New AirSnitch Attack Bypasses Wi-Fi Encryption Through Cross-Layer Vulnerability

Summary

Security researchers have unveiled AirSnitch, a novel attack that bypasses Wi-Fi encryption protections across homes, offices, and enterprises by exploiting fundamental weaknesses in the lowest levels of the network stack. Unlike previous attacks that broke specific encryption protocols like WEP or WPA, AirSnitch targets the physical and data link layers (Layers 1 and 2) and exploits cross-layer identity desynchronization—the failure to properly bind and synchronize client identities across different network layers.

Lead researcher Xin'an Zhou, presenting at the 2026 Network and Distributed System Security Symposium, demonstrated that the attack works across major router brands including Netgear, D-Link, Ubiquiti, Cisco, and firmware like DD-WRT and OpenWrt. The vulnerability nullifies client isolation, a critical security feature that prevents devices on the same network from directly communicating with each other. Co-author Mathy Vanhoef clarified that while AirSnitch doesn't break Wi-Fi authentication or encryption itself, it effectively bypasses these protections, potentially enabling advanced attacks like cookie stealing, DNS poisoning, and cache poisoning.

The discovery affects an estimated 48 billion Wi-Fi-enabled devices shipped since the late 1990s, used by approximately 6 billion people worldwide—roughly 70 percent of the global population. The attack represents a fundamental threat to network security assumptions, as it exploits architectural features rather than cryptographic weaknesses, making it significantly more difficult to patch than traditional protocol vulnerabilities.

• Unlike previous Wi-Fi vulnerabilities, AirSnitch targets fundamental architectural features, making remediation more challenging than patching specific encryption protocols