Unit 42 researchers discover "Air Snitch," a wireless attack technique that allows cybercriminals to intercept corporate traffic and steal credentials without even setting foot inside the building.
By: MSB
The security perimeter of an office no longer stops at concrete walls. A new technical report from Unit 42, the intelligence unit of Palo Alto Networks, has exposed "Air Snitch," a sophisticated set of tools and tactics designed to compromise enterprise wireless networks (WPA2/WPA3-Enterprise) using low-cost, long-range hardware.
The Spy Who Doesn't Need to Enter
Unlike traditional Wi-Fi attacks that require physical proximity to the router, Air Snitch uses high-gain antennas and compact devices that can easily hide in the vicinity of a company—like a parked car or a planter.
The attack works by creating an "Evil Twin" of the corporate network. By taking advantage of the fact that many devices (laptops, mobile phones, and tablets) are configured to connect automatically to known networks, Air Snitch "tricks" the victim's device into connecting to a fake access point controlled by the attacker.
How Data Theft Works
Once the employee inadvertently connects to the attacker's access point, Air Snitch executes an identity interception attack:
Handshake Capture: The system captures the authentication packets that the device sends to attempt to validate its identity.
Security Degradation: On networks using authentication protocols like PEAP, the attacker can force the device to use weaker versions of encryption.
Exfiltration: The captured data is automatically sent to a cloud server where AI computing power is used to decrypt the passwords within minutes.
The report highlights a systemic problem in the current security culture: most users are used to ignoring or accepting "certificate warnings" in their browsers. Air Snitch exploits this alert fatigue. When the victim's device detects that the Wi-Fi certificate does not match, it shows a warning; if the user clicks "Trust", they hand their corporate account keys to the attacker on a silver platter.
How to Protect Yourself: Unit 42 Tips
For IT and security teams, the discovery of Air Snitch serves as a wake-up call to review wireless defenses:
Ditch PEAP/MSCHAPv2: Unit 42 strongly recommends migrating to more secure certificate-based protocols, such as EAP-TLS, which are immune to evil twin attacks.
Disable Auto-Connect: Configure corporate-managed devices so they do not join known Wi-Fi networks without user intervention.
Network Segmentation: Ensure that Wi-Fi-connected devices do not have direct access to critical company servers without passing through an additional layer of authentication (VPN or Zero Trust).
User Education: Train employees to immediately report unusual warnings when connecting to the office Wi-Fi.
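As an added example (not from the Unit 42 report or this article), the following Python audits Windows WLAN profiles exported with `netsh wlan export profile` for the settings the tips above target: auto-connect, PEAP with an MSCHAPv2 inner method instead of EAP-TLS, and server-certificate validation that still lets a user click through a warning. The element names follow Microsoft's WLAN profile XML schema; the two sample profiles are constructed and trimmed to the elements the audit inspects.

```python
import xml.etree.ElementTree as ET

# IANA EAP method type numbers as they appear in Windows profile XML
EAP_TLS, PEAP, MSCHAPV2 = "13", "25", "26"

def _local(tag):
    """Strip the namespace; one profile mixes several Microsoft schemas."""
    return tag.rsplit("}", 1)[-1]

def _first(node, name):
    return next((e for e in node.iter() if _local(e.tag) == name), None)

def _text(node, name):
    e = _first(node, name) if node is not None else None
    return (e.text or "").strip() if e is not None else ""

def audit_profile(xml_text):
    """Return findings for one exported WLAN profile; an empty list means it passed."""
    root = ET.fromstring(xml_text)
    name, findings = _text(root, "name"), []
    if _text(root, "connectionMode").lower() == "auto":
        findings.append(f"{name}: auto-connect on (device rejoins a look-alike SSID without a prompt)")
    outer = _text(_first(root, "EapMethod"), "Type")  # outer EAP method number
    if outer == PEAP:
        findings.append(f"{name}: PEAP in use; migrate to EAP-TLS")
        inner = {e.text.strip() for e in root.iter() if _local(e.tag) == "Type" and e.text}
        if MSCHAPV2 in inner:
            findings.append(f"{name}: inner MSCHAPv2 (captured handshake can be cracked offline)")
        sv = _first(root, "ServerValidation")
        if _text(sv, "DisableUserPromptForServerValidation").lower() != "true":
            findings.append(f"{name}: user may click 'Trust' on a mismatched RADIUS certificate")
        if not _text(sv, "TrustedRootCA"):
            findings.append(f"{name}: no trusted root CA pinned for server validation")
    return findings

# Constructed sample profiles, trimmed to the elements the audit inspects
WEAK = """<?xml version="1.0"?>
<WLANProfile xmlns="http://www.microsoft.com/networking/WLAN/profile/v1">
<name>CorpWiFi</name><connectionMode>auto</connectionMode><MSM><security>
<OneX xmlns="http://www.microsoft.com/networking/OneX/v1"><EAPConfig>
<EapHostConfig xmlns="http://www.microsoft.com/provisioning/EapHostConfig">
<EapMethod><Type xmlns="http://www.microsoft.com/provisioning/EapCommon">25</Type></EapMethod>
<Config><Eap xmlns="http://www.microsoft.com/provisioning/BaseEapConnectionPropertiesV1"><Type>25</Type>
<EapType xmlns="http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV1"><ServerValidation>
<DisableUserPromptForServerValidation>false</DisableUserPromptForServerValidation><ServerNames></ServerNames>
</ServerValidation><Eap xmlns="http://www.microsoft.com/provisioning/BaseEapConnectionPropertiesV1"><Type>26</Type></Eap>
</EapType></Eap></Config></EapHostConfig></EAPConfig></OneX></security></MSM></WLANProfile>"""
# Constructed: the same profile switched to a manual join and EAP-TLS (type 13)
HARDENED = WEAK.replace("auto", "manual").replace(">25<", ">13<").replace(">26<", ">13<")
```

Run `audit_profile` over every XML file produced by `netsh wlan export profile folder=<dir>` on a managed fleet; the weak sample yields five findings, the hardened one none.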
Air Snitch demonstrates that, while the world focuses on cloud and AI security, attacks on basic physical infrastructure remain a devastatingly effective entry point. As Unit 42 points out, in the era of hybrid work, the air surrounding our office is now part of the attack surface, and it is time to start protecting it.