AirSnitch bypasses Wi-Fi encryption on 11 routers — "threat to worldwide network security" researchers warn

AirSnitch Wi-Fi Vulnerability: Complete Security Guide

A team of researchers from the University of California, Riverside revealed a series of weaknesses in existing Wi-Fi security, allowing them to intercept data on a network infrastructure that they’ve already connected to, even with client isolation in place.

The group called this vulnerability, AirSnitch, and according to their paper, it exploits inherent weaknesses in the networking stack. Since Wi-Fi does not cryptographically link client MAC addresses, Wi-Fi encryption keys, and IP addresses through Layers 1, 2, and 3 of the network stack, an attacker can use this to assume the identity of another device and confuse the network into diverting downlink and uplink traffic through it.

Xin’an Zhou, the lead author on the research, said in an interview that AirSnitch “breaks worldwide Wi-Fi encryption, and it might have the potential to enable advanced cyberattacks.” He also added, “Advanced attacks can build on our primitives to [perform] cookie stealing, DNS and cache poisoning. Our research physically wiretaps the wire altogether so these sophisticated attacks will work. It’s really a threat to worldwide network security.”

AirSnitch does not break encryption at all, but it challenges the general assumption that encrypted clients cannot attack each other because they’ve been cryptographically isolated. The vulnerability was presented at the Network and Distributed System Security (NDSS) Symposium 2026 in San Diego.

🔐 SECURITY ALERT

Understanding the AirSnitch Wi-Fi Vulnerability

Breaking down how this architectural flaw bypasses client isolation across home, office, and enterprise networks

Global Impact at a Glance

42B+

Cumulative Wi-Fi Devices Shipped Through 2023

70%

Global Population Using Wi-Fi Networks

Router Models Tested – All Vulnerable

100%

Success Rate Across All Network Types

What Makes AirSnitch Different?

Unlike previous attacks that broke encryption protocols like WEP and WPA, AirSnitch bypasses encryption entirely by exploiting weaknesses in how Wi-Fi networks handle device identities across different network layers. The research shows that even advanced enterprise systems relying on WPA3 encryption remain vulnerable to these cross-layer attacks.

There are four primary ways that AirSnitch uses to bypass client isolation. The first is by abusing shared keys — since most networks use a single password or a Group Temporal Key (GTK), an attacker can make packets aimed for a specific target and wrap it inside a GTK broadcast frame to make it look like legitimate information meant for everyone. The target would then accept the traffic, thinking that it’s a broadcast packet, allowing the attacker to use that as an initial opening for more complex attacks.

Another attack vector is Gateway Bouncing, where the attacker sends data to an access point that’s addressed to a gateway MAC. When the gateway receives it, it sees that Layer 3 IP header, which is the victim’s IP address, but ignores the Layer 2 destination (which is the gateway itself). It then forwards that to the victim, essentially allowing one client to send data to another client without doing so directly.

How AirSnitch Works: The Attack Flow

Normal Network Operation

📡

Wi-Fi Router

💻

Your Device

📱

Other Devices

AirSnitch Attack in Progress

📡

Wi-Fi Router

⚠️

Attacker Intercepting

💻

Your Device (Unaware)

⚠️ Critical Vulnerability

AirSnitch exploits the lack of cryptographic binding between client MAC addresses, encryption keys, and IP addresses across network Layers 1, 2, and 3. This allows attackers to assume another device’s identity and redirect traffic through their own device, even when client isolation is enabled. The vulnerability affects both consumer and enterprise infrastructure.

Four Primary Attack Vectors

Shared Key Abuse

Attackers wrap malicious packets inside legitimate Group Temporal Key (GTK) broadcast frames. Target devices accept this traffic as normal broadcast data, creating an opening for advanced attacks.

Gateway Bouncing

Data sent to the access point addressed to a gateway MAC gets forwarded to the victim based on Layer 3 IP headers, allowing indirect client-to-client communication that bypasses isolation.

MAC Spoofing (Downlink)

Attackers spoof the victim’s MAC address, causing the gateway to forward all downlink traffic intended for the victim to the attacker’s device instead.

Backend Device Spoofing

By spoofing the MAC of backend devices like the gateway itself, attackers can intercept uplink traffic from targets, completing the bidirectional machine-in-the-middle attack.

The researchers found that these vulnerabilities exist in five popular home routers — Netgear Nighthawk x6 R8000, Tenda RX2 Pro, D-LINK DIR-3040, TP-Link Archer AXE75, and Asus RT-AX57 — two open-source firmwares — DD-WRT v3.0-r44715 and OpenWrt 24.10 — and across two university enterprise networks.

This shows that the issue is not just limited to how manufacturers make and program their routers. Instead, it’s a problem with Wi-Fi itself, where its architecture is vulnerable to attackers who know how to take advantage of its flaws. The researchers called on the tech industry to address the vulnerabilities, but acknowledged that fixes will require more than simple patches — the problem is architectural and demands revision at the standards level.

Confirmed Vulnerable Devices

All tested routers showed vulnerability to at least one attack method

Netgear Nighthawk x6 R8000

Tenda RX2 Pro

D-LINK DIR-3040

TP-LINK Archer AXE75

ASUS RT-AX57

DD-WRT v3.0-r44715

OpenWrt 24.10

Ubiquiti AmpliFi Alien

Ubiquiti AmpliFi HD

LANCOM LX-6500

Cisco Catalyst 9130

Enterprise Networks Also Affected

The vulnerability extends beyond home routers. Enterprise-grade systems using WPA3 encryption and RADIUS authentication also showed vulnerabilities. Attackers can even break RADIUS protocols to set up rogue access points and intercept corporate credentials. This has implications for enterprise security infrastructure across industries.

How to Protect Yourself

Update Router Firmware

Some manufacturers have released updates that mitigate certain attack vectors. Check your router manufacturer’s website regularly for security patches and apply them immediately.

Use VPN for Sensitive Activities

While VPNs can leak metadata and DNS queries, they add an additional encryption layer. Choose reputable VPN providers and use them especially on public or shared networks.

Avoid Public Wi-Fi Networks

For critical tasks involving passwords, banking, or sensitive data, use cellular data (4G/5G) or tether from your phone instead of connecting to public Wi-Fi networks.

Verify HTTPS Connections

Always check for HTTPS in website URLs. Avoid entering sensitive information on non-encrypted sites. Install browser extensions that force HTTPS connections when available.

Strong Guest Network Passwords

Even guest networks sharing the same access point infrastructure can be exploited. Use strong, unique passwords and change them regularly. Consider whether you truly need a guest network.

Zero Trust Network Architecture

For enterprises, implement zero trust security models that verify every device and user attempting to access resources, regardless of network location. This provides defense-in-depth against AirSnitch attacks.

“This work is impressive because unlike other frame injection methods, the attacker controls a bidirectional flow,” said HD Moore, security expert and CEO of runZero. This bidirectional control allows attackers to not only intercept data but also modify it before it reaches its destination.

Lead researcher Xin’an Zhou, who conducted the research as a doctoral student at UC Riverside and now works for Palo Alto Networks, warns that “enterprises are seemingly relying on a fake sense of security” with current WPA3 enterprise encryption.

The researchers hope that this revelation would force the industry to come together and create a rigorous set of requirements for client isolation and avoid this flaw in the future. While this may sound concerning, the researchers pointed out that this type of attack is rather complicated, especially with how complex modern wireless networks have become.

Understanding the Broader Context

The weaknesses stem in part from hardware designs that have not kept pace with increasingly sophisticated hacking techniques. Mitigation strategies proposed by the researchers include stronger separation of encryption keys and better synchronization of device identities across network layers. They have also shared their findings with vendors in advance of publication. For context on related technology security developments, industry experts continue monitoring these architectural vulnerabilities.

The Current State

AirSnitch exposes fundamental weaknesses in how Wi-Fi handles device identities across network layers. While the attack requires existing network access, it works across separate SSIDs and even network segments sharing the same infrastructure. Complete fixes will require coordinated efforts from chip manufacturers, router vendors, and standards organizations. The research was presented at the NDSS Symposium 2026.

The AirSnitch vulnerability was disclosed by UC Riverside researchers at the NDSS Symposium 2026. The research examined client isolation mechanisms across home routers, enterprise WPA3 deployments, and multi-access-point systems. Every tested system proved vulnerable to at least one attack variant.

The researchers tested 11 Wi-Fi devices from vendors including Cisco Systems, Netgear, D-Link, Asus, and Ubiquiti. Vendors were notified before disclosure, but complete fixes require hardware redesign and stronger key separation. The timeline for standardization and hardware updates extends from months to years.

The research paper covered the vulnerability’s technical mechanisms, tested network configurations, and proposed mitigation strategies. The findings were shared with the wireless security community and equipment manufacturers.