AirSnitch: Demystifying and Breaking Client Isolation in Wi-Fi Networks
Xin'an Zhou
Network and Distributed System Security (NDSS) Symposium 2026 · Day 2 · Privacy & Measurement
Wi-Fi client isolation is widely assumed to prevent devices on the same network from intercepting each other's traffic. This talk introduces the **AirSnitch framework**, which demonstrates that client isolation can be **bypassed across all WPA2 and WPA3 configurations** -- including enterprise deployments -- by exploiting fundamental design flaws in how Wi-Fi protocols interact with the underlying network infrastructure. The vulnerabilities range from legacy WEP to modern WPA3 and enterprise standards, and affect mainstream operating systems including **macOS, iOS, Android, Ubuntu, and Windows**.
AI review
A comprehensive dismantling of Wi-Fi client isolation across all WPA2/WPA3 configurations. The BSSID virtualization exploit that allows two hosts with identical MAC addresses to coexist -- exploiting the lack of cross-layer identity synchronization -- is a genuinely novel finding rooted in deep protocol understanding. The cross-AP attack capability and the chain to TCP hijacking, DNS poisoning, and RADIUS passphrase guessing make this operationally relevant. Open-sourced tool on GitHub.