WPA3, the third generation of Wi-Fi security, has one giant flaw: You


Few people are overly concerned with Wi-Fi security, happy to connect to public wireless networks and do little to even protect their own home networks. As long as it has a password, we think we’re safe.

As usual, keeping yourself secure is never as easy as it seems. Password protection forms part of a system called Wi-Fi Protected Access, or WPA, which is about to get more secure in the form of WPA3. Despite the improvements it brings, WPA will never be a silver bullet.

There are some serious flaws in it that have been present since the very first WPA was initiated. Until we face those, our wireless networks will always have a gaping hole in their wall of protection.

Slaying dragons

Password and encryption protection were a major point of WPA2’s creation and proliferation and have ensured that most of us remain safe when connecting our myriad of contemporary devices to Wi-Fi networks. But WPA2 has serious flaws that WPA3 was designed to fix.

Where WPA2 uses a pre-shared key exchange and weaker encryption, WPA3 upgrades to 128-bit encryption and uses a system called Simultaneous Authentication of Equals (SAE), colloquially known as a Dragonfly handshake. It forces network interaction on every login attempt, so hackers can’t run a dictionary attack by downloading a login’s cryptographic hash, breaking it offline with cracking software, and then using other tools to snoop on network activity.

But Dragonfly and WPA3 itself are also vulnerable to some dangerous flaws of their own and some of the worst ones have been present in WPA protected networks since their inception. These exploits have been collected under the banner name of Dragonblood and unless addressed, they could mean that WPA3 isn’t that much more secure than WPA2, because the methods used to circumvent its protections haven’t really changed.

There are six problems highlighted by Mathy Vanhoef in his Dragonblood exposé, but almost all of them are made possible by an age-old Wi-Fi hacking technique called an evil twin.

You look so alike…

“The biggest flaw that’s been around in Wi-Fi for 20 years is that you, me, my sister (who isn’t technical) can all launch an evil twin attack just by using our cellphones,” WatchGuard Technologies’ director of product management, Ryan Orsi, told Digital Trends. “[Let’s say] you have a smartphone and take it out of your pocket, walk in your office and it has a WPA3 password protected Wi-Fi network. You look at the name of that Wi-Fi network […] if you change your phone’s name to [the same name] and you turn on your hotspot, you have just launched an evil twin attack. Your phone is broadcasting the exact same Wi-Fi network.”


Although users connecting to your spoofed, evil twin network are giving away a lot of their information by using it, they are potentially weakening their security even more. This attack could be carried out with a smartphone that only supports WPA2. Even if the potential victim can support WPA3 on their device, you’ve effectively downgraded them to WPA2 thanks to WPA3’s backwards compatibility.

It’s known as WPA3-Transition Mode, and it allows a network to operate WPA3 and WPA2 protections with the same password. That’s great for encouraging the uptake of WPA3 without forcing people to switch immediately, and it accommodates older client devices, but it’s a weak point in the new security standard which leaves everyone vulnerable.

“You’ve now launched the beginning of a Dragonblood attack,” Orsi continued. “You’re bringing in an evil twin access point that’s broadcasting a WPA2 version of the Wi-Fi network and victim devices don’t know the difference. It’s the same name. What’s the legitimate one and which is the evil twin one? It’s hard for a device or human being to tell.”

But WPA3’s Transition Mode isn’t its only weak point for potential downgrade attacks. Dragonblood also covers a security group downgrade attack which allows those using an evil twin attack to decline initial requests for WPA3 security protections. The client device will then attempt to connect again using a different security group. The fake network can simply wait until a connection attempt is made using inadequate security and accept it, weakening the victim’s wireless protections considerably.
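The downgrade described above leaves a visible trace: the same network name advertised by an access point that is not yours, or without WPA3-SAE. The following is an added example, not code from the article or from the Dragonblood research, that checks scan results against an inventory of your own access points; the SSIDs, BSSIDs, inventory layout and scan records are all constructed assumptions.

```python
# Added example: flag evil-twin / downgrade candidates in Wi-Fi scan results.
# All SSIDs, BSSIDs and scan records below are constructed sample data.
from dataclasses import dataclass

@dataclass(frozen=True)
class Beacon:
    ssid: str
    bssid: str
    akms: frozenset   # key-management suites advertised, e.g. {"SAE", "PSK"}

# Assumed inventory: the BSSIDs and AKM suites the site's own APs use per SSID.
KNOWN = {
    "CorpNet": {
        "bssids": {"02:00:00:aa:00:01", "02:00:00:aa:00:02"},
        "akms": frozenset({"SAE", "PSK"}),   # WPA3-Transition Mode
    },
}

def findings(beacons, known=KNOWN):
    """Return (bssid, reason) pairs for beacons that deviate from inventory."""
    out = []
    for b in beacons:
        site = known.get(b.ssid)
        if site is None:
            continue                      # not one of our network names
        if b.bssid not in site["bssids"]:
            out.append((b.bssid, "unknown BSSID using our SSID"))
        if "SAE" in site["akms"] and "SAE" not in b.akms:
            out.append((b.bssid, "SSID offered without WPA3-SAE (downgrade)"))
        if not b.akms:
            out.append((b.bssid, "SSID offered as open network"))
    return out

SCAN = [  # constructed scan results
    Beacon("CorpNet", "02:00:00:aa:00:01", frozenset({"SAE", "PSK"})),
    Beacon("CorpNet", "02:00:00:bb:00:09", frozenset({"PSK"})),
    Beacon("CoffeeShop", "02:00:00:cc:00:03", frozenset()),
]

if __name__ == "__main__":
    for bssid, reason in findings(SCAN):
        print(bssid, reason)
```

A BSSID can be copied as easily as a network name, so a matching BSSID proves nothing on its own; the missing SAE suite is the stronger signal of the two.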

As Orsi highlighted, evil twin attacks have been a problem with Wi-Fi networks for well over a decade, especially public ones where users may not be aware of the name of the network they’re planning to connect to ahead of time. WPA3 does little to protect against this, because the problem isn’t technically with the technology itself, but in the user’s ability to differentiate between legitimate networks and phony ones. There is nothing within device Wi-Fi menus that suggests which networks are safe to connect to and which aren’t.


According to Dragonblood author Mathy Vanhoef, it can cost as little as $125 of Amazon AWS computing power – running a piece of password cracking software – to crack eight-character, lower-case passwords, and there are plenty of services that may even prove more competitive than that. If a hacker can then steal credit card or banking information, that investment is quickly recouped.

“If the evil twin is there, and a victim connects to it, the splash page pops up. The splash page on an evil twin is actually coming from the attacker’s laptop,” Orsi told Digital Trends. “That splash page can have malicious JavaScript or a button and ‘click-here to agree, please download this software to connect to this hotspot.’”

Stay safe by being safe

“[WPA security] problems aren’t going to be solved until the general consumer can see on their device instead of a little padlock to mean password protected, there’s some other symbol or visual indicator that says this isn’t an evil twin,” Orsi said. “[We should] offer people a visual symbol that has strong technical roots but they don’t have to understand it. It should say, this is the one you can trust. Book your hotel with a credit card on this Wi-Fi because it’s the right one.”

Such a system would require the IEEE (Institute of Electrical and Electronics Engineers) to ratify it as part of a new Wi-Fi standard. The Wi-Fi Alliance, which owns the copyright for “Wi-Fi,” would then need to decide on an emblem and push out the update to manufacturers and software providers to make use of it. Making such a change to Wi-Fi as we know it would require a huge undertaking by many companies and organizations. That’s why Orsi and WatchGuard want to sign people up to show their support for the idea of a new, trusted wireless system that gives a clear visual indicator to help people stay safe on Wi-Fi networks.

Until such a thing happens, there are still some steps you can take to protect yourself. The first piece of advice that Orsi gave us was to update and patch everything – especially if it adds WPA3 security. As much as it’s flawed, it’s still far better than WPA2 – that’s why so many of the Dragonblood attacks are focused on downgrading the security where possible.


That’s something Malwarebytes’ Jean-Philippe Taggart told Digital Trends too. As flawed as WPA3 might be, it’s still an upgrade. Making sure any WPA3 devices you do use are running the latest firmware is massively important too. That could help mitigate some of the side-channel attacks that were present in early WPA3 releases.

If you’re a regular user of public Wi-Fi networks (or even if you’re not), Orsi also recommends taking steps to use a VPN, or virtual private network. These add an additional layer of encryption and obfuscation to your connection by routing it through a third-party server. That can make it much harder for local attackers to see what you’re doing online, even if they do manage to gain access to your network. It also hides your traffic from remote attackers and possibly any three-letter agencies that might be watching.

When it comes to securing your Wi-Fi at home, we’d recommend a strong network password too. The dictionary attacks and brute force hacks made possible by many of the Dragonblood exploits are useless if your password is complicated, long, and unique. Store it in a password manager if you’re not sure you’ll remember it. Change it infrequently too. You never know whether your friends and family have been as secure with your Wi-Fi password as you have been.

