The latest Wi-Fi protocol, WPA3, launched last year to quite a bit of fanfare and excitement. In theory, the protocol is supposed to be significantly more secure than its predecessor, protecting internet users against hacks that can expose their network password and other sensitive data.
Of course, most tech enthusiasts know that when it comes to this industry, “new” doesn’t always mean “better.” As Ars Technica notes, this improved security was intended to come through “Dragonfly,” a “completely overhauled handshake” that is more resistant to password guessing attacks.
Unfortunately, it sounds like Dragonfly isn’t quite enough – security researchers working out of New York University and Tel Aviv University have published a lengthy security analysis that exposes two serious flaws in WPA3’s design.
“These attacks resemble dictionary attacks and allow an adversary to recover [network passwords] by abusing timing or cache-based side-channel leaks.”
“…we show that WPA3’s Simultaneous Authentication of Equals (SAE) handshake, commonly known as Dragonfly, is affected by password partitioning attacks,” the paper reads. “These attacks resemble dictionary attacks and allow an adversary to recover [network passwords] by abusing timing or cache-based side-channel leaks.”
By exploiting those two flaws, hackers within range of their victim’s Wi-Fi network can easily recover the individual’s network password, allowing them to swipe important or private information; including the contents of chat messages, passwords, emails, and more. Still, even with these breaches in mind, researchers seem to agree that WPA3 is still — as a whole — more secure than WPA2.
So, how can you protect yourself? Well, you may not have to. The Wi-Fi Alliance, the organization responsible for WPA certifications, says these vulnerabilities only apply to a “limited number” of devices running early implementations of WPA3 Personal.
However, if your device is affected (there’s no list to check as of writing), your best bet will be to wait for a patch. The Wi-Fi Alliance claims these fixes are already starting to roll out. In the interim, plugging in directly via an Ethernet cable, opting to use a VPN, and turning off Wi-Fi entirely can help to protect your data.