AirSnitch Attack Bypasses Wi-Fi Encryption Across Major Router Brands

Summary

Security researchers have unveiled AirSnitch, a novel attack that bypasses Wi-Fi encryption by exploiting fundamental weaknesses in the lowest levels of the networking stack rather than breaking cryptographic protections. The attack, presented at the 2026 Network and Distributed System Security Symposium, affects routers from major manufacturers including Netgear, D-Link, Ubiquiti, and Cisco, as well as those running DD-WRT and OpenWrt firmware. Lead researcher Xin'an Zhou warns the vulnerability "breaks worldwide Wi-Fi encryption" and could enable advanced cyberattacks including cookie stealing, DNS poisoning, and cache poisoning.

Unlike previous Wi-Fi attacks that targeted flaws in encryption protocols like WEP and WPA, AirSnitch exploits cross-layer identity desynchronization between Layer-1 (physical devices) and Layer-2 (data link) of the networking stack. The attack effectively nullifies client isolation, a fundamental security feature that prevents direct communication between devices on the same network. Co-author Mathy Vanhoef clarified that the attack is better described as an encryption "bypass" since it circumvents client isolation without breaking the underlying cryptographic authentication.

The vulnerability has significant implications for home users, offices, and enterprises that rely on guest networks and client isolation for security. With over 48 billion Wi-Fi-enabled devices shipped since the late 1990s and an estimated 6 billion users worldwide, the attack surface is substantial. The research highlights how long-standing architectural assumptions in Wi-Fi networking may contain overlooked security weaknesses that persist regardless of encryption strength.

• The vulnerability enables advanced attacks including cookie stealing, DNS poisoning, and cache poisoning across guest and enterprise networks