New 'AirSnitch' Attack Bypasses Wi-Fi Client Isolation

Researchers have detailed a new wireless attack called "AirSnitch" that enables lateral movement between Wi-Fi clients, even when client isolation is enabled. The attack uses five different vectors to bypass or abuse encryption protocols at Layer 2/3, potentially allowing an attacker to jump from a guest network to an enterprise network.

Researchers from the University of California, Riverside, and KU Leuven presented the "AirSnitch" attack at the NDSS Symposium 2026. Their work demonstrates that every tested router and network from vendors like Cisco, Netgear, and Ubiquiti was vulnerable to at least one of the attack vectors they developed.

The core vulnerability stems from the fact that Wi-Fi client isolation is not a standardized feature in the IEEE 802.11 standards. This has led to inconsistent and ad-hoc implementations by vendors across the encryption, packet switching, and IP routing layers, creating the security gaps exploited by AirSnitch. One of the attack vectors, "gateway bouncing," exploits Layer 3 routing failures by sending packets to the gateway's MAC address but with the victim's IP address as the destination, causing the gateway to forward the traffic back to the supposedly isolated client. Another method abuses the shared Group Temporal Key (GTK) used in WPA2/WPA3 to inject malicious frames disguised as broadcast traffic.

This attack directly undermines the network pillar of a Zero Trust architecture, reinforcing the DoD's mandate that identity, not network location, must be the security perimeter. Since AirSnitch allows lateral movement despite network segmentation controls, it elevates the importance of the User & Identity pillar's role in continuously verifying every access request, assuming the network is already compromised.

For detection engineering in Splunk, focus on correlating wireless infrastructure logs with network traffic data. Build rules to detect anomalies such as a single MAC address rapidly re-associating with different credentials or SSIDs, or traffic patterns indicative of gateway bouncing where packets egress and immediately ingress the gateway destined for the same wireless subnet.
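The gateway-bouncing detection idea above can be expressed as a small correlation rule. The following is an added example, not code from the AirSnitch paper or from any vendor, and it runs over a constructed set of gateway flow records rather than real Splunk data: the record format (`ts|iface|direction|src_mac|dst_mac|src_ip|dst_ip`), the gateway MAC/IP, the wireless subnet and the 50 ms correlation window are all assumptions chosen for illustration. It flags frames received on the wireless interface that are addressed to the gateway at Layer 2 but to a peer client in the same wireless subnet at Layer 3, and marks the alert as `forwarded` when the gateway is then seen re-emitting that same IP pair onto the wireless interface, which is the "egress then immediate ingress" pattern the text describes.

```python
"""Detect gateway-bouncing (hairpin) traffic in flow records seen at a gateway.

Added example with constructed data. Each record is one frame observed on a
gateway interface:
    ts|iface|direction|src_mac|dst_mac|src_ip|dst_ip
direction is 'in' (received from that interface) or 'out' (transmitted on it).
Records are assumed to be sorted by timestamp.
"""
import ipaddress
from collections import namedtuple

Frame = namedtuple("Frame", "ts iface direction src_mac dst_mac src_ip dst_ip")


def parse_records(text):
    """Parse pipe-separated records into Frame tuples, skipping blanks/comments."""
    frames = []
    for line in text.strip().splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, iface, direction, src_mac, dst_mac, src_ip, dst_ip = line.split("|")
        frames.append(Frame(float(ts), iface, direction, src_mac.lower(), dst_mac.lower(),
                            ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)))
    return frames


def detect_gateway_bounce(frames, gateway_mac, gateway_ip, wireless_subnet, window_s=0.05):
    """Return one alert per hairpin request.

    A hairpin request is a frame received on the wireless interface whose
    destination MAC is the gateway but whose destination IP is another host
    inside the wireless subnet (not the gateway itself). The alert's
    'forwarded' flag is True when the gateway is seen transmitting a frame
    with the same src/dst IP pair back onto the same interface within window_s,
    i.e. client isolation was actually bypassed rather than merely probed.
    """
    gateway_mac = gateway_mac.lower()
    gateway_ip = ipaddress.ip_address(gateway_ip)
    net = ipaddress.ip_network(wireless_subnet)
    alerts = []
    for i, f in enumerate(frames):
        if f.direction != "in" or f.dst_mac != gateway_mac:
            continue
        if f.dst_ip == gateway_ip or f.dst_ip not in net:
            continue  # normal: traffic to the gateway itself or routed off-subnet
        forwarded = False
        for g in frames[i + 1:]:
            if g.ts - f.ts > window_s:
                break
            if (g.direction == "out" and g.iface == f.iface and g.src_mac == gateway_mac
                    and g.src_ip == f.src_ip and g.dst_ip == f.dst_ip):
                forwarded = True
                break
        alerts.append({"ts": f.ts, "src_mac": f.src_mac, "src_ip": str(f.src_ip),
                       "dst_ip": str(f.dst_ip), "forwarded": forwarded})
    return alerts


# Constructed sample: gateway 00:11:22:33:44:55 / 192.168.50.1 on wlan0, subnet 192.168.50.0/24.
SAMPLE = """
# ts|iface|direction|src_mac|dst_mac|src_ip|dst_ip
1.000|wlan0|in|aa:aa:aa:aa:aa:01|00:11:22:33:44:55|192.168.50.10|192.168.50.20
1.003|wlan0|out|00:11:22:33:44:55|aa:aa:aa:aa:aa:02|192.168.50.10|192.168.50.20
2.000|wlan0|in|aa:aa:aa:aa:aa:01|00:11:22:33:44:55|192.168.50.10|203.0.113.7
2.002|eth0|out|00:11:22:33:44:55|cc:cc:cc:cc:cc:01|192.168.50.10|203.0.113.7
3.000|wlan0|in|aa:aa:aa:aa:aa:02|00:11:22:33:44:55|192.168.50.20|192.168.50.1
4.000|wlan0|in|aa:aa:aa:aa:aa:03|00:11:22:33:44:55|192.168.50.30|192.168.50.10
"""


def run_sample():
    """Run the rule over the constructed sample; returns two alerts."""
    return detect_gateway_bounce(parse_records(SAMPLE), "00:11:22:33:44:55",
                                 "192.168.50.1", "192.168.50.0/24")


if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```

In the sample, the frame at t=1.000 is a hairpin that the gateway then forwards back onto wlan0 (isolation bypassed), t=2.000 is ordinary Internet-bound traffic, t=3.000 is addressed to the gateway itself, and t=4.000 is a hairpin with no matching egress, so it reports `forwarded: False`. Alerting on `forwarded: True` finds isolation failures that actually occurred; the unforwarded requests are still worth logging, since a client addressing peers through the gateway has no benign reason to do so.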
Even WPA3-Enterprise networks are vulnerable, as attackers can intercept RADIUS authentication traffic to target the shared secret, potentially allowing them to stand up a rogue access point to harvest enterprise credentials. This makes robust identity and credential management, a core tenet of the DoD's Zero Trust strategy, a critical compensating control.
