Enterprises face a critical risk: WPA2 and WPA3-Enterprise encryption and client isolation — long treated as the primary defenses for wireless networks — can be bypassed by a set of techniques the authors call AirSnitch, exposing credentials and backend systems to both insiders and remote attackers.
How AirSnitch undermines Wi‑Fi cryptography and isolation
Presented at the NDSS Symposium 2026, the AirSnitch research shows that the problem is not a single bug but a class of protocol‑infrastructure interaction failures. WPA2 and WPA3-Enterprise are intended to authenticate and encrypt most IEEE 802.11 traffic and thereby protect legacy cleartext application protocols such as DNS and HTTP at Layer 2. AirSnitch attacks, however, manipulate low‑level network state — for example, MAC‑to‑port mappings and group key handling — to restore meddler‑in‑the‑middle (MitM) capabilities even when WPA is in use.
Three novel primitives: Port stealing, Gateway bouncing, Broadcast reflection
- Port stealing: An attacker spoofs a victim’s MAC toward another BSSID or AP, causing switches and APs to update forwarding tables and redirect traffic to the attacker’s session key (PTK). This operates below ARP and between the physical and data link layers.
- Gateway bouncing: By crafting packets that use the victim’s IP but the gateway’s MAC as the Layer‑2 destination, an attacker forces the AP to forward to the router, which then routes the packet back to the victim — bypassing ap_isolate-like Layer‑2 isolation.
- Broadcast reflection: An attacker sends a frame that appears as a broadcast but carries a unicast IP payload. The AP re-encrypts and rebroadcasts it with the GTK, delivering the payload to the victim without the attacker knowing the GTK.
The research also documents GTK misuse: by modifying wpa_supplicant, an attacker can extract the Group Temporal Key and encrypt spoofed broadcast/multicast frames as an AP would, enabling direct injection into enterprise APs. The authors note that some handshakes (group key, FT, FILS, WNM‑Sleep) and nonrandomized Integrity GTKs (IGTKs) can expose or enable selection of the GTK.
Five attack channels and chaining across APs
AirSnitch is the first public research to propose five concurrent attack channels: delivering frames over the air; injecting via the same AP; injecting from within the wired network; using a different AP; and attacks launched from the internet. These channels can be chained: for example, port stealing to intercept downlink traffic followed by GTK misuse to inject stolen frames. The paper demonstrates cross‑AP attacks in which a distant AP’s guest SSID is abused to steal traffic for an enterprise client, breaking assumptions that physically separate APs provide isolation.
Concrete checklist: immediate and specialized mitigations
The authors urge enterprises and security teams to stop treating WPA2/3‑Enterprise as a sole defense and to adopt layered controls. A practical checklist from the research includes:
- Strictly separate guest SSIDs from WPA2/3‑Enterprise SSIDs and place untrusted BSSIDs in their own VLANs.
- Use firewall policies in core networks to block gateway bouncing and related cross‑segment attacks.
- Audit and strengthen RADIUS secrets and avoid weak RADIUS passphrases.
- Update endpoint operating systems and consider robust VPNs for intranet access.
- Remove legacy or orphaned APs physically attached to the core network.
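The gateway bouncing primitive and the core-network firewall policy the checklist asks for, modelled as an added Python example (this is illustrative code written for this summary, not the paper's or any vendor's implementation). The model router applies two rules that the paper's recommendations imply: it refuses to forward a packet back out the interface it arrived on (the hairpin that delivers a gateway-addressed frame to a victim on the same SSID), and it drops packets whose source IP does not match the sending MAC's lease (the IP spoofing prevention mentioned later in the article). The topology, lease table and packets are constructed for the example.

```python
"""Model of a gateway firewall policy against the gateway bouncing primitive.

Gateway bouncing: an attacker on the same SSID sends a frame whose Layer-2
destination is the gateway's MAC but whose IP destination is the victim.
Client isolation on the AP (hostapd's ap_isolate and equivalents) lets the
frame through because it is addressed upstream; the router then routes it
straight back down to the victim on the same interface, so isolation is
bypassed.

The policy modelled here (an added example, not the paper's code):
  * hairpin block: never forward a packet back out the interface it
    arrived on, i.e. source and destination in the same client subnet;
  * IP spoofing prevention: drop packets whose source IP is not the one
    bound to the sending client's MAC.
Topology, lease table and packets are all constructed for the example.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Packet:
    in_iface: str   # interface the router received the packet on
    src_mac: str    # Layer-2 source; the Layer-2 destination is the gateway
    src_ip: str
    dst_ip: str


# Constructed topology: one wireless client VLAN and one server VLAN;
# anything else is routed to the internet uplink.
IFACE_SUBNETS = {
    "wlan-clients": ip_network("10.10.0.0/24"),
    "servers": ip_network("10.20.0.0/24"),
}

# Constructed DHCP lease table: the IP each client MAC is entitled to use.
LEASES = {
    "aa:aa:aa:aa:aa:01": "10.10.0.11",   # victim
    "aa:aa:aa:aa:aa:02": "10.10.0.22",   # another client on the same SSID
}


def egress_iface(dst_ip):
    """Route lookup: the interface whose subnet holds dst_ip, else the uplink."""
    addr = ip_address(dst_ip)
    for iface, net in IFACE_SUBNETS.items():
        if addr in net:
            return iface
    return "uplink"


def forwarding_decision(pkt, block_hairpin=True, check_lease=True):
    """Return ("forward", egress_iface) or ("drop", reason).

    The two keyword flags exist only to contrast a router with and without
    the mitigations; leave both enabled in practice.
    """
    if check_lease and pkt.in_iface == "wlan-clients":
        if LEASES.get(pkt.src_mac) != pkt.src_ip:
            return ("drop", "ip-spoof")
    egress = egress_iface(pkt.dst_ip)
    if block_hairpin and egress == pkt.in_iface:
        return ("drop", "hairpin")
    return ("forward", egress)


# Constructed packets, all sent to the gateway MAC by the client ...:02.
BOUNCE = Packet("wlan-clients", "aa:aa:aa:aa:aa:02", "10.10.0.22", "10.10.0.11")
SPOOFED_SRC = Packet("wlan-clients", "aa:aa:aa:aa:aa:02", "10.10.0.11", "10.20.0.5")
TO_SERVER = Packet("wlan-clients", "aa:aa:aa:aa:aa:02", "10.10.0.22", "10.20.0.5")
TO_INTERNET = Packet("wlan-clients", "aa:aa:aa:aa:aa:02", "10.10.0.22", "198.51.100.7")

if __name__ == "__main__":
    for name, pkt in [("bounce", BOUNCE), ("spoofed-src", SPOOFED_SRC),
                      ("to-server", TO_SERVER), ("to-internet", TO_INTERNET)]:
        print(name, "unmitigated:", forwarding_decision(pkt, False, False),
              "mitigated:", forwarding_decision(pkt))
```

The unmitigated path shows why the AP's own isolation flag is not enough: the bounce packet is forwarded back to `wlan-clients` and reaches the victim. On a real Linux gateway the hairpin rule corresponds to dropping FORWARD traffic whose input and output interface are the same client interface, and the lease check to a DHCP-snooping or IP/MAC binding feature on the AP or switch.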
More specialized recommendations include enabling spoofing prevention (preventing a single MAC across multiple BSSIDs), configuring IP spoofing prevention, enforcing per‑client randomized GTKs where supported, using Passpoint/DGAF options to control downstream group forwarding, and adopting link‑layer encryption like MACsec (IEEE 802.1AE) — noted as available on Ubuntu distributions — to provide end‑to‑end link encryption even if Wi‑Fi keys are compromised.
What this means for technologists, enterprise IT, and the Wi‑Fi industry
- Technologists and security teams: Must look beyond ap_isolate flags and Wi‑Fi encryption to network segmentation, VLANs, firewall policies and endpoint updates; monitor for unexpected MAC‑to‑port mapping changes and spoofed MACs.
- Enterprise IT and procurement: Should evaluate AP support for per‑client GTKs, spoofing prevention features, Passpoint DGAF and VLAN isolation before deployment; retire unmanaged APs and harden RADIUS secrets.
- The Wi‑Fi industry and standards bodies: Are urged to adopt “rigorous, standardized security for complex modern Wi‑Fi networks,” since some attacks exploit fundamental protocol design choices that vendors alone cannot fully mitigate.
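The monitoring the first bullet calls for, applied to the port stealing primitive described earlier in the article, as an added Python example (written for this summary, not code from the paper). Port stealing moves a victim's MAC in the forwarding tables without the victim ever re-associating, so the detectable signal is a MAC being learned on a port or BSSID other than the one it is associated with. The event format and every event line below are constructed; the same logic would be fed from controller association logs and switch MAC-learning notifications in a real deployment.

```python
"""Detector for forwarding-table moves consistent with port stealing.

Port stealing: the attacker sends frames carrying the victim's MAC toward
another BSSID or AP, so the switches and APs in between move the victim's
MAC to the attacker's port and deliver downlink traffic to the attacker's
session. The side effect a defender can see is that the victim's MAC is
*learned* on a port/BSSID other than the one the victim is *associated*
with, without any new association having happened. A genuine roam, by
contrast, produces a new association before the new learn.

The event format and all events below are constructed for this example;
they are not a vendor's log format.
"""
from dataclasses import dataclass
from datetime import datetime

# Constructed events: "<ISO time> <assoc|disassoc|learn> mac=.. ap=.. bssid=.."
SAMPLE_EVENTS = """\
2026-02-10T09:00:00 assoc mac=aa:aa:aa:aa:aa:01 ap=ap-lobby bssid=corp-5g
2026-02-10T09:00:01 learn mac=aa:aa:aa:aa:aa:01 ap=ap-lobby bssid=corp-5g
2026-02-10T09:05:00 learn mac=aa:aa:aa:aa:aa:01 ap=ap-floor3 bssid=guest-2g
2026-02-10T09:05:02 learn mac=aa:aa:aa:aa:aa:01 ap=ap-lobby bssid=corp-5g
2026-02-10T09:05:05 learn mac=aa:aa:aa:aa:aa:01 ap=ap-floor3 bssid=guest-2g
2026-02-10T09:10:00 assoc mac=bb:bb:bb:bb:bb:02 ap=ap-lobby bssid=corp-5g
2026-02-10T09:10:01 learn mac=bb:bb:bb:bb:bb:02 ap=ap-lobby bssid=corp-5g
2026-02-10T09:12:00 assoc mac=bb:bb:bb:bb:bb:02 ap=ap-floor3 bssid=corp-5g
2026-02-10T09:12:01 learn mac=bb:bb:bb:bb:bb:02 ap=ap-floor3 bssid=corp-5g
2026-02-10T09:15:00 learn mac=cc:cc:cc:cc:cc:03 ap=ap-lobby bssid=corp-5g
"""


@dataclass(frozen=True)
class Event:
    time: datetime
    kind: str      # assoc | disassoc | learn
    mac: str
    ap: str
    bssid: str


def parse_event(line):
    """Parse one constructed event line into an Event."""
    ts, kind, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    return Event(datetime.fromisoformat(ts), kind, kv["mac"].lower(),
                 kv["ap"], kv["bssid"])


def detect_port_stealing(text):
    """Return alerts for MACs learned somewhere other than their association.

    Each alert records where the MAC is associated, where it was learned and
    whether the move crossed BSSIDs (one MAC on several BSSIDs is exactly
    what the spoofing-prevention feature mentioned in the article blocks).
    """
    assoc_at = {}   # mac -> (ap, bssid) according to association state
    alerts = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ev = parse_event(line)
        loc = (ev.ap, ev.bssid)
        if ev.kind == "assoc":
            assoc_at[ev.mac] = loc            # a roam updates this first
        elif ev.kind == "disassoc":
            assoc_at.pop(ev.mac, None)
        elif ev.kind == "learn":
            expected = assoc_at.get(ev.mac)
            if expected is None:
                reason = "learned-without-assoc"
            elif expected != loc:
                reason = "learned-away-from-assoc"
            else:
                continue                      # learn matches association
            alerts.append({
                "time": ev.time, "mac": ev.mac, "reason": reason,
                "assoc_at": expected, "learned_at": loc,
                "cross_bssid": expected is not None and expected[1] != ev.bssid,
            })
    return alerts


if __name__ == "__main__":
    for a in detect_port_stealing(SAMPLE_EVENTS):
        print(a["time"].isoformat(), a["mac"], a["reason"],
              a["assoc_at"], "->", a["learned_at"],
              "cross-bssid" if a["cross_bssid"] else "")
```

The client `bb:…:02` roams cleanly (new association, then a matching learn) and produces nothing; `aa:…:01` is learned twice on a guest BSSID while still associated to the corporate one, which is the cross-AP, cross-SSID pattern the paper describes; `cc:…:03` is learned with no association at all, which would warrant a look at whatever is physically attached behind that AP.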
The AirSnitch findings reframe a long‑standing assumption: that WPA2/3‑Enterprise and client isolation provide a reliable perimeter. When low‑level switching, group keys and routing interact in unexpected ways, that perimeter can fail. Organizations that rely on Wi‑Fi must treat these results as operational realities, prioritize the checklist above, and — where necessary — contact incident responders. For urgent assistance, the Unit 42 Incident Response team is listed with regional numbers in the report.