VYPR
Research · Published Apr 22, 2026 · Updated May 18, 2026 · 1 source

AirSnitch Attacks Break Wi-Fi Encryption and Client Isolation in WPA2/3-Enterprise Networks

Unit 42 researchers have unveiled AirSnitch, a set of novel attack techniques that bypass WPA2 and WPA3-Enterprise encryption by exploiting low-level protocol-infrastructure interactions, affecting devices from multiple major vendors.

Researchers at Palo Alto Networks' Unit 42 have presented a new class of wireless attacks, dubbed AirSnitch, at the NDSS Symposium 2026 that fundamentally undermine the security guarantees of WPA2 and WPA3-Enterprise protocols. By manipulating low-level network states such as MAC address table mappings, attackers can break client isolation and intercept or inject packets, completely bypassing Wi-Fi encryption. The findings, published on April 22, 2026, represent a paradigm shift in wireless threat modeling, moving beyond attacks on individual clients to targeting the wireless infrastructure itself.

AirSnitch exploits subtle security issues in the interplay between encryption, switching, and routing layers. Unlike traditional attacks such as ARP poisoning, AirSnitch operates at lower networking layers, restoring meddler-in-the-middle (MitM) capabilities in modern Wi-Fi networks that were previously considered secure. The techniques include Port Stealing, which exploits fundamental Wi-Fi design errors that are difficult or impossible to patch within existing protocol standards, and Gateway Bouncing, which relies on organization-specific network configurations. These attacks can be launched from multiple vectors: over the air directly to a victim, through the same access point, from within the network, through a different AP, or even from the internet.

The impact is industry-wide, affecting Wi-Fi devices from several major vendors and operating systems including Android, macOS, iOS, Windows, and Ubuntu Linux. Because WPA2 and WPA3-Enterprise are used to encrypt the vast majority of global IEEE 802.11 wireless traffic, AirSnitch creates a critical risk to enterprise data confidentiality. Sensitive credentials and backend systems become exposed to both malicious insiders and external over-the-air attackers. The researchers emphasize that these security issues exist within the core logic of how Wi-Fi handles data, representing a fundamental security gap that undermines protections across all Wi-Fi encryption standards, from WEP to modern WPA2/3.

Importantly, AirSnitch also serves as a foundational building block for more sophisticated higher-layer attacks. By compromising the integrity of lower protocol layers, an attacker can launch complex exploits against upper protocol layers that were previously thought to be shielded by WPA. The researchers note. The researchers urge the Wi-Fi industry to adopt rigorous, standardized security for complex modern Wi-Fi networks, as the flaws cannot be fully patched within existing standards.

For individual organizations, Unit 42 recommends moving beyond the assumption that WPA2/3-Enterprise provides robust protection. Key mitigation steps include implementing robust network segmentation, enhancing spoofing prevention, and updating firewall configurations to protect the integrity of both wired and wireless enterprise environments. Palo Alto Networks customers are protected through Next-Generation Firewall (NGFW) capabilities.
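As an added illustration of the spoofing-prevention monitoring mentioned above (not code from Unit 42 or the NDSS paper), the following sketch flags a MAC address whose table mapping flips back and forth between ports within a short window. The event format, port names and thresholds are assumptions, and the sample events are constructed.

```python
from collections import defaultdict

# Constructed sample data: (unix_seconds, mac, port) MAC-learning events, such as
# a switch or wireless controller might export. The format is an assumption.
SAMPLE_EVENTS = [
    (100, "aa:bb:cc:00:00:01", "ap1"),
    (160, "aa:bb:cc:00:00:01", "ap2"),  # one slow move: consistent with roaming
    (200, "aa:bb:cc:00:00:02", "ap1"),
    (201, "aa:bb:cc:00:00:02", "ap3"),
    (203, "aa:bb:cc:00:00:02", "ap1"),
    (204, "aa:bb:cc:00:00:02", "ap3"),  # rapid flips: two stations claiming one MAC
    (300, "aa:bb:cc:00:00:03", "ap2"),
]

def find_flapping(events, window=10, min_returns=2):
    """Return {mac: [ports]} for MACs whose mapping goes back to an already
    used port at least min_returns times within window seconds."""
    changes = defaultdict(list)  # mac -> [(ts, port)] recorded only when the port changes
    last_port = {}
    for ts, mac, port in sorted(events):
        mac = mac.lower()
        if last_port.get(mac) != port:
            changes[mac].append((ts, port))
            last_port[mac] = port

    flagged = {}
    for mac, moves in changes.items():
        for i, (start_ts, _) in enumerate(moves):
            seen, returns = [], 0
            for ts, port in moves[i:]:
                if ts - start_ts > window:
                    break
                if port in seen:  # mapping returned to an earlier port
                    returns += 1
                seen.append(port)
            if returns >= min_returns:
                flagged[mac] = sorted(set(seen))
                break
    return flagged

if __name__ == "__main__":
    for mac, ports in find_flapping(SAMPLE_EVENTS).items():
        print(f"MAC {mac} is flapping between {', '.join(ports)}")
```

Legitimate Wi-Fi roaming also moves a MAC between access points, so the window and return count need tuning against normal traffic on the network being monitored.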

The research was presented at the NDSS Symposium 2026, marking the first public research to propose all five attack channels that AirSnitch exploits. The findings have been released publicly to accelerate threat mitigation and security improvement across all impacted enterprises, as universal vendor testing and coordinated responsible disclosure were deemed impractical due to the diversity of network configurations involved.

Synthesized by Vypr AI