AirSnitch: WiFi Client Isolation Bypass

AirSnitch is a WiFi security research framework disclosed at the NDSS Symposium on February 25, 2026. It demonstrates that client isolation — a core WiFi security feature designed to prevent connected clients from communicating with each other — can be bypassed at the network and protocol layer on virtually every tested access point and client device.

What is AirSnitch?

Researchers at UC Riverside and KU Leuven (including Mathy Vanhoef, known for the KRACK attack) published "AirSnitch: Demystifying and Breaking Client Isolation in Wi-Fi Networks" at NDSS 2026, a top-tier academic security conference. The framework demonstrates three distinct attack classes:

GTK abuse: All clients on the same BSSID share a Group Temporal Key (GTK) for broadcast traffic. AirSnitch injects unicast IP packets inside broadcast frames, bypassing client isolation entirely. Every tested operating system accepted these packets.

Gateway bouncing: Many access points enforce client isolation only at Layer 2 (MAC level) but not at Layer 3. Packets addressed with the gateway's MAC but the victim's IP are routed to the victim by the gateway.

Port stealing: By spoofing MAC addresses, an attacker manipulates the AP's internal switching table, redirecting victim traffic to themselves. This is the most severe technique — it works across different BSSIDs, different APs, and even different SSIDs sharing the same physical infrastructure.

Critical prerequisite: The attacker must already be connected to the target network. AirSnitch does not allow breaking into a WiFi network from the outside — it is an insider attack that requires a valid association.

The enterprise threat: RADIUS interception

For enterprise networks using password-based authentication (PEAP/MSCHAPv2), the port stealing technique enables a severe escalation chain:

  1. Intercept a RADIUS authentication packet flowing between an access point and the RADIUS server
  2. Brute-force the RADIUS shared secret offline from the single captured packet
  3. Deploy a rogue RADIUS server and access point
  4. Capture employee credentials from clients that unknowingly connect to the rogue infrastructure

Lead researcher Xin'an Zhou: "The biggest concern is for enterprise environments. Enterprise systems usually protect their networks using the most advanced encryption. So that means enterprises are seemingly relying on a fake sense of security."

No CVEs have been assigned. Co-author Mathy Vanhoef explained that the issues are architectural — some weaknesses are software flaws, others configuration issues, and responsibility is diffuse across vendors, standards bodies, and silicon manufacturers. Comprehensive fixes require IEEE 802.11 standard-level changes and may involve hardware redesigns.

Impact on EasyRadius customers (EAP-TLS)

EasyRadius uses EAP-TLS — mutual certificate-based authentication — which directly blocks the most dangerous escalation paths described above. Here is a precise breakdown:

What EAP-TLS protects against

Rogue RADIUS server / rogue AP attacks: Blocked. With mutual certificate authentication, client devices verify the server's certificate before authenticating. A rogue server cannot present a valid certificate issued by your CA, so the mutual authentication handshake fails. Obtaining the RADIUS shared secret no longer gives an attacker a usable attack path.

Credential theft via RADIUS interception: Blocked. EAP-TLS exchanges contain certificate handshakes, not passwords or password hashes. There are no credentials to steal from intercepted RADIUS traffic.

Offline brute-force of user credentials: Blocked. Certificate-based authentication contains no password material. Protocols like MSCHAPv2 have known offline cracking weaknesses that EAP-TLS eliminates entirely.

What EAP-TLS does not protect against

Client isolation bypass (MitM positioning): Not addressed. GTK abuse, gateway bouncing, and port stealing operate at layers independent of the authentication mechanism. An attacker who is connected and authenticated — even with a valid certificate — can still achieve traffic interception between clients.

Post-MitM application attacks: Not addressed. DNS poisoning, DHCP manipulation, cookie theft, and TLS downgrade attacks can still be attempted once an attacker achieves MitM positioning.

Net assessment: Certificate-based authentication via EasyRadius + EasyScep eliminates AirSnitch's most dangerous enterprise escalation path — the one that compromises your entire authentication infrastructure. The underlying client isolation bypass remains an industry-wide architectural problem that requires standards-level fixes across access points and client operating systems.

These steps reduce exposure to AirSnitch's residual risks, regardless of authentication method:

  1. Use strong RADIUS shared secrets. Configure at least 32 random characters between each access point and EasyRadius. Even if a packet is intercepted, a strong secret is not practically brute-forceable. Change secrets if you suspect they were ever exposed.

  2. Enforce per-user VLAN assignment. Configure 802.1X policies in EasyRadius to assign authenticated users to specific VLANs. This provides Layer 3 isolation in addition to Layer 2 isolation, significantly limiting lateral movement.

  3. Separate guest and corporate WiFi infrastructure. If an attacker connects to a guest network, they should have no path to intercept traffic on corporate AP uplinks. Physical or logical separation of guest and enterprise SSIDs is the most effective mitigation.

  4. Enable Protected Management Frames (PMF / 802.11w). Required for WPA3, and available on most modern WPA2 equipment. PMF prevents certain management frame injection attacks that can support MitM positioning.

  5. Keep AP firmware current. Cisco, Ubiquiti, LANCOM, and other vendors are actively evaluating patches in response to the AirSnitch disclosure. Review your vendor's security advisories.

  6. Require HTTPS and VPN for sensitive communications. Defense-in-depth at the application layer limits the damage an attacker can do even after achieving MitM positioning.

  7. Monitor for anomalous MAC associations. Duplicate MAC addresses or unexpected changes in client association patterns in your RADIUS logs or AP management system can be early indicators of port stealing attempts.
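As an added illustration of step 7 (not code from EasyRadius or the AirSnitch authors), the script below scans RADIUS accounting records for a client MAC that opens a second session behind a different AP or port, or under a different user name, while its first session is still open, which is the pattern port stealing leaves behind. The key=value log format and the sample lines are constructed for this example; adapt the parser to your RADIUS server's actual accounting output.

```python
import re

# Constructed RADIUS accounting lines in an assumed syslog-style
# key=value format; attribute names are standard RADIUS attributes.
SAMPLE_LOG = """\
2026-02-25T10:00:01 Acct-Status-Type=Start User-Name=alice Calling-Station-Id=AA-BB-CC-00-00-01 NAS-Identifier=ap-floor1 NAS-Port=5
2026-02-25T10:00:07 Acct-Status-Type=Start User-Name=bob Calling-Station-Id=AA-BB-CC-00-00-02 NAS-Identifier=ap-floor1 NAS-Port=6
2026-02-25T10:03:40 Acct-Status-Type=Start User-Name=mallory Calling-Station-Id=AA-BB-CC-00-00-01 NAS-Identifier=ap-floor2 NAS-Port=3
2026-02-25T10:05:00 Acct-Status-Type=Stop User-Name=bob Calling-Station-Id=AA-BB-CC-00-00-02 NAS-Identifier=ap-floor1 NAS-Port=6
2026-02-25T10:06:12 Acct-Status-Type=Start User-Name=bob Calling-Station-Id=AA-BB-CC-00-00-02 NAS-Identifier=ap-floor1 NAS-Port=6
"""

PAIR = re.compile(r"([^\s=]+)=(\S+)")


def parse(line):
    """Split one accounting line into a dict of attributes plus 'ts'."""
    ts, _, rest = line.partition(" ")
    attrs = dict(PAIR.findall(rest))
    attrs["ts"] = ts
    return attrs


def find_duplicate_macs(log_text):
    """Return one alert per Start record whose Calling-Station-Id already
    has an open session at a different (user, AP, port). A legitimate
    roam or reconnect is preceded by a Stop, so it does not alert."""
    active = {}  # mac -> (user, nas, port) of the session still open
    alerts = []
    for line in log_text.splitlines():
        a = parse(line)
        mac = a["Calling-Station-Id"]
        where = (a["User-Name"], a["NAS-Identifier"], a["NAS-Port"])
        if a["Acct-Status-Type"] == "Stop":
            active.pop(mac, None)
            continue
        prev = active.get(mac)
        if prev is None:
            active[mac] = where  # first sighting: remember the session
        elif prev != where:
            alerts.append({"ts": a["ts"], "mac": mac,
                           "first": prev, "second": where})
    return alerts


if __name__ == "__main__":
    for alert in find_duplicate_macs(SAMPLE_LOG):
        print("duplicate MAC:", alert)
```

On the sample data only alice's MAC is flagged (reappearing as mallory on ap-floor2 with alice's session still open); bob's Stop followed by a fresh Start is a normal reconnect and stays quiet.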

Background and references

  • Research paper: AirSnitch: Demystifying and Breaking Client Isolation in Wi-Fi Networks — NDSS Symposium 2026
  • Authors: Xin'an Zhou, Zhiyun Qian, Zhaowei Tan, Srikanth V. Krishnamurthy (UC Riverside); Mathy Vanhoef (KU Leuven)
  • Related: Blast-RADIUS (CVE-2024-3596, July 2024) — a separate RADIUS protocol forgery attack that also does not affect EAP-based authentication, reinforcing the pattern that EAP-TLS sidesteps an entire class of RADIUS vulnerabilities

For questions about how AirSnitch affects your specific EasyRadius deployment, contact support@just-software.com.