The WiFi Alliance’s recently launched WPA3 Wi-Fi security and authentication standard could potentially allow hackers to infiltrate user’s networks by exploiting a new group of vulnerabilities discovered by two security researchers.
The vulnerabilities discovered by the researchers, collectively referred to as Dragonblood, would allow a potential attacker within range of a victim’s network to recover their Wi-Fi passwords and infiltrate the target’s network.
In total, the researchers discovered five vulnerabilities: a denial of service attack, two downgrade attacks and two side-channel information leaks.
The denial of service attack is a less severe vulnerability as it only leads to crashing any WPA3-compatible access points but the other four could be used to recover user passwords.
The researchers have called the vulnerabilities they discovered Dragonblood since both downgrade attacks and both the side-channel leaks take advantage of design flaws in the WPA3 standard’s Dragonfly key exchange.
The downgrade attacks work by putting pressure on WIFI WPA3-capable networks to use an older and less secure password exchange system that could allow hackers to retrieve network passwords using older flaws.
Side-channel information leak attacks on the other hand, work by tricking devices on WiFI WPA3-capable networks into using weaker algorithms that leak small amounts of information about the network password. Over time and with repeated attacks though, the full password can be recovered.
Following the release of information on these vulnerabilities, the WiFi Alliance reassured users that they had not been exploited by cybercriminals yet in a press release, saying:
“These issues can all be mitigated through software updates without any impact on devices’ ability to work well together. There is no evidence that these vulnerabilities have been exploited.”