From San Diego: Picture yourself at the departure lounge of Sydney Airport, laptop open, connected to the free Wi-Fi, comforted by the reassurance that your device is isolated from every other machine on the network. That reassurance, it turns out, may have been an illusion. Security researchers presenting at an international symposium in San Diego last week have demonstrated that the very feature designed to protect you in that moment is fundamentally and broadly broken.
The attack is called AirSnitch, and the team behind it reads like a serious academic collaboration. The research was conducted by researchers from the University of California, Riverside, and KU Leuven's DistriNet group. They presented their paper, "AirSnitch: Demystifying and Breaking Client Isolation in Wi-Fi Networks", on February 25 at the NDSS Symposium 2026 in San Diego. The conclusion is as stark as it gets in security research: the "client isolation" feature many of us rely on in offices, airports, and even home guest networks is fundamentally broken across almost all major hardware brands.
To understand why this matters, it helps to understand what client isolation is supposed to do. Client isolation is a vendor-implemented feature that blocks direct communication between Wi-Fi clients connected to the same access point. When you connect to a hotel's guest network, or your employer's office Wi-Fi, that feature is supposed to prevent the stranger on the next barstool or the desk across the floor from having any visibility into your traffic. The problem, the researchers found, is that the issue is architectural rather than vendor-specific, stemming from design assumptions in WPA2/WPA3 and non-standardised isolation policies.
AirSnitch does not crack Wi-Fi passwords or break encryption in the traditional sense. Instead, it exploits the gaps between the layers of the networking stack. Since Wi-Fi does not cryptographically link client MAC addresses, Wi-Fi encryption keys, and IP addresses through Layers 1, 2, and 3 of the network stack, an attacker can use this to assume the identity of another device and confuse the network into diverting downlink and uplink traffic through it. One specific technique is particularly illustrative: since most networks use a single password or a Group Temporal Key (GTK), an attacker can make packets aimed for a specific target and wrap them inside a GTK broadcast frame to make them look like legitimate information meant for everyone. The router, in essence, does the attacker's work for them.
The breadth of affected hardware is what gives this research its teeth. The researchers found vulnerabilities in five popular home routers — the Netgear Nighthawk x6 R8000, Tenda RX2 Pro, D-Link DIR-3040, TP-Link Archer AXE75, and Asus RT-AX57 — two open-source firmwares (DD-WRT and OpenWrt 24.10), and across two university enterprise networks. Enterprise-grade devices from Cisco and Ubiquiti were also tested and found wanting. Particularly worrying is that even WPA3-Enterprise corporate networks, which require individual login credentials, proved vulnerable.
For lead researcher Xin'an Zhou, the implications reach beyond any single network. Speaking to Ars Technica, Zhou said AirSnitch "breaks worldwide Wi-Fi encryption, and it might have the potential to enable advanced cyberattacks," with further attacks possible including "cookie stealing, DNS and cache poisoning." That is not a trivial list of consequences. Cookie theft can expose authenticated sessions to banking and corporate systems. DNS manipulation can silently redirect users to malicious sites without a single suspicious prompt appearing on screen.
The public network risk deserves particular attention for Australian readers. Public Wi-Fi networks at airports and coffee shops are easier targets because they often require no password, and vulnerabilities in those environments could serve as stepping stones into enterprise systems run by the same entity — for example, accessing free Wi-Fi at an airport could be a step toward breaking into the enterprise system used by the airport's employees. That is not a theoretical concern. Australia's airports, hospitals, universities, and government buildings all operate shared Wi-Fi infrastructure across which guest and staff networks frequently co-exist on the same physical hardware.
It would be fair, though, to weigh against the alarm some of the qualifying factors that the researchers themselves acknowledge. This type of attack is rather complicated, especially given how complicated modern wireless networks have become. Because AirSnitch operates as an insider attack, exploitation requires an attacker to join the network, either as a guest user or with legitimate credentials — though in public hotspots, university campuses, hotels, and enterprise guest networks, that bar is often very low. There is also a meaningful distinction between intercepting data and decrypting it. Applications using end-to-end encryption, such as those transmitting data over HTTPS with strict certificate pinning, add a further layer of protection that AirSnitch cannot pierce on its own.
Security professionals have pointed to several interim steps organisations can take right now. The researchers propose stronger binding between cryptographic keys and network-layer identities, improved group key management, and clearer isolation domains across BSSIDs and distribution systems. In the shorter term, segmenting guest and internal networks onto separate VLANs and, where possible, on separate physical infrastructure represents a practical first line of defence. Keeping access point firmware current and disabling unused network bands also reduces the attack surface.
The harder conversation, however, is one the industry has been slow to have. Client isolation is not standardised in IEEE 802.11, leading to inconsistent, ad hoc implementations across vendors. Each manufacturer has interpreted the feature differently, and that fragmentation is precisely what AirSnitch exploits. The researchers called on the tech industry to address the vulnerabilities but acknowledged that fixes will require more than simple patches — the problem is architectural and demands revision at the IEEE standards level. That process, anyone familiar with international standards bodies knows, moves at its own unhurried pace.
The Australian Cyber Security Centre has long advised organisations to treat public and guest Wi-Fi as untrusted networks, and to enforce end-to-end encryption regardless of what the underlying network promises. The Australian Signals Directorate similarly recommends layered security approaches rather than reliance on any single control. Those advisories now look prescient. The lesson AirSnitch reinforces is not a new one: security guarantees that exist only in documentation, rather than in verified, standardised implementation, are guarantees in name only. For consumers, the immediate takeaway is straightforward enough: treat every shared Wi-Fi network, no matter the padlock icon beside it, as a public space. Because, in a meaningful technical sense, it is. The full research paper is available through the NDSS Symposium and the authors' own PDF has been made publicly accessible for review by the broader security community.