back to article Bug-hunters punch huge holes in WPA3 standard for Wi-Fi security

Researchers have detailed a set of side-channel and downgrade attacks that potentially allow an attacker to compromise Wi-Fi networks equipped with WPA3 protections. Mathy Vanhoef, of New York University Abu Dhabi, and Eyal Ronen, of Tel Aviv University, have disclosed five different methods for breaking into or disrupting …

  1. YetAnotherJoeBlow

    Again?

    Maybe the standards bodies should run a new standard the way NIST does for encryption algorithms. Perhaps they wouldn't look so bad as someone always breaks it the way it is currently done. I mean really, after all this time it's that easy?

    1. Pascal Monett Silver badge

      Re: Again?

      Then again, it took all this time to discover the weaknesses. It's the glass half full problem.

      Security is a lot more difficult when you have to allow falling back to an insecure solution. It's almost like backdooring encryption, isn't it senators ?

      1. mj.jam

        Re: Again?

        It didn't take that long. This was only announced last summer, and given they have been working with WiFi Alliance and manufacturers on a responsible disclosure, then this is only a few months from release.

    2. DougS Silver badge

      Everyone saw this coming

      They rolled their own handshaking protocol and kept it secret, so no one with a clue was surprised to see it broken. Its almost as if that was their goal, so they can go to WPA4 and sell everyone new routers - though this happened so quickly hardly anyone has WPA3 routers yet.

    3. David Shaw
      Boffin

      Re: Again?

      a substantial number of the standards development engineers that I have encountered in communications technology standards development have apparently both overt and covert agendas; there be squirrels.

      I think it is even legal nowadays, but it wasn't when I first noticed the subversion.

  2. Bronek Kozicki Silver badge
    Thumb Up

    Good

    Now I know there is no reason for me to buy new, WPA3-compliant WiFi access points for my network. So I won't bother!

    1. Wellyboot Silver badge

      Re: Good

      Yup, we now save somecash waiting for 3.1 or whatever in howevermany more years..

      1. Anonymous Coward
        Anonymous Coward

        Re: Good

        So the way I read all that was, there are some very expensive and complex cracking methods that are just clickbait noise and unlikely to affect real people, and hidden there is a real one that makes WPA3 no more (or less) secure than WPA2...

        Is that about right?

    2. JohnFen Silver badge

      Re: Good

      Personally speaking. WiFi security has a long track record of being terrible, and I expect that won't change anytime soon. So I stopped relying on it a long time ago. What I do instead is run my WiFi AP as its own subnet, and the only thing you can do through it is to connect to the VPN server that I run.

      If any attackers break the WiFi security, it gets them nothing. They'll have to go on to break the VPN security as well.

      1. Anonymous Coward
        Anonymous Coward

        Re: Good

        "WiFi security has a long track record of being terrible"

        You really need to add "using pre-shared keys".

        If you are running a VPN server, use RADIUS and run one of the EAP solutions (EAP-TLS is recommended) as it allows you to rotate your session keys which significantly limits the available wifi attacks. And allows you to avoid any VPN packet header overhead issues.

        It's not quite as secure as the highest security VPN options (limited to AES128 but no PFS options) but should exceed most requirements. WPA3 adds perfect forward secrecy (PFS) and protected management frames which should provide a small bump in security, but I suspect it opens the way to WPA4 for AES256 with further improvements given how common AES-NI offload hardware has become.

        1. JohnFen Silver badge

          Re: Good

          Yes, I'm aware of that alternative. The problem is that when I use it and then pentest my setup, I can still break into it. Not as quickly, certainly, but if I'm running an always-on WiFi AP in a fixed location, the amount of time required to break it is not important.

          > And allows you to avoid any VPN packet header overhead issues.

          VPN overhead is not something that is a problem for me. It's plenty fast.

        2. Michael Wojcik Silver badge

          Re: Good

          run one of the EAP solutions

          As long as it's not EAP-PWD...

          I've seen the embargoed attack mentioned at the end of the article. There are caveats, but it's real.

  3. mj.jam

    Note that the client performs the same authentication procedure as the router. Therefore the side-channel methods also apply to the client. This means that observing the memory access patterns is far more of an issue on the client.

    The downgrade attacks also are against the client, not the router. The attacker spoofs the access point, and tells the client that it doesn't support WPA3, so the client tries WPA2.

    1. DougS Silver badge

      That should be easy to fix

      Clients that remember past associations as most do should refuse to downgrade the connection if it had previously connected with WPA3.

  4. adfh

    Oh for the love of ...

    Seriously, who keeps coming up with this crap? Is it down to cost optimisation on the hardware? Rules around encryption on consumer devices? The need to rush the next thing to market?

    1. Michael Wojcik Silver badge

      Cryptography is hard - in theory and even more so in implementation. Side channels are hard to eliminate or whiten.

      There are formal methods and automated systems which could be applied to the design and implementation of cryptographic protocols and would catch some of these issues, but they're expensive and difficult to use in practice, and expertise in them is scant.

      That said, wireless-communications crypto in particular has an unfortunate history, from WEP to the original Bluetooth spec to A5/1 to this set of vulnerabilities in WPA-3. The Wi-Fi Alliance and similar groups might want to think about some changes to their procedures.

  5. sitta_europea Bronze badge

    "... transition mode is designed to allow both newer WPA3 and older WPA2-only devices to use the same password ..."

    Some security wizard thought this was a good idea?

    1. Giovani Tapini Silver badge

      @sitta_europea

      does not need much wizardry, its a weakness of the old protocol really. If you change the process too much there will be no back compatibility for the billions of devices out there. This would probably mean the no adoption at all, even if better. This is a battle IT will never win, as backward compatibility protocol "downgrades" appear in all sorts of places.

    2. DMcDonnell

      At least give users the option to turn the downgrade function off.. Or better yet OFF by default.

      1. Steve 53

        Off by default? Have you met the general public?...

    3. Korev Silver badge

      I kind of agree; but for a network of any size, changing encryption overnight will be very complex. Moreover, there will be many clients & APs that can't be upgraded.

  6. Nano nano

    Timing based attack ?

    Not that "time taken to compute" issue again ? I thought anyone doing a hard sum that could leak info due to time taken, would have known to fuzz that by now.

  7. FlamingDeath Bronze badge

    WPA3™©®℗℠

    https://www.wi-fi.org/who-we-are/our-brands

    Haaaaaahahahahaha WHAT?

  8. EnviableOne Bronze badge

    Roll on WPA3.1

    and some offload ASICs for commit frame calculations

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2019