UC Riverside computer scientists have identified major security weaknesses in the Wi-Fi networks we rely on at work, at home, in airports, and in coffee shops, among other locations. Even the most advanced “enterprise-grade” encryption systems used by universities and corporations were found to be vulnerable.
In the paper, “AirSnitch: demystifying and breaking client isolation in Wi-Fi networks,” the UCR authors describe how a security feature designed to keep users safe from one another can be bypassed. Their findings show that attackers connected to the same wireless network can secretly spy on other users, intercept data, and manipulate traffic — even when modern security measures are in place.
The researchers will present their findings on Wednesday, Feb. 25, at the Network and Distributed System Security (NDSS) Symposium 2026 in San Diego. They are urging the tech industry to address the vulnerabilities, but acknowledge that fixes will require more than simple software patches. The weaknesses, they say, stem in part from hardware designs that have not kept pace with increasingly sophisticated hacking techniques.
Mitigation strategies proposed by the researchers include stronger separation of encryption keys and better synchronization of device identities across network layers. They have also shared their findings with vendors in advance of publication.
“The biggest concern is for enterprise environments,” said Xin’an Zhou, the paper’s lead author, who conducted the research as a doctoral student at UCR and now works for Palo Alto Networks in the San Francisco Bay Area. “Enterprise systems usually protect their networks using the most advanced encryption. So that means enterprises are seemingly relying on a fake sense of security.”
Enterprise Wi-Fi networks — such as those used at UCR and many businesses — require users to log in with personal credentials, like a NetID and password, and use what is called WPA3 (Wi-Fi Protected Access, version 3) enterprise encryption. That system differs from home Wi-Fi networks, where everyone typically shares the same passphrase.
The vulnerability lies in a feature known as “client isolation,” Zhou explained. Vendors introduced client isolation years ago to prevent one Wi-Fi user from attacking another on the same network. But the feature is not standardized, and its protections vary widely among manufacturers.
In tests of home routers and enterprise-style networks, the researchers found that every system examined was vulnerable to at least one type of attack. They repeatedly demonstrated how a malicious user connected to the same Wi-Fi network could position their device between a victim and the internet — a classic “man-in-the-middle” attack.
“Every ‘man in the middle’ attack tries to intercept and modify some traffic in transit,” Zhou said.
The paper identifies three root causes behind the weaknesses.
First, Wi-Fi systems rely on shared encryption keys to protect broadcast traffic. In many cases, all clients on a network receive the same group key. That key can be abused to inject malicious traffic, bypassing client isolation.
Second, many Wi-Fi manufacturers enforce isolation at only one layer of the “network stack” — the system of layers that controls how data moves between devices. In many systems, protection is applied at one layer but not both. That gap allows attackers to craft small bundles of digital information that slip past internal routing rules and reach other users on the network.
Third, the researchers found that Wi-Fi systems often fail to tightly link a device’s identity across layers of the network. By spoofing another device’s address, an attacker can intercept data intended for a victim, even when both are connected to enterprise networks.
The attacks work not only in small home networks but also in complex enterprise systems with multiple access points and network names, the paper reports. In some cases, attackers can intercept both incoming and outgoing traffic, achieving full bidirectional control.
The implications extend beyond casual web browsing. Once positioned as a man-in-the-middle, an attacker could exploit additional software flaws to decrypt sensitive communications or compromise internal systems.
Public Wi-Fi networks at airports and coffee shops, Zhou noted, are easier targets because they often require no password, and vulnerabilities in those environments could serve as stepping stones into more secure enterprise systems run by the same entity. For example, accessing free Wi-Fi at an airport could be a step toward breaking into the enterprise system used by the airport’s employees.
The research was conducted by Zhou under the guidance of UCR computer science professors Zhiyun Qian, Srikanth V. Krishnamurthy, and Zhaowei Tan. Zhou also collaborated with Mathy Vanhoef, a professor at KU Leuven, a research university in Leuven, Belgium. UCR doctoral students Juefei Pu and Zhutian Liu are also co-authors.
For now, Zhou hopes the research will prompt the tech industry to strengthen a system that billions of people use every day.
Enterprise networks “thought they should be doing well,” he said. “But actually it is not so.”