New AirSnitch attack breaks Wi-Fi encryption in homes, offices, and enterprises

Seems bad!

AirSnitch “breaks worldwide Wi-Fi encryption, and it might have the potential to enable advanced cyberattacks,” Xin’an Zhou, the lead author of the research paper, said in an interview. “Advanced attacks can build on our primitives to [perform] cookie stealing, DNS and cache poisoning. Our research physically wiretaps the wire altogether so these sophisticated attacks will work. It’s really a threat to worldwide network security.” Zhou presented his research on Wednesday at the 2026 Network and Distributed System Security Symposium.

Direct link to paper:

Abusing GTK: We discover a new technique to bypass client isolation by exploiting the shared GTK (Group Temporal Key). Normally, a Wi-Fi client encrypts broadcast/multicast frames with its PTK, sending them to the AP for the latter to re-encrypt with the GTK (shared with all clients connected to the same BSSID). While the GTK is meant for the AP to control broadcast access, attackers can abuse it to wrap unicast IP traffic in a broadcast frame encrypted with the GTK, pretending that the frame comes from the AP by spoofing its MAC address. The victim accepts this frame, bypassing client isolation. The technique requires the attacker to temporarily connect to the victim’s BSSID to obtain the per-BSSID GTK (which is shared during the handshake).

So okay, first of all, you need to authenticate to the wireless network in question in the first place (GTK is provided only after the client presents the pre-shared key, right?), and then you can spoof the base station with the temporal key. Eh?
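To make the GTK trick quoted above concrete, here is a toy Python model of the two paths a frame can take to the victim: through the AP (where client isolation lives) and directly over the air as a GTK-sealed broadcast with the AP's MAC as transmitter. This is an added example, not code from the AirSnitch authors or their paper. It stands in for CCMP with an HMAC tag, the MAC and IP addresses and the `dst_ip|data` packet format are made up, and the AP and station logic is a deliberately minimal sketch; the one thing it is faithful to is the key-selection rule on the receiving client, which picks the GTK for group-addressed frames from its BSSID.

```python
"""Toy model of why a GTK-sealed broadcast from a spoofed BSSID bypasses
client isolation. Added example; addresses, keys and packet format are
constructed, and an HMAC tag stands in for the CCMP MIC."""
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Optional

BROADCAST = "ff:ff:ff:ff:ff:ff"


def toy_mic(key: bytes, header: tuple, body: bytes) -> bytes:
    """Stand-in for the CCMP MIC: binds the address fields and the body to
    a key. Real CCMP is AES-CCM with the addresses in the AAD; only the
    binding matters for this model."""
    h = hmac.new(key, digestmod=hashlib.sha256)
    h.update("|".join(map(str, header)).encode())
    h.update(body)
    return h.digest()[:8]


@dataclass(frozen=True)
class Frame:
    from_ds: bool
    addr1: str        # receiver address (DA when from_ds)
    addr2: str        # transmitter address (BSSID when from_ds)
    addr3: str        # SA when from_ds, DA when to-DS
    key_id: int       # 802.11 KeyID: 0 = pairwise key, 1/2 = group key
    body: bytes       # would be ciphertext; kept as plaintext in the model
    mic: bytes

    def header(self) -> tuple:
        return (self.from_ds, self.addr1, self.addr2, self.addr3, self.key_id)


def seal(key: bytes, from_ds: bool, addr1: str, addr2: str, addr3: str,
         key_id: int, body: bytes) -> Frame:
    hdr = (from_ds, addr1, addr2, addr3, key_id)
    return Frame(from_ds, addr1, addr2, addr3, key_id, body, toy_mic(key, hdr, body))


@dataclass
class Station:
    mac: str
    ip: str
    bssid: str        # MAC of the AP it is associated with
    ptk: bytes        # pairwise key, unique to this client
    gtk: bytes        # group key, shared by every client of the BSSID

    def receive(self, f: Frame) -> Optional[bytes]:
        """Client receive path; returns the IP payload if the frame is accepted."""
        if f.addr1 not in (self.mac, BROADCAST):   # not addressed to us
            return None
        if not f.from_ds or f.addr2 != self.bssid:  # only frames from our AP
            return None
        # Key selection: group-addressed frames are checked with the GTK,
        # which every associated client of this BSSID already holds.
        if f.addr1 == BROADCAST:
            if f.key_id == 0:
                return None
            key = self.gtk
        else:
            if f.key_id != 0:
                return None
            key = self.ptk
        if not hmac.compare_digest(f.mic, toy_mic(key, f.header(), f.body)):
            return None
        # The IP layer only looks at the IP header, not at how it arrived.
        dst_ip, _, data = f.body.partition(b"|")
        return data if dst_ip.decode() == self.ip else None


@dataclass
class AccessPoint:
    mac: str
    gtk: bytes
    client_isolation: bool
    clients: dict     # mac -> Station

    def forward(self, f: Frame) -> Optional[Frame]:
        """Forward a to-DS frame from an associated client, or drop it."""
        sender = self.clients.get(f.addr2)
        if sender is None or f.from_ds or f.addr1 != self.mac or f.key_id != 0:
            return None
        if not hmac.compare_digest(f.mic, toy_mic(sender.ptk, f.header(), f.body)):
            return None
        da = f.addr3
        if da == BROADCAST:   # AP re-seals broadcast traffic with the GTK
            return seal(self.gtk, True, BROADCAST, self.mac, sender.mac, 1, f.body)
        if self.client_isolation and da in self.clients:   # isolation acts here
            return None
        target = self.clients.get(da)
        if target is None:
            return None
        return seal(target.ptk, True, da, self.mac, sender.mac, 0, f.body)


def run_demo() -> dict:
    ap_mac = "02:00:00:00:00:01"                     # constructed addresses
    gtk = os.urandom(16)
    victim = Station("02:00:00:00:00:10", "10.0.0.10", ap_mac, os.urandom(16), gtk)
    attacker = Station("02:00:00:00:00:20", "10.0.0.20", ap_mac, os.urandom(16), gtk)
    ap = AccessPoint(ap_mac, gtk, True, {victim.mac: victim, attacker.mac: attacker})
    ip_pkt = b"10.0.0.10|unicast payload"            # constructed packet to the victim

    results = {}
    # (a) Normal path: attacker -> AP -> victim, unicast, PTK sealed. Isolation drops it.
    to_ds = seal(attacker.ptk, False, ap_mac, attacker.mac, victim.mac, 0, ip_pkt)
    fwd = ap.forward(to_ds)
    results["via_ap_with_isolation"] = victim.receive(fwd) if fwd else None
    # (b) Same IP packet sent directly over the air as a from-DS broadcast frame,
    #     transmitter address spoofed to the AP, sealed with the GTK the attacker
    #     received at association. The AP never sees it.
    direct = seal(attacker.gtk, True, BROADCAST, ap_mac, ap_mac, 1, ip_pkt)
    results["gtk_broadcast_spoofed_bssid"] = victim.receive(direct)
    # (c) Same frame without the real GTK, i.e. without ever having associated.
    bogus = seal(os.urandom(16), True, BROADCAST, ap_mac, ap_mac, 1, ip_pkt)
    results["without_gtk"] = victim.receive(bogus)
    return results


if __name__ == "__main__":
    print(run_demo())
```

Case (c) is the check behind the question above: without the GTK the tag fails, so the attacker does need to associate (and hence hold the PSK or other credentials) first. Case (b) is the point of the technique: once associated, the attacker never routes through the AP, so an isolation rule enforced on the AP's forwarding path has nothing to act on.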