Unit 42 researchers present AirSnitch, a novel set of Wi-Fi attack techniques demonstrated at NDSS 2026 that bypass WPA2/3-Enterprise encryption and client isolation. The attacks exploit weaknesses in protocol-infrastructure interactions across encryption, switching, and routing layers. Key primitives include Gateway Bouncing (exploiting IP-layer isolation gaps), Port Stealing (hijacking MAC-to-port mappings below the ARP layer), and Broadcast Reflection (injecting unicast payloads via broadcast frames without knowing the GTK). These techniques can be chained to achieve full man-in-the-middle positions, enable RADIUS secret brute-forcing, DNS/DHCP poisoning, and traffic decryption. The attacks affect all major operating systems and Wi-Fi vendors. Mitigations include VLAN segmentation, MAC/IP spoofing prevention, per-client randomized GTKs, and MACsec (IEEE 802.1AE) link-layer encryption.

16m read time. From unit42.paloaltonetworks.com