WPA3, the third generation of Wi-Fi security, has one giant flaw: You


Few people are overly concerned with Wi-Fi security, happy to connect to public wireless networks and do little to even protect their own home networks. As long as it has a password, we think we’re safe.

As usual, keeping yourself secure is never as easy as it seems. Password protection forms part of a system called Wi-Fi Protected Access, or WPA, which is about to get more secure in the form of WPA3. Despite the improvements it brings, WPA will never be a silver bullet.

There are some serious flaws in it that have been present since the very first WPA was initiated. Until we face those, our wireless networks will always have a gaping hole in their wall of protection.

Slaying dragons

Password and encryption protection were a major point of WPA2’s creation and proliferation and have ensured that most of us remain safe when connecting our myriad of contemporary devices to Wi-Fi networks. But WPA2 has serious flaws that WPA3 was designed to fix.

Where WPA2 uses a pre-shared key exchange and weaker encryption, WPA3 upgrades to 128-bit encryption and uses a system called Simultaneous Authentication of Equals (SAE), colloquially known as a Dragonfly handshake. SAE forces a live network interaction for every login attempt, so hackers can’t run a dictionary attack offline by downloading a login’s cryptographic hash and feeding it to cracking software, and then use other tools to snoop on network activity.

But Dragonfly and WPA3 itself are also vulnerable to some dangerous flaws of their own and some of the worst ones have been present in WPA protected networks since their inception. These exploits have been collected under the banner name of Dragonblood and unless addressed, they could mean that WPA3 isn’t that much more secure than WPA2, because the methods used to circumvent its protections haven’t really changed.

There are six problems highlighted by Mathy Vanhoef in his Dragonblood exposé, but almost all of them are made possible by an age-old Wi-Fi hacking technique called an evil twin.

You look so alike…

“The biggest flaw that’s been around in Wi-Fi for 20 years is that you, me, my sister (who isn’t technical) can all launch an evil twin attack just by using our cellphones,” WatchGuard Technologies’ director of product management, Ryan Orsi, told Digital Trends. “[Let’s say] you have a smartphone and take it out of your pocket, walk in your office and it has a WPA3 password protected Wi-Fi network. You look at the name of that Wi-Fi network […] if you change your phone’s name to [the same name] and you turn on your hotspot, you have just launched an evil twin attack. Your phone is broadcasting the exact same Wi-Fi network.”


Although users connecting to your spoofed, evil twin network are giving away a lot of their information by using it, they are potentially weakening their security even more. This attack could be carried out with a smartphone that only supports WPA2. Even if the potential victim can support WPA3 on their device, you’ve effectively downgraded them to WPA2 thanks to WPA3’s backwards compatibility.

It’s known as WPA3-Transition Mode, and allows a network to operate WPA3 and WPA2 protections with the same password. That’s great for encouraging the uptake to WPA3 without forcing people to do so immediately, and accommodates older client devices, but it’s a weak point in the new security standard which leaves everyone vulnerable.

“You’ve now launched the beginning of a Dragonblood attack,” Orsi continued. “You’re bringing in an evil twin access point that’s broadcasting a WPA2 version of the Wi-Fi network and victim devices don’t know the difference. It’s the same name. What’s the legitimate one and which is the evil twin one? It’s hard for a device or human being to tell.”

But WPA3’s Transition Mode isn’t its only weak point for potential downgrade attacks. Dragonblood also covers a security group downgrade attack which allows those using an evil twin attack to decline initial requests for WPA3 security protections. The client device will then attempt to connect again using a different security group. The fake network can simply wait until a connection attempt is made using inadequate security and accept it, weakening the victim’s wireless protections considerably.

As Orsi highlighted, evil twin attacks have been a problem with Wi-Fi networks for well over a decade, especially public ones where users may not be aware of the name of the network they’re planning to connect to ahead of time. WPA3 does little to protect against this, because the problem isn’t technically with the technology itself, but in the user’s ability to differentiate between legitimate networks and phony ones. There is nothing within device Wi-Fi menus that suggests which networks are safe to connect to and which aren’t.
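A device menu can't tell the networks apart, but a network owner who knows their own access points can. The sketch below is an added example, not code from the article or from WatchGuard: it compares observed beacons against a baseline of the owner's BSSIDs and expected key-management suites and flags a same-name network that is unknown or advertises WPA2 (PSK) where only WPA3 (SAE) is expected. The SSID, BSSIDs, `KNOWN_APS` and function names are hypothetical, and the scan data is constructed.

```python
from dataclasses import dataclass

# Constructed baseline: the access points the owner actually operates.
# "OfficeNet" is configured WPA3-only (SAE), with no transition mode.
KNOWN_APS = {
    "OfficeNet": {
        "bssids": {"02:00:00:aa:00:01", "02:00:00:aa:00:02"},
        "akms": {"SAE"},
    },
}

@dataclass(frozen=True)
class Beacon:
    ssid: str
    bssid: str
    akms: frozenset  # key-management suites advertised, e.g. {"SAE"} or {"PSK"}

def assess(beacon, known=KNOWN_APS):
    """Return findings for one beacon; an empty list means it matches the baseline."""
    base = known.get(beacon.ssid)
    if base is None:
        return []  # not one of our network names, out of scope
    findings = []
    if beacon.bssid.lower() not in base["bssids"]:
        findings.append("unknown-bssid")
    # BSSIDs can be cloned, so the advertised security is checked independently.
    unexpected = beacon.akms - base["akms"]
    if unexpected:
        findings.append("unexpected-akm:" + ",".join(sorted(unexpected)))
    if not beacon.akms:
        findings.append("open-network")
    return findings

def scan_report(beacons, known=KNOWN_APS):
    """Map (ssid, bssid) -> findings for every beacon that deviates."""
    return {(b.ssid, b.bssid): f for b in beacons if (f := assess(b, known))}

# Constructed scan results: one legitimate AP, one same-name WPA2 twin,
# one known BSSID unexpectedly offering WPA2 as well, one unrelated network.
SAMPLE_SCAN = [
    Beacon("OfficeNet", "02:00:00:aa:00:01", frozenset({"SAE"})),
    Beacon("OfficeNet", "02:00:00:bb:00:09", frozenset({"PSK"})),
    Beacon("OfficeNet", "02:00:00:aa:00:02", frozenset({"PSK", "SAE"})),
    Beacon("CoffeeShop", "02:00:00:cc:00:01", frozenset()),
]

if __name__ == "__main__":
    for key, findings in scan_report(SAMPLE_SCAN).items():
        print(key, findings)
```

The third sample shows why the security check does not rely on the BSSID alone: a known address offering PSK means either the access point has drifted into transition mode or something is impersonating it.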


According to Dragonblood author Mathy Vanhoef, it can cost as little as $125 of Amazon AWS computing power – running a piece of password-cracking software – to decode eight-character, lower-case passwords, and there are plenty of services that may prove even more competitive than that. If a hacker can then steal credit card or banking information, that investment is quickly recouped.

“If the evil twin is there, and a victim connects to it, the splash page pops up. The splash page on an evil twin is actually coming from the attacker’s laptop,” Orsi told Digital Trends. “That splash page can have malicious JavaScript or a button and ‘click-here to agree, please download this software to connect to this hotspot.’”

Stay safe by being safe

“[WPA security] problems aren’t going to be solved until the general consumer can see on their device instead of a little padlock to mean password protected, there’s some other symbol or visual indicator that says this isn’t an evil twin,” Orsi said. “[We should] offer people a visual symbol that has strong technical roots but they don’t have to understand it. It should say, this is the one you can trust. Book your hotel with a credit card on this Wi-Fi because it’s the right one.”

Such a system would require the IEEE (Institute of Electrical and Electronics Engineers) to ratify it as part of a new Wi-Fi standard. The Wi-Fi Alliance, which owns the copyright for “Wi-Fi,” would then need to decide on an emblem and push out the update to manufacturers and software providers to make use of it. Making such a change to Wi-Fi as we know it would require a huge undertaking by many companies and organizations. That’s why Orsi and WatchGuard want to sign people up to show their support for the idea of a new, trusted wireless system that gives a clear visual indicator to help people stay safe on Wi-Fi networks.

Until such a thing happens, there are still some steps you can take to protect yourself. The first piece of advice that Orsi gave us was to update and patch everything – especially if it adds WPA3 security. As much as it’s flawed, it’s still far better than WPA2 – that’s why so many of the Dragonblood attacks are focused on downgrading the security where possible.


That’s something Malwarebytes’ Jean-Philippe Taggart told Digital Trends too. As flawed as WPA3 might be, it’s still an upgrade. Making sure any WPA3 devices you use are running the latest firmware is massively important too. That could help mitigate some of the side-channel attacks that were present in early WPA3 releases.

If you’re a regular user of public Wi-Fi networks (or even if you’re not), Orsi also recommends taking steps to use a VPN, or virtual private network. These add an additional layer of encryption and obfuscation to your connection by routing it through a third-party server. That can make it much harder for local attackers to see what you’re doing online, even if they do manage to gain access to your network. It also hides your traffic from remote attackers and possibly any three-letter agencies that might be watching.

When it comes to securing your Wi-Fi at home, we’d recommend a strong network password too. The dictionary attacks and brute force hacks made possible by many of the Dragonblood exploits are useless if your password is complicated, long, and unique. Store it in a password manager if you’re not sure you’ll remember it. Change it infrequently too. You never know whether your friends and family have been as secure with your Wi-Fi password as you have been.

