12

Is WPA2 WiFi protected against ARP poisoning? If not, can the ARP poisoner decrypt the packets?

AviD
  • 72,138
  • 22
  • 136
  • 218
fhucho
  • 245
  • 3
  • 10

1 Answers1

18

WPA2 is NOT protected against ARP poisoning.

When you perform ARP poisoning, you announce that your MAC address is responsible for a given IP address. All of this happens at a layer higher than WPA2 is aware of. Let's say layer 3. Because the WPA2 encryption link is down on layer 2, and packets destined for the attacked IP are now addressed to the attacker's MAC address on layer 2, they will be encrypted for the attacker.

Edit: Also, one should be aware of "Hole 196".

Jeff Ferland
  • 38,090
  • 9
  • 93
  • 171
  • ARP is a layer 2 protocol. – fianchetto Mar 03 '11 at 20:23
  • 1
    Yes, strictly it belongs there. Like most things it doesn't perfectly fit, though. It is the bridging of the L3 IP to the L2 Mac that is above the access point's head, if you will. The access point is L2. While no L3 encapsulates an ARP request, there would be no ARP request without L3 in the first place. – Jeff Ferland Mar 03 '11 at 20:27