New Attack Against Wi-Fi

It’s called AirSnitch:

Unlike previous Wi-Fi attacks, AirSnitch exploits core features in Layers 1 and 2 and the failure to bind and synchronize a client across these and higher layers, other nodes, and other network names such as SSIDs (Service Set Identifiers). This cross-layer identity desynchronization is the key driver of AirSnitch attacks.

The most powerful such attack is a full, bidirectional machine-in-the-middle (MitM) attack, meaning the attacker can view and modify data before it makes its way to the intended recipient. The attacker can be on the same SSID, a separate one, or even a separate network segment tied to the same AP. It works against small Wi-Fi networks in both homes and offices and large networks in enterprises.

With the ability to intercept all link-layer traffic (that is, the traffic as it passes between Layers 1 and 2), an attacker can perform other attacks on higher layers. The most dire consequence occurs when an Internet connection isn’t encrypted—something that Google recently estimated occurred when as much as 6 percent and 20 percent of pages loaded on Windows and Linux, respectively. In these cases, the attacker can view and modify all traffic in the clear and steal authentication cookies, passwords, payment card details, and any other sensitive data. Since many company intranets are sent in plaintext, traffic from them can also be intercepted.

Even when HTTPS is in place, an attacker can still intercept domain look-up traffic and use DNS cache poisoning to corrupt tables stored by the target’s operating system. The AirSnitch MitM also puts the attacker in the position to wage attacks against vulnerabilities that may not be patched. Attackers can also see the external IP addresses hosting webpages being visited and often correlate them with the precise URL.

Here’s the paper.

Posted on March 9, 2026 at 6:57 AM

Comments

AlexT March 9, 2026 9:36 AM

Interesting one.

Just skimmed the paper, but does it necessitate specialized hardware?

Clive Robinson March 9, 2026 9:57 AM

@ AlexT,

Like you, I’ve only had a brief look through the paper.

That said, the conclusion is quite short and the latter part of,

We believe that a root cause of these vulnerabilities is the missing standardization of client isolation: this defense was added by vendors without proper public review. However, we have shown that client isolation is surprisingly tedious to get right in modern Wi-Fi networks due to their complexity. Moreover, we have shown that client isolation in home networks, which is often a configuration option in routers, is fundamentally flawed. We hope our work motivates standardization groups to more rigorously specify the requirements of client isolation and that Wi-Fi vendors will implement the same more securely.

Is quite revealing in what it says, in that it basically portrays all parts of the design process as not what they could or should have been for a robust and secure system…

Bernie March 9, 2026 10:04 AM

A quick note: Just below the article on Ars are a few highlighted comments that help explain things. If you read the article, make sure you scroll down past its end for those comments.

Peter A. March 9, 2026 11:30 AM

Do I understand correctly that this attack applies only after a rogue device is already authenticated and allowed on the network (SSID), such as a known-password “guest” or “public” WiFi, or when the attacker has been provided with, guessed, or cracked the password, and only after that the attacker is able to MiTM traffic to/from other devices on the same SSID?

Rontea March 9, 2026 1:14 PM

AirSnitch is another reminder that the foundations of our wireless networking stack are far weaker than we’d like to believe. Attacks like this don’t rely on breaking WPA3 encryption directly—they exploit the trust assumptions baked into the hardware and firmware that implement Wi-Fi. Client isolation, a feature that was supposed to keep devices safely siloed, is now demonstrably unreliable.

Defense against AirSnitch isn’t about a single patch. It’s about layered mitigations:

  1. Update your infrastructure – Apply firmware updates from your router vendors immediately, even if they only partially address the issue.
  2. Segment and monitor your network – Treat Wi-Fi as an untrusted medium. Use VLANs, network segmentation, and active monitoring to detect unusual traffic between clients.
  3. Use end-to-end encryption – TLS, VPNs, and encrypted protocols remain your best defense against traffic interception.
  4. Consider zero-trust principles – Don’t rely on client isolation or SSID separation alone. Assume the network can be compromised and authenticate at higher layers.

Ultimately, AirSnitch reinforces a point we’ve seen before: security bolted onto inherently insecure protocols will always be fragile. Long-term solutions require redesigning the underlying systems, not just patching the symptoms.
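One concrete form of the "monitor for unusual traffic between clients" advice in the comment above, as an added example that is not part of the post, the comment, or the AirSnitch paper: on an SSID configured with client isolation, any flow whose two endpoints are both ordinary clients is a symptom that isolation is not holding. The flow-record format, the subnet, and every address below are constructed for the example.

```python
"""Flag client-to-client flows on a Wi-Fi segment that is supposed to enforce
client isolation. Added example, not from the post or the AirSnitch paper;
the flow-record format and all addresses below are constructed."""
import ipaddress
from collections import Counter

# Constructed: the client subnet of an isolated SSID and the hosts that clients
# are legitimately allowed to reach on that subnet (gateway, DNS forwarder).
CLIENT_SUBNET = ipaddress.ip_network("10.20.0.0/24")
INFRASTRUCTURE = {ipaddress.ip_address("10.20.0.1"), ipaddress.ip_address("10.20.0.2")}

def parse_flow(line):
    """Parse one constructed flow record: 'src dst proto dport bytes'."""
    src, dst, proto, dport, nbytes = line.split()
    return {"src": ipaddress.ip_address(src), "dst": ipaddress.ip_address(dst),
            "proto": proto, "dport": int(dport), "bytes": int(nbytes)}

def is_isolation_violation(flow):
    """True when both endpoints are ordinary clients of the isolated subnet.
    Client-to-gateway and client-to-DNS-forwarder traffic is expected; a
    client talking directly to another client should be impossible if
    isolation works (a peer answering DNS, as below, is the MitM pattern)."""
    src, dst = flow["src"], flow["dst"]
    if src not in CLIENT_SUBNET or dst not in CLIENT_SUBNET:
        return False
    return src not in INFRASTRUCTURE and dst not in INFRASTRUCTURE

def find_violations(lines):
    """Return {originating client: number of client-to-client flows}."""
    talkers = Counter()
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if is_isolation_violation(parse_flow(line)):
            talkers[line.split()[0]] += 1
    return talkers

# Constructed sample: normal gateway/DNS traffic plus one client reaching two peers.
SAMPLE_FLOWS = """
# src dst proto dport bytes
10.20.0.17 10.20.0.2 udp 53 92
10.20.0.17 10.20.0.1 tcp 443 5120
10.20.0.45 10.20.0.17 tcp 445 312
10.20.0.45 10.20.0.23 udp 53 88
10.20.0.23 10.20.0.1 tcp 443 2048
""".strip().splitlines()

if __name__ == "__main__":
    for client, n in find_violations(SAMPLE_FLOWS).items():
        print(f"client isolation violated: {client} reached {n} peer(s) directly")
```

The same check applies to any flow export (NetFlow, conntrack, AP client tables) once the record parser is swapped for the real format.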

Tuna March 9, 2026 1:26 PM

I’ve assumed that wifi is, itself and absent other mitigations, insecure ever since I played around with aircrack-ng when I was in high school. Good to know my assumption still holds.
