Researchers have unveiled AirSnitch, a series of attacks that undermine client isolation in Wi-Fi networks, allowing unauthorized communication between devices. The technique exploits low-level network behaviors and affects routers from major manufacturers including Netgear, D-Link, and Cisco. Presented at the 2026 Network and Distributed System Security Symposium, the findings highlight vulnerabilities in home, office, and enterprise setups.
Wi-Fi networks, connecting over 6 billion users worldwide, rely on client isolation to prevent devices from communicating directly with each other, even when encrypted. However, new research demonstrates that AirSnitch attacks can bypass this protection by targeting Layers 1 and 2 of the network stack, leading to cross-layer identity desynchronization.
The attacks enable a full bidirectional man-in-the-middle (MitM) setup, where an attacker can intercept and modify traffic between clients. This works even across different SSIDs or network segments sharing the same access point (AP). Lead researcher Xin’an Zhou stated, “AirSnitch breaks worldwide Wi-Fi encryption, and it might have the potential to enable advanced cyberattacks.” Co-author Mathy Vanhoef clarified that it bypasses client isolation without breaking authentication or encryption itself, noting that users not depending on isolation remain unaffected.
Tested on 11 devices—such as the Netgear Nighthawk x6 R8000, D-Link DIR-3040, and Cisco Catalyst 9130—all proved vulnerable to at least one variant. The technique adapts port stealing from Ethernet to Wi-Fi, allowing attackers with network access to redirect traffic. In enterprise settings, it can defeat RADIUS authentication by spoofing gateways and establishing rogue access points.
Security expert HD Moore described the work as impressive, comparing it to restoring pre-isolation attack surfaces like ARP spoofing. While some router updates address parts of the issue, systemic fixes may require chip-level changes. Potential mitigations include VPNs and zero trust models, though they have limitations. Zhou warned that firewalls and VLANs may not fully protect against expanded threat models, including attacks from the internet.
