UPDATED 22:43 EST / APRIL 11 2019

SECURITY

Security researchers uncover vulnerabilities in ‘unhackable’ new Wi-Fi standard

The next generation of Wi-Fi security launched in June 2018 with a claim to be the safest, most secure iteration of WiFi, but now two security researchers have found it’s hackable after all.

The find comes from Mathy Vanhoef of New York University Abu Dhabi and Eyal Ronen of Tel Aviv University, who disclosed Wednesday that they had found not one but five different methods that can be used to hack the next-gen WPA3 standard.

The methods involve intercepting and taking over the WPA3 handshake system, dubbed “Dragonblood.” A handshake in this context is the automated process of negotiation between a person wanting to connect to a Wi-Fi access point and the router hosting it — essentially the connection process when a user attempts to log into a Wi-Fi access point.

In WPA3’s case, the researchers found that the protocol contains design flaws that allow for downgrade attacks and side-channel leaks that can be exploited for attacks. As detailed by the researchers, WPA3 is open to downgrade attack as networks using the standard can be coerced into using an older and less secure password exchange system, allowing attackers to retrieve network passwords using older flaws.

On the side-channel side, an attacker can trick a device into using weaker algorithms that leak small amounts of information about the network password. Over time with repeated attacks, the flaw ultimately allows an attacker to obtain a full password.

“Unfortunately, we found that even with WPA3, an attacker within range of a victim can still recover the password of the network,” the researchers noted. “This allows the adversary to steal sensitive information such as credit cards, password, emails, and so on, when the victim uses no extra layer of protection such as HTTPS.”

Surprisingly, the Wi-Fi Alliance, the body behind the standard, took a defensive stance, claiming in a statement that the vulnerability only pertains to a limited number of early implementations of WPA3 standard.

‘WPA3-Personal is in the early stages of deployment and the small number of device manufacturers that are affected have already started deploying patches to resolve the issues,” the alliance said. “These issues can all be mitigated through software updates without any impact on devices’ ability to work well together. There is no evidence that these vulnerabilities have been exploited.”

Photo: PublicDomainPictures

A message from John Furrier, co-founder of SiliconANGLE:

Your vote of support is important to us and it helps us keep the content FREE.

One click below supports our mission to provide free, deep, and relevant content.  

Join our community on YouTube

Join the community that includes more than 15,000 #CubeAlumni experts, including Amazon.com CEO Andy Jassy, Dell Technologies founder and CEO Michael Dell, Intel CEO Pat Gelsinger, and many more luminaries and experts.

“TheCUBE is an important partner to the industry. You guys really are a part of our events and we really appreciate you coming and I know people appreciate the content you create as well” – Andy Jassy

THANK YOU