Hoping to confirm my understanding of how AirSnitch might impact OpenWrt.
First, some background on AirSnitch: Ars Technica article and whitepaper.
AirSnitch:
- appears to impact configurations using a potentially separate guest wifi. This example guest wifi has wifi client isolation enabled, while sharing the primary LAN.
- the author seems to recommend a (rather impractical) solution of setting up a per-client VLAN

However, in a simple case of wanting a primary network to be protected from AirSnitch coming from a device on the guest network, OpenWrt
- would potentially be vulnerable if the guest network is on the primary LAN, regardless of whether client isolation is configured on the guest Wi-Fi network
- the primary network is protected from AirSnitch attacks coming from guest if the guest network is using a separate LAN interface, as recommended in this guide for LuCI
Using a separate LAN for guest, devices on the guest network may potentially be at risk from AirSnitch from each other, but devices on the guest network cannot affect devices on the primary network (and vice versa).
I may be wrong, but from some discussions here regarding hostapd and per-client PSK configurations I took with me that you cannot configure OpenWrt to have client isolation on a guest network only. Either none or all wifi networks share this setting.
Thank you for the responses. It appears to me that AirSnitch is only a concern for guest networks that rely on wifi client isolation for security. Guest networks that leverage other best-practice forms of security (including VLANs, strong passwords, etc.) aren’t impacted by AirSnitch. The rather alarmist tone of the Ars Technica article caused me to double-check.
Client isolation is inside the wifi driver. It only works for clients connected to the same radio interface. If your guest network is switched or bridged to a different radio interface (either dual band in the same AP, or multiple APs bridged together), an attacker can connect to a separate interface and reach the target client through the switch or bridge.
The mitigation would be to offer guest networks on only one radio interface and have a separately routed network for each band and/or AP.
I am not an expert by any means, but with this thread I wanted to provide my understanding of how AirSnitch might impact a vanilla guest network setup on OpenWrt in the hopes of receiving correction or confirmation from those more knowledgeable.
To me it appears that by following the guest network guide for LuCI, guest devices will be segregated on a separate LAN. Devices on that guest LAN will not have access to the primary LAN, and an AirSnitch attack will not be effective between the guest and primary networks.
Of course, in this vanilla guest network scenario, I'm assuming that guests can airsnitch on each other all they want by default. Same with devices on the primary network, as untrusted isolation between primary LAN network devices is not the default (nor often desirable). Neither of these scenarios would be concerning to me personally for my use case.
Do others have a different reading of the impacts?
Improving Network Isolation. To improve isolation mechanisms on single APs, untrusted BSSIDs (e.g., guest networks) can be put in isolation groups, i.e., VLANs. VLANs logically separate network segments… which effectively nullifies the exploitation techniques listed in Table VI.
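
A rough way to check a router's wireless config against the two conditions raised in the posts above (a guest SSID bridged onto the primary LAN, and an isolated network spanning more than one radio), as an added example that is not from any poster or from the OpenWrt project. It parses a constructed `/etc/config/wireless` excerpt; the function names, finding labels and sample config are assumptions for illustration, and the check is a heuristic over one device's config, so APs bridged together elsewhere are not visible to it.

```python
# Constructed /etc/config/wireless excerpt (sample data, not from the thread).
SAMPLE = """
config wifi-iface 'home'
    option device 'radio0'
    option network 'lan'

config wifi-iface 'guest2g'
    option device 'radio0'
    option network 'lan'
    option isolate '1'

config wifi-iface 'guest5g'
    option device 'radio1'
    option network 'lan'
    option isolate '1'
"""

def parse_wifi_ifaces(text):
    """Return one dict of options per 'config wifi-iface' section."""
    ifaces, keep = [], False
    for line in text.splitlines():
        words = line.split()
        if words[:1] == ["config"]:
            keep = words[1:2] == ["wifi-iface"]
            if keep:
                ifaces.append({})
        elif keep and words[:1] == ["option"] and len(words) >= 3:
            ifaces[-1][words[1]] = " ".join(words[2:]).strip("'\"")
    return ifaces

def audit(text):
    """Heuristic: flag networks where 'isolate' is the only client barrier."""
    by_net = {}
    for iface in parse_wifi_ifaces(text):
        for net in iface.get("network", "").split():
            by_net.setdefault(net, []).append(iface)
    findings = []
    for net, members in by_net.items():
        isolated = [m for m in members if m.get("isolate") in ("1", "on", "true", "yes")]
        if not isolated:
            continue  # no SSID on this network relies on client isolation
        if len(isolated) < len(members):  # shares a bridge with a normal SSID
            findings.append((net, "shared-with-non-isolated-ssid"))
        if len({m.get("device") for m in members}) > 1:  # isolation is per radio
            findings.append((net, "bridged-across-radios"))
    return findings

if __name__ == "__main__":
    for net, issue in audit(SAMPLE):
        print(f"network '{net}': {issue}")
```

A config where the guest SSID sits alone on its own network and on a single radio produces no findings.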