What is AirSnitch?
In February 2026, security researchers at the Network and Distributed System Security (NDSS) Symposium presented a research paper entitled “AirSnitch: Demystifying and Breaking Client Isolation in Wi-Fi Networks.” AirSnitch is a collection of attacks meant to defeat client isolation. There are several distinct attacks that rely on protocol-level behavior or on assistance from the wired network. These attacks are defeated in enterprise networks by following security best practices, such as network segmentation. Placing corporate and guest users, or trusted and untrusted users, on different VLANs thwarts almost all of the attacks (except for GTK abuse). The research claims that combining the attacks would make full bidirectional MITM control over a victim possible. In practice, that is unlikely or impossible in enterprise networks with standard layered security.
Client isolation is a prerequisite for the AirSnitch attacks, as the usual expectation is that clients cannot communicate with each other.
There are broadly two flavors of attacks:
- Wi-Fi GTK behavior:
  - This targets protocol-level behavior in which the attacker uses the BSSID GTK (group key) to send one-way broadcast frames with a unicast IP payload that the victim receives directly. This attack requires the attacker to briefly connect to the same WLAN and be on the same AP / BSSID as the victim to learn the GTK. This would technically be possible if the attacker is able to provide valid credentials to connect to the network and is in physical proximity to the victim. This behavior has been pointed out in previous research. In practice, the exposure from this behavior is expected to be minimal.
- Wired network:
  - Most of the attacks rely on assistance from wired network behavior, including gateway bouncing, uplink and downlink port stealing, and broadcast reflection, which involve various forms of spoofing the client, gateway or AP MAC address and/or IP address.
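The MAC spoofing behind the wired-network attacks leaves a trace in switch MAC-learning data. The following is an added example, not taken from the AirSnitch paper or from Mist: it flags a gateway MAC learned on an unexpected port and a client MAC that bounces between ports. The event format, the pinned-MAC inventory, the addresses and the thresholds are all assumptions made for illustration.

```python
from collections import defaultdict

GATEWAY_MAC = "02:00:00:00:00:01"   # constructed sample addresses
CLIENT_A = "02:00:00:00:00:0a"
CLIENT_C = "02:00:00:00:00:0c"

# Assumption: infrastructure MACs are inventoried with the one port they belong on.
PINNED = {GATEWAY_MAC: ("sw1", "uplink1")}

# Constructed MAC-learning events: (time_s, switch, port, vlan, mac)
EVENTS = [
    (0.0, "sw1", "uplink1", 10, GATEWAY_MAC),
    (1.0, "sw1", "port5", 10, CLIENT_A),
    (5.0, "sw1", "port6", 10, GATEWAY_MAC),   # gateway MAC learned on an AP port
    (6.0, "sw1", "uplink1", 10, GATEWAY_MAC),
    (20.0, "sw1", "port6", 10, CLIENT_A),     # client MAC bouncing between AP ports
    (21.0, "sw1", "port5", 10, CLIENT_A),
    (22.0, "sw1", "port6", 10, CLIENT_A),
    (30.0, "sw1", "port5", 10, CLIENT_C),
    (300.0, "sw1", "port6", 10, CLIENT_C),    # single move: ordinary roam
]

def detect(events, pinned=PINNED, window=10.0, max_moves=3):
    """Return alerts for pinned MACs seen off-port and for MACs that flap."""
    alerts = []
    last_loc = {}                 # (vlan, mac) -> (switch, port)
    moves = defaultdict(list)     # (vlan, mac) -> timestamps of recent moves
    for ts, switch, port, vlan, mac in sorted(events):
        loc, key = (switch, port), (vlan, mac)
        if mac in pinned and loc != pinned[mac]:
            alerts.append(("pinned-mac-moved", mac, vlan, loc, ts))
        prev = last_loc.get(key)
        if prev is not None and prev != loc:
            recent = [t for t in moves[key] if ts - t <= window] + [ts]
            moves[key] = recent
            if len(recent) >= max_moves:
                alerts.append(("mac-flapping", mac, vlan, loc, ts))
                moves[key] = []   # reset so one burst raises one alert
        last_loc[key] = loc
    return alerts

if __name__ == "__main__":
    for alert in detect(EVENTS):
        print(alert)
```

A single port change, as for the third client in the sample, is treated as a normal roam; only repeated moves inside the window raise the flapping alert.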
Applicability to Mist APs?
The AirSnitch attacks may be successful against a network with Mist APs when standard security and vendor best practices are not followed.
Mitigations
Standard layered security practices mitigate the AirSnitch attacks to ensure client isolation.
- This includes leveraging network segmentation, for example separating trusted and untrusted users onto different VLANs
- Enable broadcast, multicast, and ARP filters on the WLAN
- Enable “same subnet” client isolation on the WLAN
- Enable WxLAN policies to deny guest users in internal subnets
- Leverage encrypted traffic
Conclusion
We expect there is no action required for the majority of our customers. Customers should continue to design networks leveraging security in layers. These attacks require physical proximity and, in some cases, valid credentials for the network.
Please reach out to Mist support with questions or comments.