Xin'an Zhou (University of California, Riverside), Juefei Pu (University of California, Riverside), Zhutian Liu (University of California, Riverside), Zhiyun Qian (University of California, Riverside), Zhaowei Tan (University of California, Riverside), Srikanth V. Krishnamurthy (University of California, Riverside), Mathy Vanhoef (DistriNet, KU Leuven)

To prevent malicious Wi-Fi clients from attacking other clients on the same network, vendors have introduced client isolation, a combination of mechanisms that block direct communication between clients. However, client isolation is not a standardized feature, making its security guarantees unclear.

In this paper, we undertake a structured security analysis of Wi-Fi client isolation and uncover new classes of attacks that bypass this protection. We identify several root causes behind these weaknesses. First, Wi-Fi keys that protect broadcast frames are improperly managed and can be abused to bypass client isolation. Second, isolation is often only enforced at the MAC or IP layer, but not both. Third, weak synchronization of a client's identity across the network stack allows one to bypass Wi-Fi client isolation at the network layer instead, enabling the interception of uplink and downlink traffic of other clients as well as internal backend devices. Every tested router and network was vulnerable to at least one attack. More broadly, the lack of standardization leads to inconsistent, ad hoc, and often incomplete implementations of isolation across vendors.

Building on these insights, we design and evaluate end-to-end attacks that enable full machine-in-the-middle capabilities in modern Wi-Fi networks. Although client isolation effectively mitigates legacy attacks like ARP spoofing, which has long been considered the only universal method for achieving machine-in-the-middle positioning in local area networks, our attack introduces a general and practical alternative that restores this capability, even in the presence of client isolation.

View More Papers

Vibenix: An AI Assistant for Software Packaging with Nix

Martin Schwaighofer (Johannes Kepler University Linz), Martim Monis (INESC-ID and IST, University of Lisbon), Nuno Saavedra (INESC-ID and IST, University of Lisbon), Joao F. Ferreira (INESC-ID and Faculty of Engineering, University of Porto), Rene Mayrhofer (Johannes Kepler University Linz)

Read More

Work-in-progress: Assertive Trace

Shun Kashiwa (UC San Diego), Michael Coblenz (UC San Diego), Deian Stefan (UC San Diego)

Read More

MVPNalyzer: An Investigative Framework for Auditing the Security &...

Wayne Wang (University of Michigan), Aaron Ortwein (University of Michigan), Enrique Sobrados (University of New Mexico), Robert Stanley (University of Michigan), Piyush Kumar Sharma (University of Michigan, IIT Delhi), Afsah Anwar (University of New Mexico), Roya Ensafi (University of Michigan)

Read More