AirSnitch Bypass Found

- Researchers disclosed a technique called AirSnitch that can bypass WPA2/3‑Enterprise protections.
- The bypass works via 'gateway bouncing', letting attackers skirt enterprise Wi‑Fi authentication controls.
- Teams should audit Wi‑Fi gateways and enforce stricter gateway‑to‑auth flows to block this bypass (x.com).

Wi‑Fi “client isolation” is supposed to keep one logged-in user from reaching another on the same network. AirSnitch shows that barrier can still be sidestepped on WPA2- and WPA3-Enterprise networks. (ndss-symposium.org)

The research came from Xin’an Zhou, Juefei Pu, Zhutian Liu, Zhiyun Qian, Zhaowei Tan, Srikanth V. Krishnamurthy, and Mathy Vanhoef, and was presented at the Network and Distributed System Security Symposium held Feb. 23-27, 2026, in San Diego. The paper says every tested router and network was vulnerable to at least one attack. (cs.ucr.edu)

Enterprise Wi‑Fi usually gives each user separate credentials and protects radio traffic so nearby eavesdroppers cannot just listen in. The paper says that protection stops at the wireless link, not at the gateway and switching logic that move packets inside the network. (news.ucr.edu)

That gap is where “gateway bouncing” fits in. The researchers describe routing-layer attacks that exploit cases where isolation is enforced at one layer but not another, letting a gateway forward traffic in ways that restore client-to-client injection and man-in-the-middle positioning. (cs.ucr.edu)

The paper groups the bypasses into three buckets: shared-key abuse in Wi‑Fi encryption, gateway bouncing at the routing layer, and port stealing at the switching layer. In plain terms, the attacks work by taking advantage of mismatches between Wi‑Fi keys, Media Access Control addresses, and Internet Protocol identities. (cisco.com)

The researchers say the attacker is not an outsider cracking passwords from the parking lot. AirSnitch assumes an “insider” who is already associated and authenticated to the same wireless network as the victim. (cisco.com) That matters for offices, campuses, hotels, airports, and guest networks that rely on client isolation as a backstop after login. UC Riverside said the team repeatedly showed that a malicious user on the same Wi‑Fi could intercept data and manipulate traffic even when modern protections were enabled. (news.ucr.edu)

Cisco, in guidance published March 9, 2026, said the attacks are not flaws in WPA encryption itself and would be less likely to succeed on enterprise networks using layered controls across wireless, switching, and routing. Cisco also said affected deployments should pair wireless isolation with best-practice segmentation, monitoring, and duplicate address detection. (cisco.com)

The authors and vendors are converging on the same immediate check: do not assume Enterprise Wi‑Fi authentication alone stops east-west traffic abuse after login. Teams need to test whether gateways, access points, and authentication flows all enforce the same isolation policy before AirSnitch turns that blind spot into a live path. (github.com)
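
As an added example (not code from the paper or from Cisco's guidance), the sketch below audits frame observations for the layer mismatches described above: client-to-client traffic handed to the gateway, an IP claimed by a second MAC, and a MAC appearing on a second port. It assumes gateway bouncing shows up as a frame addressed to the gateway's MAC whose destination IP is another client in the isolated subnet; the addresses, port names and record layout are constructed.

```python
import ipaddress

# Constructed values for illustration; substitute the site's own.
GATEWAY_MAC = "02:00:00:00:00:01"
GATEWAY_IP = ipaddress.ip_address("10.20.0.1")
ISOLATED_NET = ipaddress.ip_network("10.20.0.0/24")

# Constructed observations: (port, src_mac, dst_mac, src_ip, dst_ip)
SAMPLE = [
    ("ap1", "02:00:00:00:00:0a", GATEWAY_MAC, "10.20.0.10", "192.0.2.10"),
    ("ap1", "02:00:00:00:00:0b", GATEWAY_MAC, "10.20.0.11", "10.20.0.10"),
    ("ap2", "02:00:00:00:00:0a", GATEWAY_MAC, "10.20.0.10", "10.20.0.1"),
    ("ap1", "02:00:00:00:00:0b", GATEWAY_MAC, "10.20.0.10", "198.51.100.7"),
]

def audit(frames):
    """Return (kind, src_mac, detail) findings for isolation-policy mismatches."""
    findings = []
    ip_owner = {}   # first MAC seen using each client IP
    mac_port = {}   # first port each MAC was seen on
    for port, src_mac, dst_mac, src_ip, dst_ip in frames:
        src = ipaddress.ip_address(src_ip)
        dst = ipaddress.ip_address(dst_ip)
        # Layer 2 says "to the gateway", layer 3 says "to another isolated client":
        # isolation at the access point never sees this as client-to-client.
        if (dst_mac == GATEWAY_MAC and src in ISOLATED_NET
                and dst in ISOLATED_NET and dst != GATEWAY_IP):
            findings.append(("hairpin", src_mac, dst_ip))
        # Same client IP sourced from a different MAC than first observed.
        if src in ISOLATED_NET:
            owner = ip_owner.setdefault(src_ip, src_mac)
            if owner != src_mac:
                findings.append(("ip-mac-conflict", src_mac, src_ip))
        # Same MAC on a second port; can be roaming, so correlate before alerting.
        first_port = mac_port.setdefault(src_mac, port)
        if first_port != port:
            findings.append(("mac-moved", src_mac, port))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

A gateway that drops or logs the "hairpin" case is enforcing isolation at the routing layer as well as the wireless one.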
