Vulnerabilities of WPA3 Giving Hackers an Easy Way to Steal Passwords

Flaws in the WPA3 (Wi-Fi Protected Access 3) security standard could let hackers obtain Wi-Fi passwords easily. WPA3 was launched in January 2018 and uses the Advanced Encryption Standard (AES) to improve Wi-Fi network security. New research by Mathy Vanhoef and Eyal Ronen suggests that the protocol is not as secure as it might appear.

WPA3 was claimed to improve on WPA2 in several ways, such as protection against offline dictionary attacks and forward secrecy, and WPA3 certification was also aimed at making Wi-Fi networks more secure. The study, however, found many design flaws in WPA3, which the researchers analyzed both theoretically and empirically.

To obtain the password of a Wi-Fi network, hackers can leverage either timing or cache-based side-channel leaks. According to the researchers, this technique can also be used to steal other sensitive information that is transmitted, including passwords, emails, chat messages or even credit card numbers.

These password attacks can affect the Dragonfly handshake of WPA3, also known as Simultaneous Authentication of Equals (SAE). The attacks are similar to dictionary attacks and allow hackers to steal passwords by abusing timing or cache-based side-channel leaks.

The side-channel attacks target the protocol's password encoding method; the cache-based attack exploits SAE's hash-to-curve algorithm.

The researchers also discovered a denial-of-service attack, in which multiple handshakes are initiated with a WPA3-enabled access point.

Users can check for these vulnerabilities themselves: the researchers have published four proof-of-concept tools on GitHub.

The researchers said that all of their attacks target SAE's password encoding method, that is, the hash-to-group and hash-to-curve algorithms, and could easily be prevented by a slight change to those algorithms.

In response, the Wi-Fi Alliance stated that all of these vulnerabilities can be resolved through a simple, routine software update, much like the updates people regularly install for their mobile apps.
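
The password-encoding weakness the researchers describe can be seen in a simplified model, added here as an illustration and not taken from the researchers' tools or any Wi-Fi implementation. SAE's hash-to-curve step tries candidates until one lands on the curve, so an early-exit loop runs a password-dependent number of times, while a fixed number of rounds removes that signal. The HMAC-SHA256 derivation, the function names, the MAC addresses and the passwords are assumptions constructed for the example.

```python
import hashlib
import hmac

# NIST P-256 domain parameters (a curve SAE can be run over).
P = 2**256 - 2**224 + 2**192 + 2**96 - 1
A = P - 3
B = 0x5AC635D8AA3A93E7B3EBBD55769886BC651D06B0CC53B0F63BCE3C3E27D2604B

def candidate_x(password, mac_a, mac_b, counter):
    # Assumption: HMAC-SHA256 stands in for SAE's real key derivation.
    key = max(mac_a, mac_b) + min(mac_a, mac_b)
    msg = password + counter.to_bytes(2, "big")
    return int.from_bytes(hmac.new(key, msg, hashlib.sha256).digest(), "big")

def on_curve(x):
    # Usable if x < P and x^3 + Ax + B is a non-zero square mod P (Euler's criterion).
    if x >= P:
        return False
    rhs = (pow(x, 3, P) + A * x + B) % P
    return pow(rhs, (P - 1) // 2, P) == 1

def encode_leaky(password, mac_a, mac_b):
    """Stop at the first hit: the loop count, and so the run time, depends on the password."""
    counter = 1
    while not on_curve(candidate_x(password, mac_a, mac_b, counter)):
        counter += 1
    return candidate_x(password, mac_a, mac_b, counter), counter

def encode_fixed(password, mac_a, mac_b, rounds=40):
    """Always run `rounds` iterations and keep the first hit."""
    found = None
    for counter in range(1, rounds + 1):
        x = candidate_x(password, mac_a, mac_b, counter)
        hit = on_curve(x)  # evaluated every round, hit or not
        if hit and found is None:
            found = x
    return found, rounds

def iteration_counts(encoder, passwords, mac_a, mac_b):
    """Distinct loop counts seen across passwords; more than one means a timing signal."""
    return {encoder(pw, mac_a, mac_b)[1] for pw in passwords}

# Constructed sample inputs, not real credentials or devices.
AP_MAC = bytes.fromhex("020000000001")
STA_MAC = bytes.fromhex("020000000002")
PASSWORDS = [f"sample-pass-{i}".encode() for i in range(64)]

if __name__ == "__main__":
    print("early exit :", sorted(iteration_counts(encode_leaky, PASSWORDS, AP_MAC, STA_MAC)))
    print("fixed count:", sorted(iteration_counts(encode_fixed, PASSWORDS, AP_MAC, STA_MAC)))
```

The fixed-round version only removes the iteration-count signal; a production implementation also needs a constant-time residue test and a branch-free selection of the result.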

WPA-Personal is still in its early stages of deployment, but the affected device manufacturers have already started working to resolve these issues.

The software updates do not require any changes that affect interoperability between devices. Users who want further information can consult the websites of their device providers.


Photo: Ten One Design
