{"id":10804,"date":"2019-05-14T10:27:21","date_gmt":"2019-05-14T14:27:21","guid":{"rendered":"https:\/\/www.thesslstore.com\/blog\/?p=10804"},"modified":"2023-04-10T13:00:05","modified_gmt":"2023-04-10T17:00:05","slug":"what-dragonblood-tells-us-about-wifi-security","status":"publish","type":"post","link":"https:\/\/www.thesslstore.com\/blog\/what-dragonblood-tells-us-about-wifi-security\/","title":{"rendered":"What Dragonblood Tells Us About WiFi Security"},"content":{"rendered":"\n<h2 class=\"wp-block-heading\" id=\"h-wpa3-stumbles-out-the-gate-thanks-to-a-familiar-vulnerability\">WPA3 stumbles out the gate thanks to a familiar vulnerability.<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">When the long-awaited WPA3 rolled out at the\nend of last year, the last thing anyone expected was for vulnerabilities in the\nshiny new WiFi security protocol to be discovered before the paint was even\ndry.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">In a cruel irony, the security flaws &#8211; <a href=\"https:\/\/wpa3.mathyvanhoef.com\/\">dubbed\nDragonblood<\/a> &#8211; were identified by the same duo of researchers behind\nthe discovery of KRACK, the critical vulnerability in WPA2 that was the final\nnail in the coffin for WPA3\u2019s 14-year-old predecessor and prompt for its\nreplacement.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">While the WiFi Alliance have released a change\nin specification for the WPA3 standard, and hardware\/software vendors have\nimplemented the appropriate patches, the discovery of major security flaws in\nsuch quick succession is an unwelcome reminder that we should not blindly trust\nWiFi networks, even when they are supposedly \u201csecure\u201d. After all, who\u2019s to say\nwhen the next weakness will be found or who might find it?<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"h-the-key-difference-between-wpa2-and-wpa3\"><strong>The Key Difference between WPA2 and WPA3<\/strong><\/h2>\n\n\n\n<p class=\"wp-block-paragraph\"><a href=\"https:\/\/us.norton.com\/internetsecurity-emerging-threats-what-to-do-about-krack-vulnerability.html\">WPA2<\/a> &#8211; currently\nthe most widely used security protocol despite it being phased out by WPA3 &#8211;\nhad been around for 14 years.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">It was exposed in 2017\nas having critical flaws that could be exploited through a hacking method known\nas KRACK, which allowed malicious attackers to decrypt network traffic. This\nmeant that any information shared over the network, such as credit card\ndetails, passwords or private messages, could be read by an attacker and used\nfor criminal activity. <\/p>\n\n\n\n<p class=\"wp-block-paragraph\">The <a href=\"https:\/\/us.norton.com\/internetsecurity-emerging-threats-what-to-do-about-krack-vulnerability.html\">WPA3 protocol<\/a>\npromised a distinct improvement due to its replacement of WPA2\u2019s 4-way\nhandshake with a Simultaneous Authentication of Equals (SAE) handshake,\ncommonly known as Dragonfly. <\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"h-a-recap-of-wpa2-vulnerabilities\"><strong>A Recap of WPA2 Vulnerabilities <\/strong><\/h2>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"alignright\"><img loading=\"lazy\" decoding=\"async\" width=\"283\" height=\"261\" src=\"https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2019\/05\/WPA-Dragonblood.png\" alt=\"\" class=\"wp-image-10808\"\/><\/figure>\n<\/div>\n\n\n<p class=\"wp-block-paragraph\">Research led by Matty\nVanhoef and Eyal Ronen exposed <a href=\"https:\/\/www.krackattacks.com\/#changepw\">critical\nsecurity flaws in the WPA2 protocol<\/a>.\nThese flaws allowed attackers to decrypt a user\u2019s connection, making their\ninternet traffic visible as well as any personal information they shared\nonline. Data could also be manipulated or injected into the network with the\naim of inserting ransomware or other malware into a website. <\/p>\n\n\n\n<p class=\"wp-block-paragraph\">To manipulate these WPA2\nflaws, attackers would have had to be within range of the victim and launch a\nseries of key reinstallation attacks (KRACK). To protect against these attacks,\nusers were recommended to keep all devices up-to-date and install patches once\nthey were made available. <\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Following the discovery\nof KRACK, many believed WPA3 would present a significant improvement in WiFi\nsecurity.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"h-dragonblood-vulnerabilities-discovered-in-wpa3\"><strong>Dragonblood Vulnerabilities Discovered in WPA3<\/strong><\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">Shortly after its\nrelease, vulnerabilities were once again discovered in WPA3 by Vanhoef and\nRonen, raising concerns about what other flaws may be uncovered in the future. <\/p>\n\n\n\n<p class=\"wp-block-paragraph\">These flaws were largely\nrelated to the new Dragonfly handshake protocol. Crucially, this is used in\nnetworks that require password-based authentication.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Vanhoef and Ronent\ndiscovered five types of attack that could be successfully executed on WPA3,\ncollectively known as Dragonblood. <\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Four of these attacks were based on the exploitation of\nvulnerabilities in the Dragonfly handshake protocol. These were as follows: <\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Security group downgrade attacks<\/li>\n\n\n\n<li>Timing-based side-channel attacks<\/li>\n\n\n\n<li>Cache-based side-channel attacks <\/li>\n\n\n\n<li>Resource consumption attacks.<\/li>\n<\/ul>\n\n\n\n<p class=\"wp-block-paragraph\">As well as flaws in the\nhandshake protocol, researchers found that downgrade attacks against the\nWPA3-Transition mode could lead to dictionary attacks, enabling the recovery of\na network\u2019s password. <\/p>\n\n\n\n<p class=\"wp-block-paragraph\">These vulnerabilities\nwould have allowed an attacker within range of the victim to recover the\npassword of a network, monitor network traffic and steal sensitive information\nif no further website protection such as HTTPS was used. <\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Soon after the discovery\nof Dragonblood, the WiFi alliance alerted manufacturers and released patches to\nensure that those already using WPA3 were protected against possible attacks. <\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"h-don-t-rely-on-your-network-for-security\"><strong>Don\u2019t Rely On Your Network For Security&nbsp;&nbsp; <\/strong><\/h2>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"alignright\"><img loading=\"lazy\" decoding=\"async\" width=\"268\" height=\"268\" src=\"https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2019\/05\/WPA3-2.png\" alt=\"\" class=\"wp-image-10807\"\/><\/figure>\n<\/div>\n\n\n<p class=\"wp-block-paragraph\">Though the WiFi alliance\nhave now patched WPA3, the discovery of Dragonblood weaknesses so soon after\nits release is concerning. The fact that these flaws were found less than two\nyears after the discovery of KRACK suggests that it\u2019s only a matter of time\nbefore more weaknesses are discovered and highlights how even password\nprotected networks fail to offer complete security. <\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Head of Research at Top10VPN <a href=\"https:\/\/www.top10vpn.com\/news\/privacy\/researchers-uncover-vulnerabilities-in-wpa3-security-standard\/\">Simon Migliano says<\/a> \u2018Considering that the\npaint was barely dry on WPA3 before serious security flaws were discovered,\nit\u2019s not unrealistic to expect that further vulnerabilities may yet be\ndiscovered in time.\u2019 <\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Migliano recommends users\ntake extra security measures such as using a VPN \u2018for all sensitive\ncommunications.\u2019 VPNs work by encrypting a user\u2019s internet connection via a\nremote server, ensuring that anyone spying on the network is unable to read any\ntraffic sent between a device and the server.<\/p>\n\n\n<span style=\"--tl-form-height-m:150.25px;--tl-form-height-t:121.4583px;--tl-form-height-d:121.4583px;\" class=\"tl-placeholder-f-type-shortcode_12753 tl-preload-form\"><span><\/span><\/span>\n\n\n<h2 class=\"wp-block-heading\" id=\"h-conclusion\"><strong>Conclusion<\/strong><\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">Dragonblood\nvulnerabilities in WPA3 have demonstrated that WiFi networks alone should not\nbe relied upon for the security and protection of your data. <\/p>\n\n\n\n<p class=\"wp-block-paragraph\">The discovery of KRACK\nweaknesses in WPA2 led consumers to believe that the development of WPA3\npromised a vast improvement to WiFi security. However, the recent Dragonblood\ndiscovery has so far proved that this is not the case. <\/p>\n\n\n\n<p class=\"wp-block-paragraph\">With that in mind,\nconsumers should ensure they use extra measures, such as a VPN, to limit the\nchances of falling victim to an attack on their network. Simply relying on your\nWiFi protocol for security is likely never to be enough. <\/p>\n","protected":false},"excerpt":{"rendered":"<p>WPA3 stumbles out the gate thanks to a familiar vulnerability. When the long-awaited WPA3 rolled out at the end of last year, the last thing anyone expected was for vulnerabilities&#8230;<\/p>\n","protected":false},"author":20,"featured_media":10806,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"inline_featured_image":false,"footnotes":"","tve_updated_post":"","tve_custom_css":"","tve_user_custom_css":"","tve_globals":{},"tcb2_ready":0,"tcb_editor_enabled":0,"tve_landing_page":"","_tve_header":"","_tve_footer":""},"categories":[16],"tags":[174,4666,10346],"class_list":["post-10804","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-hashing-out-cyber-security","tag-vulnerabilities","tag-wifi","tag-wpa3","post-with-tags"],"views":8487,"jetpack_featured_media_url":"https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2019\/05\/Dragonblood-Feature.png","_links":{"self":[{"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/posts\/10804","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/users\/20"}],"replies":[{"embeddable":true,"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/comments?post=10804"}],"version-history":[{"count":0,"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/posts\/10804\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/media\/10806"}],"wp:attachment":[{"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/media?parent=10804"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/categories?post=10804"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/tags?post=10804"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}