The explosive growth over the past several years of the Internet of Things (IoT) has made wireless networks an attractive target for bad actors and has put a premium on protecting WiFi and similar networks.
According to market research firm IoT Analysis, the number of connected home and commercial IoT devices is expected to grow from 18.5 billion in 2024 to 39 billion in 2030, and then to more than 50 billion five years after that.
Securing those connections is critical, given that they are creating what Zscaler researchers call a “sprawling, interdependent attack surface that threat actors are exploiting with increasing speed and sophistication.” WiFi networks are particularly attractive targets, with Nozomi Networks noting, for example, that 94% of them lack protection against deauthentication attacks.
Organizations and device vendors rely heavily on encryption to protect WiFi networks for businesses and users, with WPA2 being the most widely used and the newer WPA3 being even stronger.
However, scientists at the University of California, Riverside say an overlooked aspect of WiFi security is how networks are designed to isolate devices on the same network to keep them safe from each other. In a research paper presented this week at the Network and Distributed System Security Symposium 2026 in San Diego, they wrote about fundamental ways that the isolation feature in WiFi networks can be bypassed, allowing devices connected to the same network to still intercept data from other devices.
They place all these weaknesses under the name “AirSnitch” and said the vulnerability arises from the fact that, while such networks offer client isolation, there are no standards for the feature and the feature can be bypassed. They identified the root causes of the weaknesses and developed attacks that create machine-in-the-middle (MitM) and other threats in networks.
The AirSnitch vulnerabilities would allow attackers connected to a network to capture data, manipulate network traffic, and spy on others on the same network, even those protected by modern encryption with full client isolation capabilities in place.
“Although client isolation effectively mitigates legacy attacks like ARP [Address Resolution Protocol] spoofing, which has long been considered the only universal method for achieving machine-in-the-middle positioning in local area networks, our attack introduces a general and practical alternative that restores this capability, even in the presence of client isolation,” the six scientists wrote.
While client isolation “seemingly offers strong security benefits, it is not a properly standardized feature of the IEEE 802.11 standards,” they wrote. “Thus, the exact policy and enforcement mechanisms in real-world Wi-Fi networks are largely unexplored. In light of this, we ask: ‘Does client isolation protect clients from attacking each other on Wi-Fi networks as intended, across different implementations?’”
The attacks are able to bypass client isolation protections because of root causes in different layers of the network stack, including that WiFi systems use shared encryption keys to protect traffic, and often clients on the same network receive the same group key, which can be exploited by attackers to inject malicious traffic.
WiFi device vendors also often enforce the isolation at the Layer 2 “MAC and link” layer of the stack, but not at the IP layer, or Layer 3. This creates a gap that lets bad actors craft data that can bypass rules for routing and connect to others on the network. They also found that WiFi systems don’t routinely tie a device’s identity tightly across all network layers, which allows attackers to spoof the MAC addresses of other devices and intercept data intended for other users.
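A defensive check for the identity-binding gap described above, as an added example that is not from the research paper or this article: it flags a MAC address that is active under two different authenticated user IDs at the same time. The event format, field names and sample log are constructed assumptions; real controller or RADIUS logs will differ.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    ts: int        # seconds since start of the log
    kind: str      # "assoc" or "disassoc"
    mac: str       # client MAC as seen at the link layer
    identity: str  # authenticated user ID (for example an 802.1X login)
    bssid: str     # AP radio that handled the event


# Constructed sample log, not taken from any real network.
SAMPLE = [
    Event(0, "assoc", "aa:bb:cc:00:00:01", "alice", "ap1"),
    Event(5, "assoc", "aa:bb:cc:00:00:02", "bob", "ap1"),
    Event(9, "assoc", "AA:BB:CC:00:00:01", "bob", "ap2"),   # same MAC, other user
    Event(11, "assoc", "aa:bb:cc:00:00:02", "bob", "ap2"),  # roam, same user
    Event(12, "disassoc", "aa:bb:cc:00:00:02", "bob", "ap1"),
]


def find_identity_conflicts(events):
    """Return alerts for a MAC that is active under two different identities."""
    active = {}  # mac -> set of (identity, bssid) sessions currently open
    alerts = []
    for ev in sorted(events, key=lambda e: e.ts):
        mac = ev.mac.lower()  # logs mix upper and lower case
        sessions = active.setdefault(mac, set())
        if ev.kind == "disassoc":
            sessions.discard((ev.identity, ev.bssid))
            continue
        if ev.kind != "assoc":
            continue  # event types this sketch does not model
        # Other identities that still hold an open session on this MAC.
        owners = sorted({i for i, _ in sessions if i != ev.identity})
        if owners:
            alerts.append({"ts": ev.ts, "mac": mac, "bssid": ev.bssid,
                           "claimed_by": ev.identity,
                           "already_bound_to": owners})
        sessions.add((ev.identity, ev.bssid))
    return alerts


if __name__ == "__main__":
    for alert in find_identity_conflicts(SAMPLE):
        print(alert)
```

An overlapping association by the same user on a second AP is treated as a roam and does not raise an alert; only a second identity on a still-active MAC does.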
In developing their attacks on both home routers and complex enterprise networks – which tend to include user IDs and passwords as well as encryption via WPA2 or WPA3 – they were able to intercept traffic sent to the internet by others on the network, manipulate traffic from victims’ clients, and use a combination of both to run MitM attacks.
“Once a MitM is established, the attacker can intercept all link-layer traffic, facilitating higher-layer attacks,” they wrote. “For instance, recent vulnerabilities in unpatched (D)TLS implementations can then be abused to decrypt HTTPS connections and compromise sensitive user information.”
Every system they tested was vulnerable to at least one of the four attacks, they wrote. The scientists tested 11 WiFi devices, including those from such vendors as Cisco Systems, Netgear, D-Link, Asus and Ubiquiti.
Xin’an Zhou, the lead author of the research paper, told Ars Technica in an interview that AirSnitch “breaks worldwide Wi-Fi encryption, and it might have the potential to enable advanced cyberattacks. Advanced attacks can build on our primitives to [perform] cookie stealing, DNS and cache poisoning.”
The scientists’ research “physically wiretaps the wire altogether so these sophisticated attacks will work,” he added. “It’s really a threat to worldwide network security.”