AirSnitch Wi‑Fi Bypass
- Palo Alto Networks Unit 42 disclosed 'AirSnitch' attacks that can bypass WPA2/3 encryption and client isolation.
- The researchers warn these attacks expose enterprise wireless weaknesses that many organisations assume are already mitigated.
- Unit 42 published detailed attack scenarios and suggested mitigations on April 22, 2026. (unit42.paloaltonetworks.com)

A new AirSnitch attack can let someone on the same Wi‑Fi network intercept traffic even when the network uses WPA2 or WPA3 and client isolation. (unit42.paloaltonetworks.com) Palo Alto Networks’ Unit 42 published its write-up on April 22, 2026, based on research presented at the Network and Distributed System Security Symposium 2026. The paper’s authors are from the University of California, Riverside and KU Leuven. (unit42.paloaltonetworks.com) (ndss-symposium.org)

Wi‑Fi encryption protects the radio link between a device and the access point, like sealing a letter for the trip through the air. Client isolation is a separate rule that is supposed to stop devices on the same network from talking to or spying on each other. (ndss-symposium.org) (securityweek.com)

AirSnitch works by abusing how wireless gear handles broadcast keys, routing paths and switching tables, not by cracking the encryption itself. Unit 42 said those weaknesses can let attackers intercept packets or inject their own traffic after they already have legitimate Wi‑Fi access. (unit42.paloaltonetworks.com) (ndss-symposium.org)

The researchers describe attack families with names like Port Stealing and Gateway Bouncing. In the paper, they wrote that every tested router and network was vulnerable to at least one attack. (ndss-symposium.org 1) (ndss-symposium.org 2)

That finding hits enterprise guest networks, offices, airports and coffee shops that rely on “AP isolation” or “station isolation” to keep users apart. Unit 42 said the exposure is industry-wide because WPA2‑Enterprise and WPA3‑Enterprise are widely deployed across major vendors and operating systems. (securityweek.com) (unit42.paloaltonetworks.com)

The paper argues that one root problem is that client isolation is not a standardized Wi‑Fi feature. The authors said vendors added it in inconsistent ways, which left gaps at the Media Access Control layer, the Internet Protocol layer, or both. (ndss-symposium.org) (securityweek.com)

Unit 42 said some AirSnitch paths depend on local network design, while others stem from Wi‑Fi design choices that are hard or impossible to fully patch inside current standards. The researchers released the findings publicly to speed mitigation rather than wait for a single vendor fix. (unit42.paloaltonetworks.com)

The defensive advice is less about one setting and more about layers: use end-to-end encryption such as Hypertext Transfer Protocol Secure and virtual private networks, segment sensitive systems, and apply vendor updates where they exist. Unit 42 also pointed defenders to testing tools and configuration reviews instead of assuming WPA2 or WPA3 alone closes the gap. (unit42.paloaltonetworks.com) (github.com)

AirSnitch does not mean every encrypted Wi‑Fi session is suddenly readable from the parking lot. It means a nearby user with network access may be able to turn enterprise Wi‑Fi’s built-in guardrails into a path around protections many teams treated as settled. (unit42.paloaltonetworks.com) (ndss-symposium.org)