UCR researchers unveil AirSnitch that can bypass Wi‑Fi client isolation
Researchers at UCR have described a set of Wi‑Fi attacks called AirSnitch that can nullify client isolation and let a device on the same network intercept or redirect traffic, a risk that the team says affects home, office, and enterprise access points.
UCR team outlines how AirSnitch sidesteps encryption
The team said AirSnitch does not break Wi‑Fi authentication or cryptographic algorithms but instead exploits behaviors at the lowest levels of the network stack, a design flaw that can let one client assume another device’s identity or trick a gateway into forwarding packets. Xin’an Zhou, the lead author, warned that "AirSnitch breaks worldwide Wi‑Fi encryption, and it might have the potential to enable advanced cyberattacks," and the researchers presented the work at the 2026 Network and Distributed System Security Symposium.
Four concrete attack paths and affected hardware
The researchers identified four primary techniques that let an attacker bypass client isolation, and they demonstrated the effects on multiple consumer routers and open‑source firmwares. Mathy Vanhoef said the work is better described as a Wi‑Fi encryption "bypass" rather than a break: "We don’t break Wi‑Fi authentication or encryption. Crypto is often bypassed instead of broken. And we bypass it ;)"
- Abusing shared keys: wrapping targeted packets in a Group Temporal Key broadcast frame so a victim accepts them;
- Gateway Bouncing: sending traffic addressed to a gateway MAC that the gateway then forwards to the victim;
- MAC spoofing of a victim to receive downlink traffic;
- Spoofing backend devices, such as the gateway, to receive uplink traffic from the target.
The team tested those primitives against several popular devices and firmware builds: Netgear Nighthawk x6 R8000, Tenda RX2 Pro, D‑LINK DIR‑3040, TP‑Link Archer AXE75, Asus RT‑AX57, DD‑WRT v3.0‑r44715 and OpenWrt 24.10. They also demonstrated the flaws on two university enterprise networks, showing the issue spans consumer gear and institutional deployments.
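For defenders, three of the four primitives listed above leave traces that can be checked in access point association events and in frame metadata captured at the gateway. The following detection sketch is an added example, not code from the researchers or their paper. It assumes the hypothetical record layouts, addresses and alert names shown in the comments, and it assumes that a bounced frame carries another local client's IP address as its destination.

```python
import ipaddress

# Assumed environment values, constructed for this example.
GATEWAY_MAC = "02:00:00:00:00:01"
GATEWAY_IP = "192.168.50.1"
ISOLATED_NET = ipaddress.ip_network("192.168.50.0/24")

def check_associations(events):
    """events: (time, bssid, station_mac, action) tuples in time order."""
    alerts, active = [], {}          # active: station MAC -> BSSIDs in use
    for ts, bssid, sta, action in events:
        sta = sta.lower()
        if action == "disassoc":
            active.get(sta, set()).discard(bssid)
            continue
        if sta == GATEWAY_MAC:       # backend device MAC seen as a Wi-Fi client
            alerts.append((ts, "wireless-station-using-gateway-mac", sta))
        seen = active.setdefault(sta, set())
        if seen and bssid not in seen:   # no disassoc first, so not a clean roam
            alerts.append((ts, "mac-active-on-multiple-bssids", sta))
        seen.add(bssid)
    return alerts

def check_frames(frames):
    """frames: (time, src_mac, dst_mac, src_ip, dst_ip) sent by Wi-Fi clients."""
    alerts = []
    for ts, src_mac, dst_mac, src_ip, dst_ip in frames:
        local_dst = ipaddress.ip_address(dst_ip) in ISOLATED_NET
        local_src = ipaddress.ip_address(src_ip) in ISOLATED_NET
        # L2 destination is the gateway, L3 destination is a peer client.
        if (dst_mac.lower() == GATEWAY_MAC and local_src and local_dst
                and dst_ip != GATEWAY_IP):
            alerts.append((ts, "client-to-client-via-gateway", src_mac.lower()))
    return alerts

# Constructed sample records (not taken from the research).
ASSOC_LOG = [
    (100, "ap1-5g", "02:00:00:00:00:aa", "assoc"),
    (105, "ap1-5g", "02:00:00:00:00:bb", "assoc"),
    (130, "ap1-2g", "02:00:00:00:00:AA", "assoc"),     # same MAC, second BSSID
    (140, "ap1-5g", "02:00:00:00:00:bb", "disassoc"),
    (150, "ap1-2g", "02:00:00:00:00:bb", "assoc"),     # ordinary roam
    (160, "ap1-2g", "02:00:00:00:00:01", "assoc"),     # gateway MAC on Wi-Fi
]
FRAME_LOG = [
    (200, "02:00:00:00:00:bb", GATEWAY_MAC, "192.168.50.20", "93.184.216.34"),
    (201, "02:00:00:00:00:aa", GATEWAY_MAC, "192.168.50.10", "192.168.50.20"),
    (202, "02:00:00:00:00:bb", GATEWAY_MAC, "192.168.50.20", "192.168.50.1"),
]
```

Clients that roam without sending a disassociation will trigger the multiple-BSSID alert, so treat it as a lead to correlate with the other two signals.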
Practical consequences for networks and users
The researchers said the vulnerability undercuts the expectation that encrypted clients on the same network are isolated from one another. Zhou added that "Advanced attacks can build on our primitives to [perform] cookie stealing, DNS and cache poisoning," which outlines how initial access could be escalated into data theft or traffic manipulation.
Wi‑Fi’s layered architecture, in which Layer‑1 physical behavior and higher layers are not cryptographically bound, creates the attack surface AirSnitch targets. The team emphasized that people who do not rely on client or network isolation are not affected by the bypass.
The researchers published a paper describing the primitives and demonstrated them at the 2026 Network and Distributed System Security Symposium; that presentation served as the public disclosure of the techniques and affected products, and it anchored the team’s call for attention to flaws rooted in the network stack.
Next steps confirmed by the research timeline include the public presentation at the 2026 Network and Distributed System Security Symposium and the release of the research paper that documents the attack methods and the devices and firmware on which the team tested them.