
WPA3, the third generation of Wi-Fi security, has one giant flaw: You

ASRock X10 IoT Router

Few people are overly concerned with Wi-Fi security, happy to connect to public wireless networks and do little to even protect their own home networks. As long as it has a password, we think we’re safe.

As usual, keeping yourself secure is never as easy as it seems. Password protection forms part of a system called Wi-Fi Protected Access, or WPA, which is about to get more secure in the form of WPA3. Despite the improvements it brings, WPA will never be a silver bullet.


There are some serious flaws in it that have been present since the very first WPA was initiated. Until we face those, our wireless networks will always have a gaping hole in their wall of protection.

Slaying dragons

Password and encryption protection were a major point of WPA2’s creation and proliferation and have ensured that most of us remain safe when connecting our myriad of contemporary devices to Wi-Fi networks. But WPA2 has serious flaws that WPA3 was designed to fix.

Where WPA2 uses a pre-shared key exchange and weaker encryption, WPA3 upgrades to 128-bit encryption and uses a system called Simultaneous Authentication of Equals (SAE), colloquially known as the Dragonfly handshake. SAE forces every password guess to go through a live exchange with the network, so an attacker can no longer capture a handshake, take its cryptographic hash away and run password-cracking software against it offline, and then use other tools to snoop on network activity.

Trusted Wireless Environment Framework

But Dragonfly and WPA3 itself are also vulnerable to dangerous flaws of their own, and some of the worst have been present in WPA-protected networks since their inception. These exploits have been collected under the banner name Dragonblood, and unless addressed they could mean that WPA3 isn’t much more secure than WPA2, because the methods used to circumvent its protections haven’t really changed.

There are six problems highlighted by Mathy Vanhoef in his Dragonblood exposé, but almost all of them are made possible by an age-old Wi-Fi hacking technique called an evil twin.

You look so alike…

“The biggest flaw that’s been around in Wi-Fi for 20 years is that you, me, my sister (who isn’t technical) can all launch an evil twin attack just by using our cellphones,” WatchGuard Technologies’ director of product management, Ryan Orsi, told Digital Trends. “[Let’s say] you have a smartphone and take it out of your pocket, walk in your office and it has a WPA3 password protected Wi-Fi network. You look at the name of that Wi-Fi network […] if you change your phone’s name to [the same name] and you turn on your hotspot, you have just launched an evil twin attack. Your phone is broadcasting the exact same Wi-Fi network.”

Ryan Orsi, director of product management at WatchGuard.

Although users connecting to your spoofed, evil twin network are giving away a lot of their information by using it, they are potentially weakening their security even more. This attack could be carried out with a smartphone that only supports WPA2. Even if the potential victim can support WPA3 on their device, you’ve effectively downgraded them to WPA2 thanks to WPA3’s backwards compatibility.

It’s known as WPA3-Transition Mode, and allows a network to operate WPA3 and WPA2 protections with the same password. That’s great for encouraging the uptake to WPA3 without forcing people to do so immediately, and accommodates older client devices, but it’s a weak point in the new security standard which leaves everyone vulnerable.

“You’ve now launched the beginning of a Dragonblood attack,” Orsi continued. “You’re bringing in an evil twin access point that’s broadcasting a WPA2 version of the Wi-Fi network and victim devices don’t know the difference. It’s the same name. What’s the legitimate one and which is the evil twin one? It’s hard for a device or human being to tell.”

But WPA3’s Transition Mode isn’t its only weak point for potential downgrade attacks. Dragonblood also covers a security group downgrade attack which allows those using an evil twin attack to decline initial requests for WPA3 security protections. The client device will then attempt to connect again using a different security group. The fake network can simply wait until a connection attempt is made using inadequate security and accept it, weakening the victim’s wireless protections considerably.
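The two configuration weaknesses described above (transition mode and group negotiation) are visible in access-point and client configuration. The following fragments are an added example, not from the article or from WatchGuard: they assume Linux hostapd on the AP side and wpa_supplicant on the client side, with a constructed SSID and placeholder passphrases. Fragment (a) is the backward-compatible transition setting the article describes; fragment (b) removes the WPA2 fallback entirely; fragment (c) is a client profile that refuses to negotiate anything below SAE, so a same-name WPA2 network is not joinable by that client.

```conf
# --- (a) hostapd-transition.conf: WPA3-Transition Mode (weaker) ---
# Both WPA-PSK (WPA2) and SAE (WPA3) are advertised under one SSID with
# the same passphrase. A WPA2-only client, or anything posing as one,
# still gets the old four-way handshake.
interface=wlan0
ssid=ExampleNet
hw_mode=g
channel=6
wpa=2
wpa_key_mgmt=WPA-PSK SAE
wpa_pairwise=CCMP
# placeholder passphrase: replace with a long random one
wpa_passphrase=CHANGE-ME-long-random-passphrase
sae_password=CHANGE-ME-long-random-passphrase
# Management Frame Protection optional so legacy WPA2 clients can join
ieee80211w=1
# but any SAE association must use MFP
sae_require_mfp=1

# --- (b) hostapd-wpa3only.conf: SAE only (hardened) ---
# No PSK AKM is offered, so this AP cannot complete a WPA2 handshake at all.
interface=wlan0
ssid=ExampleNet
hw_mode=g
channel=6
wpa=2
wpa_key_mgmt=SAE
wpa_pairwise=CCMP
sae_password=CHANGE-ME-long-random-passphrase
# MFP mandatory for every association
ieee80211w=2
# offer exactly one Dragonfly group (NIST P-256), so there is nothing
# to "decline" and fall back to during group negotiation
sae_groups=19

# --- (c) wpa_supplicant.conf: client pinned to WPA3 for this SSID ---
# key_mgmt lists SAE alone; the client will not associate to a network
# of the same name that only advertises WPA-PSK.
sae_groups=19
network={
    ssid="ExampleNet"
    key_mgmt=SAE
    sae_password="CHANGE-ME-long-random-passphrase"
    ieee80211w=2
}
```

The trade-off is the one the article names: (b) and (c) only work once every client on the network supports WPA3, which is why transition mode exists and why patching clients to gain WPA3 support is the first step toward retiring it.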

As Orsi highlighted, evil twin attacks have been a problem with Wi-Fi networks for well over a decade, especially public ones where users may not be aware of the name of the network they’re planning to connect to ahead of time. WPA3 does little to protect against this, because the problem isn’t technically with the technology itself, but in the user’s ability to differentiate between legitimate networks and phony ones. There is nothing within device Wi-Fi menus that suggests which networks are safe to connect to and which aren’t.
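A device menu shows only a name and a padlock, but a defender who knows which BSSIDs and security modes their own SSID is supposed to advertise can spot both a same-name impostor and a downgraded known AP from an ordinary scan. The script below is an added example, not code from the article or from any vendor mentioned in it: it assumes a simple inventory of owned SSIDs (BSSIDs plus expected mode) and runs over a constructed scan result in which one entry is a WPA2-only access point using the corporate SSID from an unknown BSSID and one known AP has been left in transition mode. A client-side policy function shows the same idea from the device end: pin the expected mode and refuse anything weaker.

```python
"""Audit a Wi-Fi scan for evil-twin and downgrade exposure (added example)."""
from dataclasses import dataclass

# Ordering used for downgrade comparisons; higher is stronger.
SECURITY_RANK = {"OPEN": 0, "WPA2": 1, "WPA3-Transition": 2, "WPA3": 3}


@dataclass(frozen=True)
class BssEntry:
    ssid: str
    bssid: str
    akm: frozenset        # AKM suites advertised in the RSN element, e.g. {"PSK", "SAE"}
    mfp_required: bool    # 802.11w Management Frame Protection mandatory?


def classify(entry: BssEntry) -> str:
    """Map advertised AKM suites to the mode a user would call it."""
    has_sae = "SAE" in entry.akm
    has_psk = "PSK" in entry.akm
    if has_sae and has_psk:
        return "WPA3-Transition"
    if has_sae:
        return "WPA3"
    if has_psk:
        return "WPA2"
    return "OPEN"


def audit_scan(scan, inventory):
    """Return (bssid, issue) pairs for every entry that uses one of our SSIDs
    but does not match what the inventory says that SSID should look like."""
    findings = []
    for entry in scan:
        expected = inventory.get(entry.ssid)
        if expected is None:
            continue  # not a network we own; nothing to compare against
        mode = classify(entry)
        if entry.bssid.lower() not in expected["bssids"]:
            findings.append((entry.bssid,
                             f"unknown BSSID advertising our SSID as {mode}: possible evil twin"))
        elif SECURITY_RANK[mode] < SECURITY_RANK[expected["mode"]]:
            findings.append((entry.bssid,
                             f"known AP offers {mode}, inventory expects {expected['mode']}: downgrade exposure"))
        elif expected["mode"] == "WPA3" and not entry.mfp_required:
            findings.append((entry.bssid, "WPA3 AP without mandatory MFP"))
    return findings


def client_should_connect(entry: BssEntry, pinned_mode: str) -> bool:
    """Client-side policy: join only if the network is at least as strong as the
    mode we last trusted for this SSID. A same-name WPA2 hotspot fails this."""
    return SECURITY_RANK[classify(entry)] >= SECURITY_RANK[pinned_mode]


# Constructed sample data (not real networks).
INVENTORY = {
    "CorpWiFi": {"bssids": {"aa:bb:cc:dd:ee:01", "aa:bb:cc:dd:ee:02"}, "mode": "WPA3"},
}
SAMPLE_SCAN = [
    BssEntry("CorpWiFi", "aa:bb:cc:dd:ee:01", frozenset({"SAE"}), True),          # legitimate
    BssEntry("CorpWiFi", "de:ad:be:ef:00:01", frozenset({"PSK"}), False),         # impostor, WPA2 only
    BssEntry("CorpWiFi", "aa:bb:cc:dd:ee:02", frozenset({"PSK", "SAE"}), False),  # ours, but transition mode
    BssEntry("CoffeeShop", "11:22:33:44:55:66", frozenset(), False),               # someone else's open net
]

if __name__ == "__main__":
    for bssid, issue in audit_scan(SAMPLE_SCAN, INVENTORY):
        print(f"{bssid}: {issue}")
    for entry in SAMPLE_SCAN[:2]:
        print(entry.bssid, "join" if client_should_connect(entry, "WPA3") else "refuse")
```

In practice the scan entries would come from `iw dev wlan0 scan` or a wireless IDS sensor rather than a hard-coded list; the point is that BSSID and AKM data are already in every beacon, so the "which one can I trust" question the article raises is answerable by tooling even though consumer menus don't surface it.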


According to Dragonblood author Mathy Vanhoef, it can cost as little as $125 of Amazon AWS computing power, running a piece of password-cracking software, to decode eight-character, lower-case passwords, and there are plenty of services that may prove even more competitive than that. If a hacker can then steal credit card or banking information, that investment is quickly recouped.

“If the evil twin is there, and a victim connects to it, the splash page pops up. The splash page on an evil twin is actually coming from the attacker’s laptop,” Orsi told Digital Trends. “That splash page can have malicious Javascript or a button and ‘click-here to agree, please download this software to connect to this hotspot.’”

Stay safe by being safe

“[WPA security] problems aren’t going to be solved until the general consumer can see on their device instead of a little padlock to mean password protected, there’s some other symbol or visual indicator that says this isn’t an evil twin,” Orsi said. “[We should] offer people a visual symbol that has strong technical roots but they don’t have to understand it. It should say, this is the one you can trust. Book your hotel with a credit card on this Wi-Fi because it’s the right one.”

Wi-Fi Threat Category: "Evil Twin" Access Point

Such a system would require the IEEE (Institute of Electrical and Electronics Engineers) to ratify it as part of a new Wi-Fi standard. The Wi-Fi Alliance, which owns the copyright for “Wi-Fi,” would then need to decide on an emblem and push out the update to manufacturers and software providers to make use of it. Making such a change to Wi-Fi as we know it would require a huge undertaking of many companies and organizations. That’s why Orsi and WatchGuard want to sign people up to show their support to the idea of a new, trusted wireless system that gives a clear visual indicator to help people stay safe on Wi-Fi networks.

Until such a thing happens, there are still some steps you can take to protect yourself. The first piece of advice that Orsi gave us was to update and patch everything – especially if it adds WPA3 security. As much as it’s flawed, it’s still far better than WPA2 – that’s why so many of the Dragonblood attacks are focused on downgrading the security where possible.


That’s something Malwarebytes’ Jean-Philippe Taggart told Digital Trends too. As flawed as WPA3 might be, it’s still an upgrade. Making sure any WPA3 devices you do use are running the latest firmware is also massively important. That could help mitigate some of the side-channel attacks that were present in early WPA3 releases.

If you’re a regular user of public Wi-Fi networks (or even if you’re not) Orsi also recommends taking steps to use a VPN, or virtual private network (here’s how to set one up). These add an additional layer of encryption and obfuscation to your connection by routing it through a third-party server. That can make it much harder for local attackers to see what you’re doing online, even if they do manage to gain access to your network. It also hides your traffic from remote attackers and possibly any three letter agencies that might be watching.

When it comes to securing your Wi-Fi at home, we’d recommend a strong network password too. The dictionary attacks and brute force hacks made possible by many of the Dragonblood exploits are useless if your password is complicated, long, and unique. Store it in a password manager if you’re not sure you’ll remember it (these are the best ones). Change it infrequently too. You never know whether your friends and family have been as secure with your Wi-Fi password as you have been.

Jon Martindale