Posted on Friday, April 12 2019 @ 10:31 CEST by Thomas De Maesschalck
The WiFi Alliance announced an update to WPA3 as security researchers discovered that some implementations are vulnerable to an attack that can expose the password. At the moment, there aren't a lot of devices that use WPA3. Details about the attack can be found in this
Dragonblood whitepaper (PDF) from Mathy Vanhoef.
Wi-Fi Alliance® provides trusted security to billions of Wi-Fi® devices and continues to support Wi-Fi users, as we have done for twenty years.
Recently published research identified vulnerabilities in a limited number of early implementations of WPA3™-Personal, where those devices allow collection of side channel information on a device running an attacker’s software, do not properly implement certain cryptographic operations, or use unsuitable cryptographic elements. WPA3-Personal is in the early stages of deployment, and the small number of device manufacturers that are affected have already started deploying patches to resolve the issues. These issues can all be mitigated through software updates without any impact on devices’ ability to work well together. There is no evidence that these vulnerabilities have been exploited.
Security is and will always be a dynamic endeavor, and Wi-Fi Alliance regularly updates Wi-Fi CERTIFIED™ requirements to address wireless security and privacy challenges as the threat landscape changes. WPA3-Personal raised the bar with next generation security for private Wi-Fi networks based on a simple password credential. Wi-Fi Alliance has taken immediate steps to ensure users can count on WPA3-Personal to deliver even stronger security protections. Wi-Fi CERTIFIED WPA3-Personal now includes additional testing based on elements of the latest research, and Wi-Fi Alliance is broadly communicating implementation guidance to ensure vendors understand the relevant security considerations. As always, Wi-Fi users should ensure they have installed the latest recommended updates from device manufacturers.
As with any technology, robust security research that pre-emptively identifies potential vulnerabilities is critical to maintaining strong protections. Wi-Fi Alliance thanks Mathy Vanhoef of New York University Abu Dhabi and Eyal Ronen of Tel Aviv University and KU Leuven for discovering and responsibly reporting these issues, allowing industry to proactively prepare updates ahead of widespread industry deployment of WPA3-Personal.
