The WPA3 security protocol for WiFi has a new set of problems – and this is an even bigger problem for everyone from equipment developers all the way to you as the end user.
A team of Belgian researchers, Mathy Vanhoef and Eyal Ronen, has found two more problems in WAP3 – the latest, most up-to-date security protocol and certification program for routers. These latest “Dragonblood” issues can allow attackers to leak information from WPA3 cryptographic operations and do a brute-force attack to get a WiFi network password. This comes on the heels of their first round of five bugs discovered back in April.
These researchers are no headline chasing hacks — they come with a respected history. Vanhoef is the guy who uncovered the WPA2 KRACK attack that broke the previous standard for WiFi and pushed the Wi-FI Alliance into developing WPA3. For the full technical report on their latest discoveries, just look at their blog.
The news was released after the WiFi Alliance was informed and the standards are being updated to a more secure protocol, reported the researchers. However, this update is not backwards compatible with current WPA 3 deployments but does prevent most attacks.
WPA3 and the Wi-Fi Alliance in review
The WPA3 security protocol from the Wi-Fi Alliance is quite new, launching in mid 2018. As the first major improvement to WiFi in over a decade, it brought in a set of guidelines for better protection for simple passwords, individualized encryption for both personal and open networks, and extra encryption for company networks.
The Wi-Fi Alliance itself is a nonprofit that promotes and certifies Wi-Fi products for conformity to certain standards and levels of interoperability. You know this organization visually because of its trademarked Ying-Yang inspired logo trademark which is attached to most routers. Interoperability means that you can expect that all devices – old and new – bearing the Wi-Fi logo will be able to play together on your network.
The problem of running a closed shop
The problem with WPA3 – and the Wi-Fi Alliance itself – is that the standards are privately selected from within. That is substantially different from open source, where the design can be openly picked apart by about everyone to root out vulnerabilities and weaknesses. Some of the more known open source products on the market are Linux, the Mozilla Firefox and Chromium browsers, and LibreOffice. And as the researchers pointed out in their report: “It also, once again, shows that privately creating security recommendations and standards is at best irresponsible and at worst inept.” They also pointed out that there had been criticisms and suggestions of less vulnerable options suggested by developers to the Alliance.
What should I do with my WPA3 router?
There is no need to throw out your router — yet. Just remember that this device is a de facto computer. It will likely have an array of vulnerabilities exposed over its lifetime that need to be patched. The best security practice is to regularly check for firmware updates to the device – and apply them.