Wi-Fi exposes the biggest vulnerability in history: AirSnitch attack can perform man-in-the-middle interception of "all plaintext messages" and DNS poisoning

動區BlockTempo

Security researchers have uncovered a new Wi-Fi attack technique called “AirSnitch” that can launch fully bidirectional Man-in-the-Middle (MitM) attacks on target devices without cracking existing WPA2/WPA3 encryption. This is achieved by manipulating lower network layers to bypass user isolation mechanisms.
(Background: The story behind North Korean hacker group Lazarus: How they committed the biggest Web3 heist using keyboard attacks)
(Additional context: AI-assisted crime! Hackers easily infiltrate the Mexican government using Anthropic Claude, stealing 150GB of sensitive data)


University of California, Riverside, and the DistriNet research team at KU Leuven in Belgium officially published their paper “AirSnitch: Demystifying and Breaking Client Isolation in Wi-Fi Networks” at NDSS Symposium 2026 in San Diego on February 25, 2026, revealing a widely impactful new Wi-Fi attack method.

This attack, named “AirSnitch,” does not involve cracking Wi-Fi encryption but instead exploits lower-level network structures to bypass encryption protections.

Not cracking, but “bypassing”

Existing Wi-Fi security standards (WPA2 and WPA3) assume that devices within the same network are protected by “client isolation,” preventing device A from directly seeing device B’s traffic. This is a fundamental safeguard in enterprise networks, hotel Wi-Fi, coffee shop hotspots, and similar environments.

AirSnitch targets this safeguard.

Researchers found that Wi-Fi standards do not establish cryptographic binding relationships between Layer 1 (physical port mapping), Layer 2 (MAC addresses), and Layer 3 (IP addresses). This structural flaw allows an attacker to impersonate a victim device, causing the access point (AP) to mistakenly send traffic intended for the victim to the attacker instead.

AirSnitch employs three techniques to carry out the attack:

  • MAC Address Spoofing (Downlink Hijacking): The attacker fakes the victim’s MAC address to trick the AP into forwarding downlink traffic (from the router to the device) to themselves.
  • Port Stealing: The attacker associates the victim’s MAC address with a different BSSID, so that the AP’s internal logic rebinds the victim’s connection port and encrypts the victim’s traffic with the attacker’s encryption key.
  • Uplink Impersonation (Gateway Spoofing): The attacker impersonates an internal gateway device to intercept the victim’s outbound traffic.

Combined, these methods enable a fully bidirectional MitM attack, allowing the attacker to intercept, view, and modify all inbound and outbound traffic of the victim.
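The three techniques above each leave a trace that an access point controller or wireless IDS can look for: a MAC that is still associated reappearing on another BSSID, a second MAC claiming an IP already in use, and an ARP reply for the gateway address from a station that is not the gateway. The following Python is an added example (not code from the researchers or the article); it applies those three heuristics to a constructed event log. The event format, MAC/IP values and the `IsolationMonitor` class are all assumptions made for illustration.

```python
"""Added example: simplified wireless-IDS rules for the three AirSnitch
symptoms named in the article. Event layout and sample data are constructed."""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

Event = Tuple[str, str, str]   # (kind, field_a, field_b)

# Constructed sample of what an AP controller / wireless IDS might log.
GATEWAY_IP = "10.0.0.1"
GATEWAY_MAC = "aa:bb:cc:00:00:01"
SAMPLE_EVENTS: List[Event] = [
    ("assoc",    "de:ad:be:ef:00:10", "bssid-2g"),          # victim joins the 2.4 GHz BSS
    ("dhcp",     "de:ad:be:ef:00:10", "10.0.0.42"),         # victim obtains its address
    ("arp",      GATEWAY_IP,          GATEWAY_MAC),         # legitimate gateway ARP reply
    ("assoc",    "de:ad:be:ef:00:10", "bssid-5g"),          # same MAC on another BSS, no disassoc
    ("arp",      GATEWAY_IP,          "de:ad:be:ef:00:99"), # a station answers for the gateway IP
    ("dhcp",     "de:ad:be:ef:00:99", "10.0.0.42"),         # a second MAC claims the victim's IP
    ("disassoc", "de:ad:be:ef:00:10", "bssid-5g"),
]


@dataclass
class IsolationMonitor:
    gateway_ip: str
    gateway_mac: str
    assoc: Dict[str, str] = field(default_factory=dict)     # station MAC -> BSSID
    ip_owner: Dict[str, str] = field(default_factory=dict)  # IP -> first MAC seen using it
    alerts: List[str] = field(default_factory=list)

    def feed(self, kind: str, a: str, b: str) -> None:
        if kind == "assoc":
            mac, bssid = a, b
            prev = self.assoc.get(mac)
            # Port-stealing / MAC-spoofing symptom: a MAC that is still associated
            # reappears on a different BSSID with no disassociation in between.
            if prev is not None and prev != bssid:
                self.alerts.append(f"mac_rebind {mac} {prev}->{bssid}")
            self.assoc[mac] = bssid
        elif kind == "disassoc":
            self.assoc.pop(a, None)
        elif kind == "dhcp":
            mac, ip = a, b
            owner = self.ip_owner.setdefault(ip, mac)
            # Downlink-hijack symptom: two different MACs claim the same IP.
            if owner != mac:
                self.alerts.append(f"ip_conflict {ip} {owner} vs {mac}")
        elif kind == "arp":
            ip, mac = a, b
            # Gateway-spoofing symptom: ARP reply for the gateway IP from a foreign MAC.
            if ip == self.gateway_ip and mac != self.gateway_mac:
                self.alerts.append(f"gateway_spoof {mac} claims {ip}")


def analyze(events: List[Event], gateway_ip: str = GATEWAY_IP,
            gateway_mac: str = GATEWAY_MAC) -> List[str]:
    """Run every event through the monitor and return the alerts it raised."""
    mon = IsolationMonitor(gateway_ip, gateway_mac)
    for kind, a, b in events:
        mon.feed(kind, a, b)
    return mon.alerts


if __name__ == "__main__":
    for line in analyze(SAMPLE_EVENTS):
        print(line)
```

Run against the sample, the first three events produce no alerts, and the remaining ones raise one alert per technique. Real deployments would key the association table on (MAC, radio/port) and learn the gateway MAC from a trusted source rather than a constant.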

Which devices are affected? Nearly all

The researchers tested various commercial routers and firmware, all of which were vulnerable. Tested devices include:

  • Netgear Nighthawk x6 R8000
  • Tenda RX2 Pro
  • D-LINK DIR-3040
  • TP-Link Archer AXE75
  • Asus RT-AX57
  • Open-source firmware DD-WRT v3.0-r44715 and OpenWrt 24.10

Additionally, the team successfully reproduced the attack in enterprise network environments at two universities. This confirms that AirSnitch is not a specific flaw in certain brands or models but a fundamental weakness in Wi-Fi protocol architecture. Whether in home, commercial, or enterprise settings, any device using current Wi-Fi standards is within the attack scope.

Even with HTTPS, no need to be complacent

Many users believe that if the browser shows a “padlock” icon (HTTPS), their data is secure. However, AirSnitch can bypass HTTPS protections through multiple methods.

For unencrypted traffic, including much internal enterprise HTTP traffic, attackers can directly read passwords, authentication cookies, payment card info, and other sensitive data, or even modify content in real time.

For HTTPS-encrypted connections, attackers cannot directly decrypt the content but can:

  • Intercept DNS queries to learn which domains the victim is visiting.
  • Often infer the specific URL from the target website’s external IP address.

Further, through DNS cache poisoning, attackers can insert fake DNS records into the victim’s system cache, and combined with SSL stripping techniques, trick victims into entering credentials on seemingly secure pages.
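A stub resolver or DNS monitor can reject most forged replies before they reach the cache: the reply must match an outstanding query's transaction ID and question name, every record should belong to the name that was asked about, the TTL should not be implausibly long, and a public name should not suddenly resolve to an address on the local Wi-Fi subnet. The Python below is an added example, not code from the paper or the article; the `DnsReply` layout, the 10.0.0.0/24 subnet, the one-day TTL ceiling and the sample replies are constructed for illustration, and the LAN-address rule assumes the network has no legitimate split-horizon DNS.

```python
"""Added example: sanity checks a stub resolver can apply to each DNS reply
before caching it. Reply layout and sample data are constructed."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Tuple

Answer = Tuple[str, str, int, str]   # (owner name, record type, ttl, rdata)


@dataclass
class DnsReply:
    txid: int
    qname: str
    answers: List[Answer]


LAN = ipaddress.ip_network("10.0.0.0/24")   # constructed local subnet
MAX_TTL = 86_400                            # one day; longer TTLs are a poisoning tell


def check_reply(outstanding: Dict[int, str], reply: DnsReply,
                lan=LAN, max_ttl: int = MAX_TTL) -> List[str]:
    """Return the reasons a reply should be rejected; an empty list means accept."""
    reasons: List[str] = []
    expected = outstanding.get(reply.txid)
    if expected is None:
        reasons.append("unsolicited_txid")            # no query in flight with this ID
    elif expected.lower() != reply.qname.lower():
        reasons.append("question_mismatch")           # reply answers a different name
    for name, rtype, ttl, rdata in reply.answers:
        if name.lower() != reply.qname.lower():
            reasons.append(f"off_question_record:{name}")   # bailiwick-style check
        if ttl > max_ttl:
            reasons.append(f"excessive_ttl:{ttl}")
        if rtype == "A" and ipaddress.ip_address(rdata) in lan:
            # A public name answered with a LAN address is how a poisoned record
            # steers the browser to a machine on the same Wi-Fi.
            reasons.append(f"public_name_to_lan:{rdata}")
    return reasons


# Constructed: one query in flight for bank.example with transaction id 0x1a2b.
OUTSTANDING = {0x1a2b: "bank.example"}
GOOD = DnsReply(0x1a2b, "bank.example", [("bank.example", "A", 300, "203.0.113.10")])
FORGED_ID = DnsReply(0x2222, "bank.example", [("bank.example", "A", 300, "10.0.0.99")])
POISON = DnsReply(0x1a2b, "bank.example",
                  [("bank.example", "A", 604_800, "10.0.0.99"),
                   ("login.bank.example", "A", 604_800, "10.0.0.99")])

if __name__ == "__main__":
    for label, r in (("good", GOOD), ("forged_id", FORGED_ID), ("poison", POISON)):
        print(label, check_reply(OUTSTANDING, r) or "accepted")
```

The genuine reply is accepted, the reply with a wrong transaction ID is dropped regardless of its contents, and the poisoned reply is flagged on three independent grounds. These checks complement, rather than replace, validating DNSSEC signatures or sending queries over an encrypted transport, either of which removes the on-path attacker's ability to forge answers in the first place.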

The highest risk is public Wi-Fi—be extra cautious when working at coffee shops in the future.
