Security researchers disclose WPA3 security flaws that allow attackers to swipe sensitive...


Posts: 2,847   +575
Staff member

The latest Wi-Fi protocol, WPA3, launched last year to quite a bit of fanfare and excitement. In theory, the protocol is supposed to be significantly more secure than its predecessor, protecting internet users against hacks that can expose their network password and other sensitive data.

Of course, most tech enthusiasts know that when it comes to this industry, "new" doesn't always mean "better." As Ars Technica notes, this improved security was intended to come through "Dragonfly," a "completely overhauled handshake" that is more resistant to password guessing attacks.

Unfortunately, it sounds like Dragonfly isn't quite enough - security researchers working out of New York University and Tel Aviv University have published a lengthy security analysis that exposes two serious flaws in WPA3's design.

"...we show that WPA3’s Simultaneous Authentication of Equals (SAE) handshake, commonly known as Dragonfly, is affected by password partitioning attacks," the paper reads. "These attacks resemble dictionary attacks and allow an adversary to recover [network passwords] by abusing timing or cache-based side-channel leaks."

By exploiting those two flaws, hackers within range of their victim's Wi-Fi network can easily recover the individual's network password, allowing them to swipe important or private information, including the contents of chat messages, passwords, emails, and more. Still, even with these breaches in mind, researchers seem to agree that WPA3 is still -- as a whole -- more secure than WPA2.

So, how can you protect yourself? Well, you may not have to. The Wi-Fi Alliance, the organization responsible for WPA certifications, says these vulnerabilities only apply to a "limited number" of devices running early implementations of WPA3 Personal.

However, if your device is affected (there's no list to check as of writing), your best bet will be to wait for a patch. The Wi-Fi Alliance claims these fixes are already starting to roll out. In the interim, plugging in directly via an Ethernet cable, opting to use a VPN, and turning off Wi-Fi entirely can help to protect your data.




Posts: 677   +180
So if we're at a stage where we know what could potentially mitigate this by deploying longer and harsher passwords, why has no one bothered to release a revised stricter password policy for their devices??

Uncle Al

Posts: 8,001   +6,775
Whoops .... I'll bet they didn't see this one coming! Strangely, back in the day many of these companies actually employed hackers (by contract and reward systems) to test their systems and recommend improvements. It was VERY successful, but now with so much reward available through illegal channels, the legitimate hackers are being swayed away for the bigger bucks. Ordinarily this would be combated with stiffer laws to protect end users that could be enacted on either the manufacturer or the hacker. Knowing the risk to the manufacturer, they would or could issue bounties for the capture/conviction of hackers that betrayed their trust.

It's all complicated but until the penalties are equal to or greater than the potential rewards there is little, if any, motivation to improve the situation .....