WPA3 is not as secure as you may think it is.
Back in June 2018, the Wi-Fi Alliance released the WPA3 as a more secure successor to the WPA2. Like it’s predecessor, the new security protocol is designed to protect Wi-fi networks from intruders.
However, recent reports reveal that WPA3 is not the safety blanket we believe it to be.
Two security researchers – Mathy Vanhoef and Eyal Ronen -have identified vulnerabilities in the WPA3-Personal protocol. With this security flaw, not only would intruders be able to crack Wi-Fi passwords, but they’ll also have access to encrypted traffic sent between a user’s device.
But, how is this possible?
The Security Flaw in WPA3- Personal Protocol
Unlike its predecessor – with the Pre-shared Key (PSK), WPA3 comes with a secure method of authentication called Simultaneous Authentication of Equals (SAE).
Simply put, the new method of authentication provides a “dragonfly” handshake, which is supposed to make it nearly impossible to crack users password. And it works, but only in theory.
Now, here is the reality. WPA3 or not, an attacker within range of a victim can still collect the Wi-FI network’s password.
Attackers can abuse two security flaws – side channel leaks or downgrade attacks – to recover their victim’s password. Aside from the passwords, other sensitive information at risk includes emails, chat messages, and credit card numbers.
Some Wi-fi networks, which requires username and password, also use the Dragonfly handshake for access control – the EAP-pwd protocol. According to the security researchers, that may not be a good idea.
One of the security researchers said;
“Unfortunately, our attacks against WPA3 also work against EAP-pwd, meaning an adversary can even recover a user’s password when EAP-pwd is used.”
That means an attacker would be able to impersonate any user. And as a result, they can access the WI-FI password without knowing the user’s password.
What is Being Done to Fix It?
Wi-Fi Alliance released a statement to acknowledge the existence of security flaws.
According to the report, there’s no evidence that attackers have exploited the vulnerabilities yet. Also, users can solve security issues with a simple software update.
In the statement, the WiFi Alliance wrote;
“WPA3-Personal is in the early stages of deployment, and the small number of device manufacturers that are affected have already started deploying patches to resolve the issues.”
Update or not, the cybersecurity expert at ESET, Jake Moore believes it’s better to be safe than sorry.
You can either use a VPN or turn off the Wi-Fi and only plug in via ethernet, he said. This is exceptionally useful when transferring the most sensitive data.
Try Ginger Now
To leak confidential information such as password is a serious flaw.
To leak confidential information such as a password is a serious flaw.