
WPA3, the third generation of Wi-Fi security, has one giant flaw: You


Few people are overly concerned with Wi-Fi security, happy to connect to public wireless networks and do little to even protect their own home networks. As long as it has a password, we think we’re safe.

As usual, keeping yourself secure is never as easy as it seems. Password protection forms part of a system called Wi-Fi Protected Access, or WPA, which is about to get more secure in the form of WPA3. Despite the improvements it brings, WPA will never be a silver bullet.


There are some serious flaws in it that have been present since the very first version of WPA was introduced. Until we face those, our wireless networks will always have a gaping hole in their wall of protection.

Slaying dragons

Password and encryption protection were a major point of WPA2’s creation and proliferation, and they have ensured that most of us remain safe when connecting our myriad contemporary devices to Wi-Fi networks. But WPA2 has serious flaws that WPA3 was designed to fix.

Where WPA2 uses a pre-shared key exchange and weaker encryption, WPA3 upgrades to 128-bit encryption and uses a system called Simultaneous Authentication of Equals (SAE), colloquially known as the Dragonfly handshake. Every password guess requires a live exchange with the network, so an attacker can no longer capture a login’s cryptographic hash, take it offline and run cracking software against it in a dictionary attack, and then use other tools to snoop on network activity.


But Dragonfly and WPA3 itself are also vulnerable to some dangerous flaws of their own, and some of the worst ones have been present in WPA-protected networks since their inception. These exploits have been collected under the banner name of Dragonblood and, unless addressed, they could mean that WPA3 isn’t much more secure than WPA2, because the methods used to circumvent its protections haven’t really changed.

There are six problems highlighted by Mathy Vanhoef in his Dragonblood exposé, but almost all of them are made possible by an age-old Wi-Fi hacking technique called an evil twin.

You look so alike…

“The biggest flaw that’s been around in Wi-Fi for 20 years is that you, me, my sister (who isn’t technical) can all launch an evil twin attack just by using our cellphones,” WatchGuard Technologies’ director of product management, Ryan Orsi, told Digital Trends. “[Let’s say] you have a smartphone and take it out of your pocket, walk in your office and it has a WPA3 password protected Wi-Fi network. You look at the name of that Wi-Fi network […] if you change your phone’s name to [the same name] and you turn on your hotspot, you have just launched an evil twin attack. Your phone is broadcasting the exact same Wi-Fi network.”

Ryan Orsi, director of product management at WatchGuard.

Users who connect to a spoofed, evil twin network already give away a lot of their information simply by using it, but they may also be weakening their security further. This attack can be carried out with a smartphone that only supports WPA2. Even if the potential victim’s device supports WPA3, you’ve effectively downgraded them to WPA2 thanks to WPA3’s backwards compatibility.

This feature is known as WPA3-Transition Mode, and it allows a network to offer WPA3 and WPA2 protection with the same password. That’s great for encouraging the uptake of WPA3 without forcing people to switch immediately, and it accommodates older client devices, but it’s a weak point in the new security standard that leaves everyone vulnerable.

“You’ve now launched the beginning of a Dragonblood attack,” Orsi continued. “You’re bringing in an evil twin access point that’s broadcasting a WPA2 version of the Wi-Fi network and victim devices don’t know the difference. It’s the same name. What’s the legitimate one and which is the evil twin one? It’s hard for a device or human being to tell.”

But WPA3’s Transition Mode isn’t its only weak point for potential downgrade attacks. Dragonblood also covers a security group downgrade attack, which allows an evil twin to reject a client’s initial requests for WPA3’s stronger security protections. The client device then attempts to connect again using a different security group. The fake network can simply wait until a connection attempt is made using inadequate security and accept that one, weakening the victim’s wireless protections considerably.

As Orsi highlighted, evil twin attacks have been a problem with Wi-Fi networks for well over a decade, especially public ones, where users may not know the name of the network they plan to connect to ahead of time. WPA3 does little to protect against this, because the problem isn’t technically with the technology itself, but in the user’s ability to differentiate between legitimate networks and phony ones. There is nothing within device Wi-Fi menus that suggests which networks are safe to connect to and which aren’t.
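Devices give users no signal, but a network owner can at least look for the two conditions described above in a scan: an SSID being broadcast by a radio that isn’t theirs, and a managed network offering weaker security than its policy requires (WPA3-Transition Mode or plain WPA2). The following is an added example, not code from the article or from WatchGuard; the inventory format, the `Network` record and the scan data are assumptions constructed for illustration.

```python
"""Flag evil-twin and WPA3-to-WPA2 downgrade candidates in a Wi-Fi scan.

Added example for this article, not code from the article or WatchGuard. The
inventory (managed SSIDs, intended mode, allowed AP MACs) and the scan records
are constructed; real data would be parsed from a scanner or wireless IDS.
"""
from dataclasses import dataclass

# Rank used to decide whether an AP is weaker than the intended mode.
# "WPA2/WPA3" is WPA3-Transition Mode: WPA3 clients can still be pushed to WPA2.
STRENGTH = {"OPEN": 0, "WPA2": 1, "WPA2/WPA3": 2, "WPA3": 3}

@dataclass(frozen=True)
class Network:
    ssid: str
    bssid: str       # AP MAC address as seen in the beacon
    security: str    # one of the STRENGTH keys
    signal_dbm: int  # received signal strength; a twin is often the loudest AP

def find_suspects(scan, inventory):
    """Return (network, reason) pairs for APs that conflict with the inventory.

    inventory: {ssid: (expected_security, {allowed_bssid, ...})}. Unmanaged
    SSIDs are skipped because there is no baseline to compare them against.
    """
    suspects = []
    for net in scan:
        if net.ssid not in inventory:
            continue
        expected, allowed = inventory[net.ssid]
        if net.bssid.lower() not in allowed:
            # Same name, different radio: the evil twin described in the article.
            suspects.append((net, "unknown BSSID broadcasting a managed SSID"))
        elif STRENGTH[net.security] < STRENGTH[expected]:
            # A legitimate AP left in transition mode or misconfigured to WPA2.
            suspects.append((net, f"offers {net.security}, policy is {expected}"))
    return suspects

# Constructed data: two managed APs, a hotspot copying the SSID, and a cafe AP.
INVENTORY = {"CorpWiFi": ("WPA3", {"aa:bb:cc:00:00:01", "aa:bb:cc:00:00:02"})}
SAMPLE_SCAN = [
    Network("CorpWiFi", "aa:bb:cc:00:00:01", "WPA3", -48),
    Network("CorpWiFi", "aa:bb:cc:00:00:02", "WPA2/WPA3", -61),  # transition mode
    Network("CorpWiFi", "de:ad:be:ef:00:01", "WPA2", -40),       # hotspot twin
    Network("CoffeeShop", "11:22:33:44:55:66", "OPEN", -70),
]

if __name__ == "__main__":
    for net, reason in find_suspects(SAMPLE_SCAN, INVENTORY):
        print(f"{net.ssid} {net.bssid} {net.security} {net.signal_dbm} dBm: {reason}")
```

Run against the constructed scan, it reports the transition-mode AP and the unknown BSSID and ignores the cafe network, which has no policy to compare against.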


According to Dragonblood author Mathy Vanhoef, it can cost as little as $125 of Amazon AWS computing power, running a piece of password-cracking software, to decode eight-character, lower-case passwords, and there are plenty of services that may prove even more competitive than that. If a hacker can then steal credit card or banking information, that investment is quickly recouped.

“If the evil twin is there, and a victim connects to it, the splash page pops up. The splash page on an evil twin is actually coming from the attacker’s laptop,” Orsi told Digital Trends. “That splash page can have malicious JavaScript or a button and ‘click here to agree, please download this software to connect to this hotspot.’”

Stay safe by being safe

“[WPA security] problems aren’t going to be solved until the general consumer can see on their device instead of a little padlock to mean password protected, there’s some other symbol or visual indicator that says this isn’t an evil twin,” Orsi said. “[We should] offer people a visual symbol that has strong technical roots but they don’t have to understand it. It should say, this is the one you can trust. Book your hotel with a credit card on this Wi-Fi because it’s the right one.”


Such a system would require the IEEE (Institute of Electrical and Electronics Engineers) to ratify it as part of a new Wi-Fi standard. The Wi-Fi Alliance, which owns the copyright for “Wi-Fi,” would then need to decide on an emblem and push out the update to manufacturers and software providers to make use of it. Making such a change to Wi-Fi as we know it would require a huge undertaking of many companies and organizations. That’s why Orsi and WatchGuard want to sign people up to show their support to the idea of a new, trusted wireless system that gives a clear visual indicator to help people stay safe on Wi-Fi networks.

Until such a thing happens, there are still some steps you can take to protect yourself. The first piece of advice that Orsi gave us was to update and patch everything – especially if it adds WPA3 security. As much as it’s flawed, it’s still far better than WPA2 – that’s why so many of the Dragonblood attacks are focused on downgrading the security where possible.


That’s something Malwarebytes’ Jean-Philippe Taggart told Digital Trends too. As flawed as WPA3 might be, it’s still an upgrade. Making sure any WPA3 devices you do use are running the latest firmware is also massively important, as it could help mitigate some of the side-channel attacks that were present in early WPA3 releases.

If you’re a regular user of public Wi-Fi networks (or even if you’re not), Orsi also recommends using a VPN, or virtual private network (here’s how to set one up). A VPN adds an additional layer of encryption and obfuscation to your connection by routing it through a third-party server. That can make it much harder for local attackers to see what you’re doing online, even if they do manage to gain access to your network. It also hides your traffic from remote attackers and possibly any three-letter agencies that might be watching.

When it comes to securing your Wi-Fi at home, we’d recommend a strong network password too. The dictionary attacks and brute-force hacks made possible by many of the Dragonblood exploits are useless if your password is complicated, long, and unique. Store it in a password manager if you’re not sure you’ll remember it (these are the best ones). Change it occasionally, too: you never know whether your friends and family have been as careful with your Wi-Fi password as you have been.

Jon Martindale