Network security researchers Mathy Vanhoef and Eyal Ronen have disclosed five vulnerabilities, collectively named “Dragonblood”, that affect the WiFi WPA3 standard. Four of the five are considered to be a severe threat to online security.
WPA3 (Wi-Fi Protected Access 3) is the latest version of the WiFi security certification program developed by the Wi-Fi Alliance, which says it provides “cutting-edge security protocols” and “the latest security methods” to keep users safe online.
The technology aimed to protect against various types of attacks that jeopardize users’ online security and privacy, but after its initial release in late 2018 design flaws have already been discovered.
“Unfortunately, we found that even with WPA3, an attacker within range of a victim can still recover the password of the Wi-Fi network. Concretely, attackers can then read information that WPA3 was assumed to safely encrypt,” says Vanhoef and Ronen’s website.
“This can for example be abused to steal sensitive information such as credit cards, passwords, chat messages, emails, and so on, if no extra protection such as HTTPS is used.”
The pair have named these vulnerabilities “Dragonblood”, a reference to the WPA3’s “Dragonfly” handshake, which is the process of negotiation between two devices to establish a secure communication in order to access a WiFi network.
Their research, which involved attacks against home networks that use WPA3-Personal, revealed weaknesses in the handshake that “can be abused to recover the password of the Wi-Fi network, launch resource consumption attacks, and force devices into using weaker security groups”.
Prior to releasing the paper, Vanhoef and Ronen collaborated with the Wi-Fi Alliance to resolve the discovered issues.
The Wi-Fi Alliance stated in a press release: “WPA3-Personal is in the early stages of deployment, and the small number of device manufacturers that are affected have already started deploying patches to resolve the issues,
“These issues can all be mitigated through software updates without any impact on devices’ ability to work well together. There is no evidence that these vulnerabilities have been exploited.”
However, Head of Research at Top10VPN.com Simon Migliano says even though the latest vulnerability has been patched, WiFi users should always take extra measures to protect their privacy. He strongly recommends the use of a VPN “for all sensitive communications” even on familiar, password-protected networks.
VPNs encrypt traffic between your device and the off-network VPN server, ensuring that potential hackers on your WiFi network can’t steal sensitive information.
“Considering that the paint was barely dry on WPA3 before serious security flaws were discovered, it’s not unrealistic to expect that further vulnerabilities may yet be discovered in time,” Migliano said.
“The takeaway for consumers should be that WiFi can’t ever be trusted completely, despite its convenience . . . It’s better to be safe than sorry.”