TL;DR: AirSnitch, revealed on February 25, 2026 at NDSS, lets anyone on the same Wi-Fi network intercept your traffic: even on WPA3 enterprise networks. There's no firmware patch coming anytime soon; the flaw is baked into how Wi-Fi works. Your best defenses: always-on VPN, verifying HTTPS connections, VLAN segmentation at home, and treating every shared network as hostile. This guide covers exactly what to do, whether you're a home user, a road warrior, or an IT admin.

Quick Recap: Why You Should Care

Researchers from UC Riverside and KU Leuven tested 11 Wi-Fi routers from Cisco, Netgear, D-Link, ASUS, Ubiquiti, and others. Every one was vulnerable to at least one of three attacks that bypass client isolation: the feature that's supposed to keep users on the same network from spying on each other.[1]

The attacks work on WPA2, WPA3, enterprise networks, and Passpoint hotspots. No special hardware needed. Just a laptop on the same Wi-Fi network as you.

For the full technical breakdown, read: AirSnitch Breaks Every Wi-Fi Network Tested.

Now let's talk about what you can actually do about it.

For Everyone: The Basics That Actually Matter

1. Run a VPN. Always. On Every Device.

This is the single most effective defense against AirSnitch. Full stop.

A VPN creates an encrypted tunnel between your device and the VPN server. Even if an attacker uses AirSnitch to intercept your Wi-Fi traffic, all they get is encrypted noise. They can see that you're sending data, but not what's in it.[2]

Specifics:

  • Use WireGuard-based VPNs: faster and more secure than older OpenVPN protocols
  • Enable the kill switch: this blocks all internet traffic if the VPN drops, preventing accidental exposure
  • Turn it on before connecting to Wi-Fi: if your VPN connects after you join the network, there's a brief window where traffic flows unprotected
  • Set it to auto-connect on untrusted networks: most VPN apps let you designate trusted vs. untrusted Wi-Fi

Our picks: VPN comparison guide. Look for providers with a verified no-logs policy and WireGuard support.

2. Verify HTTPS on Every Site

HTTPS (the padlock in your browser) encrypts data between your browser and the website's server. AirSnitch can intercept packets, but it can't break TLS encryption.[3]

Rules to follow:

  • Never click through certificate warnings: a MitM attacker using AirSnitch might try to present a fake certificate. Your browser will warn you. Listen to it.
  • Use HTTPS-Only mode (Firefox) Settings → Privacy & Security → HTTPS-Only Mode → Enable in all windows. Chrome: Settings → Privacy → Always use secure connections.
  • Watch for HTTP on login pages: if you see a login form without HTTPS, close the tab. Someone may have injected a fake page.
  • Install an extension like HTTPS Everywhere: forces HTTPS connections where available (though most major browsers now do this natively)

3. Use Encrypted DNS

Even with HTTPS, your DNS queries (the lookups that translate website names to IP addresses) can reveal every site you visit. AirSnitch can intercept these.[1]

Switch to encrypted DNS:

  • DNS-over-HTTPS (DoH): Built into Firefox (Settings → Privacy → DNS over HTTPS → Max Protection) and Chrome (Settings → Privacy → Use secure DNS)
  • DNS-over-TLS (DoT): Supported natively on Android 9+ (Settings → Network → Private DNS → set to dns.quad9.net or one.one.one.one)
  • Good providers: Quad9 (9.9.9.9), Cloudflare (1.1.1.1), Mullvad DNS

If you're running a VPN, your DNS queries typically route through the VPN tunnel already. But belt-and-suspenders never hurts.

4. Don't Do Sensitive Stuff on Public Wi-Fi

This was good advice before AirSnitch. Now it's mandatory.

  • Banking and financial transactions: use cellular data instead
  • Entering passwords for critical accounts: wait until you're on a network you control
  • Accessing medical records or legal documents
  • Work email and corporate systems (unless VPN'd into your company network)

If you must do these things on Wi-Fi, make sure your VPN is active and the site is HTTPS. No exceptions.

For Home Users: Lock Down Your Router

5. Segment Your Network with VLANs

The researchers found that proper VLAN separation can neutralize several AirSnitch attack vectors.[3] VLANs create genuinely separate networks: not just the "client isolation" feature that AirSnitch defeats.

The goal: put different device types on different VLANs so even if one is compromised, it can't reach the others.

  • VLAN 1 (Trusted devices) your personal laptops, phones, desktops
  • VLAN 2 (IoT devices) smart TVs, cameras, thermostats, speakers. These are the most likely to be compromised and the least likely to get security updates.
  • VLAN 3 (Guest network) visitors and untrusted devices. Fully isolated from your main network.

Routers that support VLANs properly: most Ubiquiti UniFi gear, MikroTik, pfSense/OPNsense firewalls, and routers running OpenWrt (ironically, OpenWrt was vulnerable to AirSnitch's client isolation bypass, but proper VLANs are a different mechanism).

6. Update Your Router Firmware

Won't fix AirSnitch specifically: but it prevents attackers from stacking AirSnitch with other known vulnerabilities. Many routers run firmware that's months or years out of date.

  • Log into your router admin panel (usually 192.168.1.1 or 192.168.0.1)
  • Check for firmware updates: usually under Administration or System
  • Enable automatic updates if available
  • If your router hasn't received an update in over a year, consider replacing it

7. Limit Who's on Your Network

AirSnitch requires the attacker to be on the same Wi-Fi network. Fewer users means lower risk.

  • Use a strong, unique Wi-Fi password: at least 16 characters. Not the default one printed on the router.
  • Don't share your main Wi-Fi password: put guests on the guest network (on its own VLAN)
  • Disable WPS: Wi-Fi Protected Setup is a known attack vector for joining networks without the password
  • Consider MAC address filtering: not bulletproof (MAC addresses can be spoofed), but it adds a speed bump

For IT Admins and Businesses

8. Don't Trust Client Isolation. Period.

The AirSnitch paper is clear: client isolation, as currently implemented, doesn't work. Don't rely on it as a security boundary.[1]

What to do instead:

  • Require VPN for all corporate Wi-Fi access: even on internal networks. Treat Wi-Fi as an untrusted transport layer.
  • Segment with proper VLANs at the switch level: not just at the access point. Ensure VLAN tagging is enforced end-to-end.
  • Deploy 802.1X with per-user VLAN assignment: each authenticated user gets their own VLAN, reducing the attack surface.
  • Use WPA3-Enterprise with strong RADIUS shared secrets: not because it stops AirSnitch completely, but because it raises the bar for other attacks.[3]

9. Monitor for AirSnitch Indicators

Watch for these signs on your network:

  • Duplicate MAC address associations: a hallmark of the port stealing attack. Your wireless controller should alert on this.
  • Unusual ARP activity: AirSnitch involves ARP manipulation. Enable ARP inspection if your gear supports it.
  • Clients appearing on unexpected BSSIDs: the port stealing attack involves associating with different BSSIDs
  • Unexpected gateway traffic patterns: the gateway bouncing attack creates anomalous routing

10. Disable Unused SSIDs

Every active SSID is a potential attack surface. If you're running legacy SSIDs that nobody uses anymore, turn them off.[3]

For Mobile Users: Phone-Specific Advice

iPhone

  • Enable "Limit IP Address Tracking": Settings → Wi-Fi → tap the network → Limit IP Address Tracking. This uses Apple's iCloud Private Relay (if you have iCloud+) to encrypt DNS queries.
  • Use Private Wi-Fi Address: Settings → Wi-Fi → tap network → Private Wi-Fi Address. Randomizes your MAC address per network, making the port stealing attack harder to target you specifically.
  • Install a VPN app and set it to connect automatically on Wi-Fi.

Android

  • Enable Private DNS: Settings → Network & Internet → Private DNS → set to dns.quad9.net
  • Use randomized MAC addresses (enabled by default on Android 10+, but verify) Settings → Network → Wi-Fi → tap network → Privacy → Use Randomized MAC.
  • Install a VPN app with always-on VPN: Settings → Network → VPN → tap the gear icon → Always-on VPN.

Laptops

  • macOS: Enable "Limit IP address tracking" in Wi-Fi settings. Use a VPN.
  • Windows: Enable "Random hardware addresses" in Wi-Fi settings. Use a VPN. Enable DNS-over-HTTPS in network settings.
  • Linux: Use NetworkManager's MAC randomization (wifi.mac-address-randomization=2 in /etc/NetworkManager/NetworkManager.conf). Configure systemd-resolved for DNS-over-TLS.

Who's Most at Risk?

AirSnitch matters more for some people than others. Here's where the threat levels fall:

High Risk

  • People who regularly use public Wi-Fi (airports, hotels, coffee shops, coworking spaces)
  • Business travelers connecting to conference and hotel networks
  • Journalists and activists who could be targeted by state actors
  • Anyone on enterprise Wi-Fi networks where multiple employees share access

Medium Risk

  • Home users with guest networks or IoT devices
  • Small businesses with Wi-Fi accessible to customers
  • Students on university networks

Lower Risk

  • Home users with strong passwords and no guest access
  • People who already use VPNs consistently
  • Users who primarily use cellular data

The Bottom Line

AirSnitch didn't create new risks: it proved that protections we relied on were always broken. Client isolation was a security feature that never actually delivered security. Every router vendor implemented it differently, the IEEE never standardized it, and now we're paying the price.[1]

The fix requires changes to the 802.11 Wi-Fi standard itself. That's going to take years. In the meantime:

  1. VPN on every device, every time you use Wi-Fi. Non-negotiable.
  2. HTTPS-Only mode in your browser. Takes 10 seconds to enable.
  3. Encrypted DNS. Another 30 seconds.
  4. VLAN segmentation at home. A weekend project that pays off permanently.
  5. Treat every Wi-Fi network as hostile. Because now you know it is.

References

  1. NDSS Symposium (AirSnitch) Demystifying and Breaking Client Isolation in Wi-Fi Networks (February 2026)
  2. UC Riverside News: UCR Computer Scientists Reveal Wi-Fi Security Flaws (February 24, 2026)
  3. CyberInsider: New AirSnitch Attack Bypasses Client Isolation in Wi-Fi Networks (February 2026)
  4. Security Boulevard: Scientists Intro AirSnitch, Which Bypasses WiFi Isolation to Launch Attacks on Networks (February 2026)
  5. GitHub (vanhoefm/airsnitch) Testing Wi-Fi Client Isolation