WiFi may well remain an extremely insecure way to connect: after vulnerabilities were discovered in the WPA2 security protocol, its successor, WPA3, was meant to strengthen the security of wireless networks, at the cost of a very slow transition. Yet even before it could be widely deployed, researchers have discovered several flaws that allow an attacker to recover the key of a WiFi network.

The security of WiFi networks is called into question time and again: in January 2017, an exploit against the WPA2 security protocol, KRACK, made headlines. And for good reason: this vulnerability opened the way to a whole family of attacks, called Key Reinstallation Attacks, that make it easier for hackers to obtain WiFi keys without authorization. The only way to remedy the problem was to set up a new protocol. So, from 2018, the WiFi Alliance launched WPA3, a new version of the protocol that secures connections to wireless networks.
WPA3 is already cracked
First problem: launching a new WiFi security protocol is not easy. Compatible routers must be available, and every device, smartphones and computers included, must be updated; in many cases, this "update" actually means replacing the hardware. Now a second problem has surfaced: the first implementations of WPA3-Personal contain critical vulnerabilities that allow an attacker to recover the WiFi key, just as was already the case with WPA2.
Security researchers Mathy Vanhoef and Eyal Ronen explain on the blog The Hacker News: "In practice, attackers can read information that WPA3 was supposed to encrypt securely. This can be exploited to steal sensitive information during its transmission, such as credit card numbers, passwords, chat messages, emails, etc." The researchers point to the new handshake protocol used to initiate the connection, called Dragonfly.
According to them, it suffers from two kinds of design flaws. The first allows an attacker to force the use of WPA2, because the first implementations of the protocol include a hybrid (transition) mode to maximize compatibility with older devices. All that is required is to set up an access point that only accepts WPA2, then carry out a KRACK attack against that protocol. The researchers also describe a second type of attack that comes in two variants: cache-based and timing-based.
WiFi Alliance works with vendors to patch affected devices
They say: "For our password partitioning attack, we need to record multiple handshakes with different MAC addresses. We can get handshakes with different MAC addresses by targeting multiple clients on the same network (e.g., convince multiple users to download the same malicious application). If we can only attack one client, we can set up rogue APs with the same SSID and a spoofed MAC address."
In addition, the researchers documented a Denial of Service attack that can be launched by saturating an access point, "by initiating a large number of handshakes with a WPA3-compatible access point", while bypassing the mechanism that is supposed to protect the protocol against such attacks. Not content with revealing these flaws, the researchers have developed four experimental tools to exploit them.
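As an added illustration (not part of the article, and not the researchers' tooling), the following Python sketches how a wireless monitoring pipeline could flag the two situations described above from a defender's side: an access point advertising the network's SSID from a BSSID the operator does not own or without SAE-only security (the setup needed to force WPA2), and a burst of SAE handshake attempts from many distinct client MAC addresses against one access point (the pattern behind both the handshake-saturation DoS and the multi-handshake password partitioning attack). The log format, SSID, BSSIDs and thresholds are all constructed for the example.

```python
import re
from collections import defaultdict
# Constructed monitor-log format (not a real tool's output), one event per line:
#   <t_sec> BEACON bssid=<mac> ssid=<name> akm=<SAE|PSK|PSK+SAE>
#   <t_sec> SAE_COMMIT ap=<mac> sta=<mac>
LINE_RE = re.compile(r"^(?P<t>\d+(?:\.\d+)?)\s+(?P<kind>\w+)\s+(?P<kv>.*)$")
# Assumed deployment: SSID "corp-wifi" served by two BSSIDs we own, configured WPA3-SAE only.
OWN_BSSIDS = {"aa:bb:cc:00:00:01", "aa:bb:cc:00:00:02"}
SAMPLE_LOG = [
    "100.0 BEACON bssid=aa:bb:cc:00:00:01 ssid=corp-wifi akm=SAE",
    "100.5 BEACON bssid=de:ad:be:ef:00:01 ssid=corp-wifi akm=PSK",      # foreign AP, WPA2 only
    "101.0 BEACON bssid=aa:bb:cc:00:00:02 ssid=corp-wifi akm=PSK+SAE",  # own AP left in transition mode
] + [f"{110 + 0.2 * i:.1f} SAE_COMMIT ap=aa:bb:cc:00:00:01 sta=02:00:00:00:{i:02x}:01"
     for i in range(12)]  # 12 handshakes from 12 distinct client MACs within 2.2 s

def parse(line):
    """Split one log line into (timestamp, event kind, key/value dict); None if malformed."""
    m = LINE_RE.match(line.strip())
    return (float(m["t"]), m["kind"], dict(p.split("=", 1) for p in m["kv"].split())) if m else None

def suspicious_beacons(lines, ssid, own_bssids):
    """Beacons for our SSID from a BSSID we do not own, or from our own AP that is not SAE-only."""
    findings = []
    for t, kind, kv in filter(None, map(parse, lines)):
        if kind != "BEACON" or kv.get("ssid") != ssid:
            continue
        if kv["bssid"].lower() not in own_bssids:
            findings.append((t, kv["bssid"], "unknown BSSID advertising our SSID"))
        elif kv.get("akm") != "SAE":
            findings.append((t, kv["bssid"], "own BSSID not SAE-only (transition mode permits WPA2)"))
    return findings

def sae_commit_bursts(lines, window=10.0, max_commits=20, max_stas=10):
    """Per AP, slide a time window over SAE_COMMIT events; report the first window holding too many
    handshakes or too many distinct client MACs, as (ap, t, commits, distinct_stas)."""
    per_ap = defaultdict(list)
    for t, kind, kv in filter(None, map(parse, lines)):
        if kind == "SAE_COMMIT":
            per_ap[kv["ap"]].append((t, kv["sta"]))
    alerts = []
    for ap, events in per_ap.items():
        events.sort()
        start = 0
        for end, (t, _) in enumerate(events):
            while t - events[start][0] > window:  # drop events that fell out of the window
                start += 1
            stas = {sta for _, sta in events[start:end + 1]}
            if end - start + 1 >= max_commits or len(stas) >= max_stas:
                alerts.append((ap, t, end - start + 1, len(stas)))
                break
    return alerts
```

On the constructed log, the beacon check reports the foreign WPA2-only access point and the owned access point still in transition mode, and the burst check fires as soon as ten distinct client MACs have started handshakes with one access point inside the window.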
For its part, the Wi-Fi Alliance says it is working with vendors to patch these flaws. The association speaks of case-by-case updates from vendors of WPA3-compatible hardware; these updates should not, however, affect the interoperability of compatible devices: "These updates do not require any changes that affect interoperability between WiFi devices. Users can expect all their WiFi devices, whether patched or unpatched, to continue to work well together."
If further flaws were to be discovered, this could at least have one positive effect: pushing the development of more secure alternative wireless technologies such as LiFi, which is much harder to attack since it relies on light, which, until proven otherwise, does not pass through walls...