It is hard to come to any other conclusion. Dragonblood vulnerabilities disclosed in WiFi WPA3 standard. This story is actually about a week old – or more – but I only just pried free some time to delve into it.
EVERY security protocol developed by the WiFi Alliance has sucked. The new one, WPA3, (Wi-Fi Protected Access version 3) is broken, and you can barely buy any products that support it.
The WiFi Alliance continues to insist on developing everything in secret, and they continue to get things wrong. They could have gotten this one right if they only opened up to some cryptographers before they finalized the protocols, instead of doing everything in darkness. You might almost conclude they are a subsidiary of the NSA, or one of the other three-letter-acronym agencies.
Two security researchers disclosed details today about a group of vulnerabilities collectively referred to as Dragonblood that impact the WiFi Alliance’s recently launched WPA3 Wi-Fi security and authentication standard.
The original whitepaper (see the link below) is 16 pages or so. But the people behind it are top notch.
The people who did the original study had this to say, about what is arguably the most important security protocol of the decade. Dragonblood: A Security Analysis of WPA3’s SAE Handshake.
In light of our presented attacks, we believe that WPA3 does not meet the standards of a modern security protocol. Moreover, we believe that our attacks could have been avoided if the Wi-Fi Alliance created the WPA3 certification in a more open manner.
What’s more, they don’t believe that a simple fix is possible. There are fundamental design flaws, which are (almost) impossible to fix after the fact, and in this case probably are impossible to fix after the fact.
If anyone falls victim to these problems, I hope they sue the Alliance, because actually costing them money is probably the only way to convince them that in 2019 and beyond, they should give security some consideration.