According to Ars Technica, researchers disclosed several serious design flaws in WPA3 and raised troubling new questions about the future of wireless security and the IoT.
To be fair, WPA3 was better than Wired Equivalent Privacy and the WPA protocols. WPA2 (in use since the mid-2000s) had a four-way handshake that contained a hash of the network password, which meant anyone within range of a device connecting to the network could record this handshake.
WPA3’s “Dragonfly” was an overhauled handshake that its architects thought was resistant to these types of password-guessing attacks. Dragonfly augments the four-way handshake with a Pairwise Master Key that has much more entropy than network passwords. It also has a feature known as forward secrecy that protects past sessions against future password compromises.
A research paper titled “Dragonblood: A Security Analysis of WPA3’s SAE Handshake” disclosed several vulnerabilities in WPA3 that expose users to many of the same attacks that threatened WPA2 users.
The researchers warned that some of the flaws are likely to persist for years, particularly in lower-cost devices. They also criticized the WPA3 specification and the process that led to its formalisation by the Wi-Fi Alliance industry group.
Mathy Vanhoef of New York University said in the report that WPA3 does not meet the standards of a modern security protocol. “Moreover, we believe that our attacks could have been avoided if the Wi-Fi Alliance created the WPA3 certification in a more open manner.”
Had the alliance heeded a recommendation made early in the process to move away from so-called hash-to-group and hash-to-curve password encoding, most of the Dragonblood proof-of-concept exploits wouldn't have worked.
“Now that the Dragonfly is finished, the only option is to mitigate the damage using countermeasures that at best will be "non-trivial" to carry out and may be impossible on resource-constrained devices”, the report said.
Writing in their blog, the researchers warned their exploits also work against networks using the Extensible Authentication Protocol. Attackers can exploit the vulnerabilities to recover user passwords when the EAP-pwd option is used.
They also discovered serious bugs that allow an adversary to impersonate any user, and thereby access the Wi-Fi network, without knowing the user’s password. “Although we believe that EAP-pwd is used fairly infrequently, this still poses serious risks for many users, and illustrates the risks of incorrectly implementing Dragonfly.” Enterprise networks that don't use EAP-pwd aren't vulnerable to any of the attacks described in the paper.