U.S. Markets closed

WPA3, the third generation of Wi-Fi security, has one giant flaw: You

Jon Martindale
ASRock X10 IoT Router

Few people are overly concerned with Wi-Fi security, happy to connect to public wireless networks and do little to even protect their own home networks. As long as it has a password, we think we’re safe.

As usual, keeping yourself secure is never as easy as it seems. Password protection forms part of a system called Wi-Fi Protected Access, or WPA, which is about to get more secure in the form of WPA3. Despite the improvements it brings, WPA will never be a silver bullet.

There are some serious flaws in it that have been present since the very first WPA was initiated. Until we face those, our wireless networks will always have a gaping hole in their wall of protection.

Slaying dragons

Password and encryption protection were a major point of WPA2’s creation and proliferation and have ensured that most of us remain safe when connecting our myriad of contemporary devices to Wi-Fi networks. But WPA2 has serious flaws that WPA3 was designed to fix.

Where WPA2 uses a pre-shared key exchange and weaker encryption, WPA3 upgrades to 128-bit encryption and uses a system called Simultaneous Authentication of Equals (SAE), colloquially known as a Dragonfly handshake. It forces network interaction on a potential login, thereby making it so that hackers can’t try and dictionary hack a login by downloading its cryptographic hash and then running cracking software to break it, letting them then use other tools to snoop on network activity.

But Dragonfly and WPA3 itself are also vulnerable to some dangerous flaws of their own and some of the worst ones have been present in WPA protected networks since their inception. These exploits have been collected under the banner name of Dragonblood and unless addressed, they could mean that WPA3 isn’t that much more secure than WPA2, because the methods used to circumvent its protections haven’t really changed.

There are six problems highlighted by Mathy Vanhoef in his Dragonblood exposé, but almost all of them are made possible by an age-old Wi-Fi hacking technique called an evil twin.

You look so alike…

“The biggest flaw that’s been around in Wi-Fi for 20 years is that you, me, my sister (who isn’t technical) can all launch an evil twin attack just by using our cellphones,” Watchguard’s director of product management, Ryan Orsi, told Digital Trends. “[Let’s say] you have a smartphone and take it out of your pocket, walk in your office and it has a WPA3 password protected Wi-Fi network. You look at the name of that Wi-Fi network […] if you change your phone’s name to [the same name] and you turn on your hotspot, you have just launched an evil twin attack. Your phone is broadcasting the exact same Wi-Fi network.”

Ryan Orsi of Watchgard

Although users connecting to your spoofed, evil twin network are giving away a lot of their information by using it, they are potentially weakening their security even more. This attack could be carried out with a smartphone that only supports WPA2. Even if the potential victim can support WPA3 on their device, you’ve effectively downgraded them to WPA2 thanks to WPA3’s backwards compatibility.

It’s known as WPA3-Transition Mode, and allows a network to operate WPA3 and WPA2 protections with the same password. That’s great for encouraging the uptake to WPA3 without forcing people to do so immediately, and accommodates older client devices, but it’s a weak point in the new security standard which leaves everyone vulnerable.

“You’ve now launched the beginning of a Dragonblood attack,” Orsi continued. “You’re bringing in an evil twin access point that’s broadcasting a WPA2 version of the Wi-Fi network and victim devices don’t know the difference. It’s the same name. What’s the legitimate one and which is the evil twin one? It’s hard for a device or human being to tell.”

But WPA3’s Transition Mode isn’t its only weak point for potential downgrade attacks. Dragonblood also covers a security group downgrade attack which allows those using an evil twin attack to decline initial requests for WPA3 security protections. The client device will then attempt to connect again using a different security group. The fake network can simply wait until a connection attempt is made using inadequate security and accept it, weakening the victim’s wireless protections considerably.

As Orsi highlighted, evil twin attacks have been a problem with Wi-Fi networks for well over a decade, especially public ones where users may not be aware of the name of the network they’re planning to connect to ahead of time. WPA3 does little to protect against this, because the problem isn’t technically with the technology itself, but in the user’s ability to differentiate between legitimate networks and phony ones. There is nothing within device Wi-Fi menus that suggest which networks are safe to connect to and which aren’t.

According to Dragonblood author, Mathy Vanhoef, It can cost as little as $125 of Amazon AWS computing power – running a piece of password cracking software – to decode eight-character, lower-case passwords, and there are plenty of services that may even prove more competitive than that. If a hacker can then steal credit card or banking information, that investment is quickly recouped.

“If the evil twin is there, and a victim connects to it, the splash page pops up. The splash page on an evil twin is actually coming from the attacker’s laptop,” Orsi told Digital Trends. “That splash page can have malicious Javascript or a button and ‘click-here to agree, please download this software to connect to this hotspot.’”

Stay safe by being safe

“[WPA security] problems aren’t going to be solved until the general consumer can see on their device instead of a little padlock to mean password protected, there’s some other symbol or visual indicator that says this isn’t an evil twin,” Orsi said. “[We should] offer people a visual symbol that has strong technical roots but they don’t have to understand it. It should say, this is the one you can trust. Book your hotel with a credit card on this Wi-Fi because it’s the right one.”

Such a system would require the IEEE (Institute of Electrical and Electronics Engineers) to ratify it as part of a new Wi-Fi standard. The Wi-Fi Alliance, which owns the copyright for “Wi-Fi,” would then need to decide on an emblem and push out the update to manufacturers and software providers to make use of it. Making such a change to Wi-Fi as we know it would require a huge undertaking of many companies and organizations. That’s why Orsi and Watchguard want to sign people up to show their support to the idea of a new, trusted wireless system that gives a clear visual indicator to help people stay safe on Wi-Fi networks.

Until such a thing happens, there are still some steps you can take to protect yourself. The first piece of advice that Orsi gave us was to update and patch everything – especially if it adds WPA3 security. As much as it’s flawed, it’s still far better than WPA2 – that’s why so many of the Dragonblood attacks are focused on downgrading the security where possible.

That’s something Malwarebytes’ Jean-Philippe Taggart told Digital Trends too. As flawed as WPA3 might be, it’s still an upgrade. Making sure any WPA3 devices you do use are running the latest firmware too, is massively important. That could help mitigate some of the side-channel attacks that were present in early WPA3 releases.

If you’re a regular user of public Wi-Fi networks (or even if you’re not) Orsi also recommends taking steps to use a VPN, or virtual private network (here’s how to set one up). These add an additional layer of encryption and obfuscation to your connection by routing it through a third-party server. That can make it much harder for local attackers to see what you’re doing online, even if they do manage to gain access to your network. It also hides your traffic from remote attackers and possibly any three letter agencies that might be watching.

When it comes to securing your Wi-Fi at home, we’d recommend a strong network password too. The dictionary attacks and brute force hacks made possible by many of the Dragonblood exploits are useless if your password is complicated, long, and unique. Store it in a password manager if you’re not sure you’ll remember it (these are the best ones). Change it infrequently too. You never know whether your friends and family have been as secure with your Wi-Fi password as you have been.