Wi-Fi fundamentals. AirSnitch attacks circumvent standard Wi-Fi security by exploiting weaknesses in the interplay between encryption, switching and routing layers, despite WPA2/3 encryption being designed to secure over-the-air traffic. Below, we begin b…”
T1557.001 Name Resolution Poisoning and SMB Relay
85%
“…, internal wired switches of enterprise networks), an attacker can manipulate traffic across AP boundaries even if those APs are broadcasting different network names (SSIDs). For example, Figure 6 shows that without strict isolation, an attacker could exploit a faraway AP's …”
T1557.001 Name Resolution Poisoning and SMB Relay
83%
“… legitimate clients do. This allows an attacker to passively decrypt and inject traffic, breaking client isolation. Due to the Dragonfly handshake added right before the four-way handshake, meddler-on-the-side attacks are no longer effective for the WPA3-Personal protoco…”
T1557.001 Name Resolution Poisoning and SMB Relay
81%
“… between the physical layer (Layer 1) and the data link layer (Layer 2). This means that all unencrypted networking protocols carried by Wi-Fi, such as ARP, DNS, TCP and HTTP, can fall victim to Wi-Fi port stealing. Even encrypted protocols like TLS can expose IP addresses…”
T1557.001 Name Resolution Poisoning and SMB Relay
79%
“… network. As a result, an attacker can actively decrypt WPA2/3-Enterprise traffic and become a MITM, intercepting bi-directional traffic (i.e., both to and from a Wi-Fi client). Putting it together: Chaining primitives, executing cross-AP attacks and enabling higher …”
T1557.001 Name Resolution Poisoning and SMB Relay
64%
“… bouncing to exploit the failure to enforce isolation at the IP layer in home and enterprise networks. An attacker sends a packet with the victim's Layer 3 IP address as the destination but uses the network gateway's MAC address as the Layer 2 destination. The AP accepts and f…”
T1557.003 DHCP Spoofing
63%
“…s will then mistakenly update their forwarding tables (i.e., Layer 1 interface port-to-MAC-address mappings), associating the victim's MAC address with the BSSID the attacker is exploiting. As a result, all traffic meant for the victim is redirected to the attacker'…”
T1557.003 DHCP Spoofing
43%
“… network. As a result, an attacker can actively decrypt WPA2/3-Enterprise traffic and become a MITM, intercepting bi-directional traffic (i.e., both to and from a Wi-Fi client). Putting it together: Chaining primitives, executing cross-AP attacks and enabling higher …”
T1557.001 Name Resolution Poisoning and SMB Relay
41%
“…s will then mistakenly update their forwarding tables (i.e., Layer 1 interface port-to-MAC-address mappings), associating the victim's MAC address with the BSSID the attacker is exploiting. As a result, all traffic meant for the victim is redirected to the attacker'…”
T1557.001 Name Resolution Poisoning and SMB Relay
40%
“…ing APs to use per-client randomized GTKs. The Passpoint (Hotspot 2.0) specification includes a mechanism called Downstream Group-Addressed Forwarding (DGAF), which allows access points to control or disable forwarding of multicast/broadcast traffic to clients. This …”
T1557.001 Name Resolution Poisoning and SMB Relay
32%
“…ks to prevent shared GTKs and maximize isolation, certain Wi-Fi standard handshakes (Group Key, FT, FILS, WNM-Sleep) still expose the real GTK. Moreover, integrity GTKs (IGTKs, another shared group key for management purposes) are never randomized. This enables an attac…”
Summary
Unit 42 research reveals AirSnitch attacks bypass WPA2/3 Wi-Fi encryption and client isolation, exposing critical infrastructure vulnerabilities.