WPA3 for Wi-Fi systems is generally acknowledged to be more secure than WPA2. For example, it introduces SAE with the Dragonfly handshake, in an attempt to close the door on the kind of brute force dictionary attacks that WPA2 could be susceptible to. However, even WPA3 has its vulnerabilities. Perhaps the most risky of these include:

  1. WPA3 Transition Mode, meant to support a transition period where some devices are not yet WPA3-capable, and so could be exploited to perform downgrade attacks. One canonical way to do this would be with a rogue AP that forces WPA3-capable devices to downgrade to use WPA2 with the rogue AP (by taking advantage of the genuine AP's use of WPA3 Transition Mode).
  2. Side-channel attacks on Dragonfly.

Here's a recent paper that analyzes the security vulnerabilities in WPA3.

While IEEE SA and the Wi-Fi Alliance are working on fixes, together with the vendors, what do we do in the meantime, for the following two cases?

  • I have a WPA3 capable Wi-Fi device/phone
  • I administer a Wi-Fi network in a small office/home environment. All the APs are WPA3-capable.
auspicious99
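For the second case (administering a small network where every AP is WPA3-capable), the practical question is what each AP actually advertises in its beacon: an AP in WPA3 Transition Mode lists both the PSK and the SAE AKM suites in its RSN element, which is exactly the detail a client remembers and the rogue-AP downgrade described above relies on. The check below is an added example (not code from the question or its comments): it builds a few RSN element bodies as constructed sample data, parses the AKM list and the Management Frame Protection bits from them, and reports whether each AP is WPA3-only, in transition mode, or WPA2-only. The SSIDs and the three sample beacons are invented; in a real audit the element body would come from captured beacons (for instance element ID 48 via a packet library such as scapy, an assumption about tooling rather than part of this example).

```python
import struct

# IEEE 802.11 RSN suite selector OUI (00-0F-AC); the 4th byte is the suite type.
RSN_OUI = b"\x00\x0f\xac"

# AKM suite types from IEEE 802.11 that this check distinguishes.
AKM_PSK = 2
AKM_PSK_SHA256 = 6
AKM_SAE = 8
AKM_NAMES = {1: "802.1X", AKM_PSK: "PSK", AKM_PSK_SHA256: "PSK-SHA256", AKM_SAE: "SAE"}

# RSN Capabilities field bits: Management Frame Protection Required / Capable.
MFPR_BIT = 1 << 6
MFPC_BIT = 1 << 7


def build_rsn_ie(akms, mfpc=False, mfpr=False):
    """Build the body of an RSN element (constructed sample data, not a capture).

    CCMP-128 is used for both the group and the pairwise cipher; only the AKM
    list and the MFP capability bits vary between the sample beacons below.
    """
    body = struct.pack("<H", 1)                          # RSN version 1
    body += RSN_OUI + bytes([4])                         # group cipher: CCMP-128
    body += struct.pack("<H", 1) + RSN_OUI + bytes([4])  # one pairwise cipher: CCMP-128
    body += struct.pack("<H", len(akms))                 # AKM suite count
    for akm in akms:
        body += RSN_OUI + bytes([akm])
    caps = (MFPC_BIT if mfpc else 0) | (MFPR_BIT if mfpr else 0)
    body += struct.pack("<H", caps)                      # RSN Capabilities
    return body


def parse_rsn_ie(body):
    """Parse the AKM suite list and the MFP bits out of an RSN element body."""
    off = 2                                              # skip version
    off += 4                                             # skip group cipher suite
    (n_pair,) = struct.unpack_from("<H", body, off)
    off += 2 + 4 * n_pair                                # skip pairwise cipher list
    (n_akm,) = struct.unpack_from("<H", body, off)
    off += 2
    akms = []
    for _ in range(n_akm):
        suite = body[off:off + 4]
        off += 4
        if suite[:3] == RSN_OUI:                         # ignore vendor-specific AKMs
            akms.append(suite[3])
    caps = 0
    if off + 2 <= len(body):                             # RSN Capabilities is optional
        (caps,) = struct.unpack_from("<H", body, off)
    return {"akms": akms, "mfpc": bool(caps & MFPC_BIT), "mfpr": bool(caps & MFPR_BIT)}


def classify_ap(body):
    """Return (mode, findings) for one AP's RSN element body."""
    info = parse_rsn_ie(body)
    akms = set(info["akms"])
    has_sae = AKM_SAE in akms
    has_psk = bool(akms & {AKM_PSK, AKM_PSK_SHA256})
    if has_sae and has_psk:
        mode = "WPA3 Transition Mode"
    elif has_sae:
        mode = "WPA3-only (SAE)"
    elif has_psk:
        mode = "WPA2-Personal"
    else:
        mode = "other/enterprise"

    findings = []
    if has_sae and has_psk:
        findings.append("advertises PSK next to SAE: clients that saved this profile "
                        "may later accept a PSK-only AP with the same SSID")
    if has_sae and not info["mfpr"]:
        findings.append("MFP is not required (MFPR=0): a WPA3-only network should require it")
    if has_psk and not has_sae:
        findings.append("no SAE offered: a captured 4-way handshake stays exposed "
                        "to offline dictionary attack")
    return mode, findings


# Constructed sample beacons (SSID -> RSN element body); not real captures.
SAMPLE_BEACONS = {
    "office-ap-1": build_rsn_ie([AKM_SAE], mfpc=True, mfpr=True),        # WPA3-only
    "office-ap-2": build_rsn_ie([AKM_PSK, AKM_SAE], mfpc=True, mfpr=False),  # transition
    "guest": build_rsn_ie([AKM_PSK]),                                     # WPA2 only
}


def audit(beacons):
    """Classify every AP in a SSID -> RSN body mapping."""
    return {ssid: classify_ap(body) for ssid, body in beacons.items()}


if __name__ == "__main__":
    for ssid, (mode, findings) in audit(SAMPLE_BEACONS).items():
        print(f"{ssid}: {mode}")
        for finding in findings:
            print(f"  - {finding}")
```

Once every client on the network is WPA3-capable, the fix for the first finding is to take the AP out of transition mode so the beacon carries only the SAE AKM and requires MFP (on hostapd that is `wpa_key_mgmt=SAE` with `ieee80211w=2`); the check above then reports "WPA3-only (SAE)" with no findings, which is the state worth confirming after each firmware or configuration change.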
  • If there is a rogue AP that knows the PSK, they could already trick clients into connecting, allowing monitoring of all traffic without attacking WPA3 at all. – multithr3at3d May 29 '20 at 17:10
  • We need to divide the clients into those that have previously connected to the genuine AP, and those that haven't. For those that previously haven't, all bets are off, sure. For those that have previously connected, typically they would remember the parameters broadcast in the beacon of that AP before. So, if it had been broadcasting support for WPA3 only, the clients should only be trying WPA3 (if they still allow themselves to be tricked into connecting with WPA2, that's another downgrade attack based on that client issue, not related to WPA3 Transition Mode). – auspicious99 May 30 '20 at 06:44
  • However, despite this normal behavior of clients, now if we consider the case of WPA3 Transition Mode, support for both WPA3 and WPA2 would be broadcast by the genuine AP's beacon, so even normal clients who have stored these details, in the future, may try to connect with WPA2. So a rogue AP could get enough of the WPA2 4-way handshake to then mount a dictionary attack, *without* having prior knowledge of the PSK. – auspicious99 May 30 '20 at 06:46
  • Since WPA3 Transition Mode may be in common use for years, it becomes a non-trivial concern. – auspicious99 May 30 '20 at 06:48
  • Amazing paper! As they say inside the paper: "Dragonfly supports Elliptic Curve Cryptography (ECC) with elliptic curves over a prime field (ECP groups), and Finite Field Cryptography (FFC) with multiplicative groups modulo a prime (MODP groups)." Can those protocols be compromised since they are used by Dragonfly and not alone? I mean something between the handshakes and the ECC realizations? – just_learning Jun 05 '22 at 10:25
  • @just_learning I am not aware of specific compromises related to these, although poor choice of ECP groups or MODP groups may be risky. – auspicious99 Jun 05 '22 at 16:12
  • Is there any other way that makes WPA-3 vulnerable to attacks? – just_learning Jun 05 '22 at 16:28
  • @just_learning This question is perhaps more suitable for its own question post. Would you like to write a question for it and post the question? – auspicious99 Jun 06 '22 at 03:11

0 Answers