New Vulnerabilities Found In WPA3 WiFi Standard (zdnet.com)
Slashdot reader Artem S. Tashkinov writes: Mathy Vanhoef and Eyal Ronen have recently disclosed two new additional bugs impacting WPA3. The security researcher duo found the new bugs in the security recommendations the WiFi Alliance created for equipment vendors in order to mitigate the initial Dragonblood attacks [found by the same two security researchers]. "Just like the original Dragonblood vulnerabilities from April, these two new ones allow attackers to leak information from WPA3 cryptographic operations and brute-force a WiFi network's password," reports ZDNet.
More from ZDNet: "[The] Wi-Fi standard is now being updated with proper defenses, which might lead to WPA3.1," Vanhoef said. "Although this update is not backwards-compatible with current deployments of WPA3, it does prevent most of our attacks," the researchers said.
But besides just disclosing the two new Dragonblood vulnerabilities, the two researchers also took the chance to criticize the WiFi Alliance again for its closed standards development process that doesn't allow for the open-source community to contribute and prevent big vulnerabilities from making it into the standard in the first place.
"This demonstrates that implementing Dragonfly and WPA3 without side-channel leaks is surprisingly hard," the researchers said. "It also, once again, shows that privately creating security recommendations and standards is at best irresponsible and at worst inept."
While this type of feedback might be ignored when coming from other researchers, it means more when it comes from Vanhoef. The Belgian researcher is the one who discovered the KRACK attack that broke the WPA2 WiFi authentication standard and forced the WiFi Alliance to develop the WPA3 standard, which it launched in June 2018.
People keep calling me crazy for demanding sources (Score:1)
I don't want the source code for the driver. I want the source code for EVERYTHING. I want the source code for the wifi firmware, I want the source code for the driver, I want the source code for my router, my management engine firmware, my printer, my hard drive, my everything.
Without sources I can't be reasonably confident that we have a chance at fixing the problems that exist or securing the systems I've been fraudulently sold. When you sell an item you are giving up control of that item. However that i
Re: (Score:1)
Make no mistake the N$A has their hooks in all that firmware.
Re: People keep calling me crazy for demanding sou (Score:3, Funny)
It's not just enough to have the source code to drivers. The drivers need to be written in an ultra safe programming language, too. Only one programming language meets that criteria today: Rust.
I think we'll only see truly secure systems when we finally have full stack Rust software, meaning that the only code that's running on a given computer is written in Rust.
Re: (Score:1)
It's not just enough to have the source code to drivers. The drivers need to be written in an ultra safe programming language, too. Only one programming language meets that criteria today: Rust.
I think we'll only see truly secure systems when we finally have full stack Rust software, meaning that the only code that's running on a given computer is written in Rust.
And at that point someone will still find a security vulnerability.
For example, a quick check of the vulnerabilities in the report shows that none of them would have been mitigated by using Rust.
Unless you go back to basically 486 days or leave x86, your dream will most likely never come true, but it's a nice idea.
Re: People keep calling me crazy for demanding so (Score:2, Funny)
Re: (Score:2)
I don't think the AC you're replying to believes Rust is a panacea for security issues. The meme has taken on a life of its own and now gets posted as a joke.
Re: (Score:2)
I don't think it was meant to be funny (even though it is), for some time now I've been seeing some very low level PR campaign on /. about RUST in the form of "Title: A Rocket Failed - comment: if it had been programmed in RUST it wouldn't have failed" - not sure if it's a good sign or bad for this language though.
Not to be offtopic, going back to the article: ... "It also, once again, shows that privately creating security recommendations and standards is at best irresponsible and at worst inept." - th
Re: (Score:2, Funny)
Re: People keep calling me crazy for demanding sou (Score:2)
Sooo... (Score:2)
We should hold off on buying that new AP we've been coveting.
Re: (Score:1)
I recommend leaving your wifi open, without a password, and using HTTPS to keep your traffic hidden.
Re: (Score:2, Insightful)
Re: (Score:2)
It doesn't really matter, if you haven't been using WPA2 enterprise, you probably aren't super concerned about security on your wifi access point anyway.
I've never seen a WPA2 enterprise deployment I would consider to be secure.
Backend transport of encryption keys is a total mess.
Very few clients are properly configured to sufficiently constrain certificate issuers and identity. Most of the popular supplicants have extraordinarily dangerous default behavior.
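An added example, not part of the comment above or of any project's code: a small Python audit for the supplicant weakness that comment describes, flagging 802.1X network blocks that set no trusted CA or no server-name constraint. It assumes the client uses wpa_supplicant (the comment names no supplicant); the sample configuration, SSIDs, identities and paths are constructed.

```python
import re

# Constructed sample wpa_supplicant.conf; SSIDs, identities and paths are made up.
SAMPLE_CONF = '''
network={
    ssid="corp-weak"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="alice"
}
network={
    ssid="corp-pinned"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="alice"
    ca_cert="/etc/ssl/certs/example-corp-ca.pem"
    domain_suffix_match="radius.example.com"
}
network={
    ssid="home-psk"
    key_mgmt=WPA-PSK
    psk="example-only"
}
'''

ISSUER_FIELDS = {"ca_cert", "ca_path"}            # which CA may sign the server cert
IDENTITY_FIELDS = {"domain_suffix_match", "domain_match",
                   "altsubject_match", "subject_match"}  # which server name is accepted

def audit(conf_text):
    """Return {ssid: [findings]} for every 802.1X/EAP network block."""
    results = {}
    for body in re.findall(r"^\s*network=\{(.*?)^\s*\}", conf_text, re.S | re.M):
        fields = dict(re.findall(r"^\s*(\w+)=(.*?)\s*$", body, re.M))
        key_mgmt = fields.get("key_mgmt", "").split()
        if not any(k.startswith("WPA-EAP") or k == "IEEE8021X" for k in key_mgmt):
            continue  # PSK/open blocks involve no server certificate
        findings = []
        if ISSUER_FIELDS.isdisjoint(fields):
            findings.append("no ca_cert/ca_path: server certificate is not verified")
        if IDENTITY_FIELDS.isdisjoint(fields):
            findings.append("no server name match: any cert from a trusted CA passes")
        results[fields.get("ssid", "?").strip('"')] = findings
    return results

if __name__ == "__main__":
    for ssid, findings in audit(SAMPLE_CONF).items():
        print(ssid, "->", findings or "OK")
```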
Re: Sooo... (Score:2)
Re: (Score:2)
Re: Sooo... (Score:2)
Re: (Score:2)
My advice was to normal people, not heartless people like you who want to hoard bandwidth.
Re: Sooo... (Score:2)
Re: (Score:2)
Furthermore you ignored the main point, which is that if you aren't using WPA2 enterprise or something similar, you don't care about security enough to research how to secure a wireless LAN anyway. That probably matches you, which is why you are so irrationally upset.
Re: (Score:2)
That isn't even remotely believable.
You are an idiot. WPA2 Personal is more than sufficient to keep people out in 99.9% of all cases. You need to learn to shut the fuck up when it comes to how security works. You are the same idiot that says "unless you are wilin
Re: (Score:2)
You are an idiot. WPA2 Personal is more than sufficient to keep people out in 99.9% of all cases
So is WEP. I don't think you have a point.
Re: (Score:2)
Re: (Score:1)
We should hold off on buying that new AP we've been coveting.
Well, why buy it when you can p0wn it?
Re: Sooo... (Score:2)
That's it, I'm going back to WEP (Score:4, Funny)
Re:That's it, I'm going back to WEP (Score:5, Funny)
If they are going to crack everything that comes out, might as well go back to the simplest.
Also be sure to set your WEP password to match your network's SSID.
Re: (Score:2, Funny)
Re: (Score:2)
Why would anyone use 7 asterisks as a password?
Re: (Score:2)
Nah, frak security. Go open all the way! :P
I wonder (Score:2)
My (aging but still chugging along) Apple Airport Extreme was not affected by the original Dragonfly attacks. I suspect these new variants won't impact my equipment either.
It's really too bad Apple stopped making wifi equipment. I found it to be pretty robust compared to the D-Link and Linksys hardware I'd previously owned.
Re: (Score:2)
Re: (Score:3)
Apple released patches for its hardware against KRACK back in 2017 - first on the client side, then later on their routers. Despite discontinuing the hardware, they've pushed a few firmware updates for their base stations during the past few years.
Re: (Score:2)
Re: (Score:2)
It's really too bad Apple stopped making wifi equipment. I found it to be pretty robust compared to the D-Link and Linksys hardware I'd previously owned.
There are a lot better choices in the middle of the road between the two - especially Asus and Netgear on the consumer side.
The Airport devices were very prone to overheating and then losing their configuration.
Oh great. (Score:2)
I'll have to buy the White Album again.
https://www.youtube.com/watch?... [youtube.com]
Implementation vs specification bugs (Score:5, Insightful)
Cache/timing side channels are IMPLEMENTATION bugs.
Asserting this crap represents a vulnerability in WPA3 standards is like saying RFC791 is vulnerable to crashing systems because Microsoft fucked up their implementation (ping of death).
Downgrade attacks were obvious to all out of the gate. The only way to win is not to allow it in the first place.
WPA is at the wrong layer (Score:3)
Meh. WPA is at the wrong layer for security. It's a nice-to-have. Your device needs to be secured along with end-to-end encryption. Period. Full stop. Network security is so 80s.