AirSnitch, a set of cross-layer attacks, bypasses Wi‑Fi client isolation and can affect home networks, small offices, and large enterprises. The research shows that encryption alone cannot guarantee isolation when Layer 1 and Layer 2 behaviors are exploited.
AirSnitch works across many devices including Netgear, D-Link, Ubiquiti, Cisco, and routers running DD-WRT or OpenWrt. The researchers describe the impact as a bypass of client isolation rather than a break of WPA2/WPA3, underscoring a different risk vector that leverages the lowest layers of the networking stack.
At the core, the attacks manipulate MAC-to-port mappings on access points and distribution switches, allowing an attacker to intercept and redirect traffic between clients on the same AP or across different APs connected to the same network. In practice, this can enable a bidirectional man-in-the-middle, DNS cache poisoning, and credential theft, even when devices are on separate SSIDs.
Not all devices are equally vulnerable; in tests, 11 devices/firmware variants were affected, and while some vendors have pushed patches, others say the underlying hardware chips must be redesigned. Vendors differ in how they implement client isolation, and there is no universal standard across manufacturers.
Experts suggest mitigations beyond patching: adopting zero-trust networking principles, deploying VPNs, and ensuring rogue-AP detection and proper network segmentation. VLANs and guest networks help, but independent isolation is not guaranteed when cross-layer vulnerabilities exist. The researchers published their NDSS 2026 paper, AirSnitch: Demystifying and Breaking Client Isolation in Wi‑Fi Networks, detailing the technique and implications.
