Major vulnerabilities found in new WiFi standard

News
By published

Dragonblood vulnerabilities could allow hackers to recover user's Wi-Fi passwords

Image Credit: Flickr (Image credit: Image Credit: Chris Oakley / Flickr)

The WiFi Alliance's recently launched WPA3 Wi-Fi security and authentication standard could potentially allow hackers to infiltrate user's networks by exploiting a new group of vulnerabilities discovered by two security researchers.

The vulnerabilities discovered by the researchers, collectively referred to as Dragonblood, would allow a potential attacker within range of a victim's network to recover their Wi-Fi passwords and infiltrate the target's network.

In total, the researchers discovered five vulnerabilities: a denial of service attack, two downgrade attacks and two side-channel information leaks.

The denial of service attack is a less severe vulnerability as it only leads to crashing any WPA3-compatible access points but the other four could be used to recover user passwords.

Dragonblood vulnerabilities

The researchers have called the vulnerabilities they discovered Dragonblood since both downgrade attacks and both the side-channel leaks take advantage of design flaws in the WPA3 standard's Dragonfly key exchange.

The downgrade attacks work by putting pressure on WIFI WPA3-capable networks to use an older and less secure password exchange system that could allow hackers to retrieve network passwords using older flaws.

Side-channel information leak attacks on the other hand, work by tricking devices on WiFI WPA3-capable networks into using weaker algorithms that leak small amounts of information about the network password. Over time and with repeated attacks though, the full password can be recovered.

Following the release of information on these vulnerabilities, the WiFi Alliance reassured users that they had not been exploited by cybercriminals yet in a press release, saying:

“These issues can all be mitigated through software updates without any impact on devices’ ability to work well together. There is no evidence that these vulnerabilities have been exploited.”

Via ZDNet

Anthony Spadafora
Anthony Spadafora

After working with the TechRadar Pro team for the last several years, Anthony is now the security and networking editor at Tom’s Guide where he covers everything from data breaches and ransomware gangs to the best way to cover your whole home or business with Wi-Fi. When not writing, you can find him tinkering with PCs and game consoles, managing cables and upgrading his smart home. 

Latest in Security
Data Breach
Thousands of healthcare records exposed online, including private patient information
China
Juniper patches security flaws which could have let hackers take over your router
Representational image depecting cybersecurity protection
GitLab has patched a host of worrying security issues
Ai tech, businessman show virtual graphic Global Internet connect Chatgpt Chat with AI, Artificial Intelligence.
AI agents can be hijacked to write and send phishing attacks
China
Volt Typhoon threat group had access to American utility networks for the best part of a year
Abstract image of cyber security in action.
MassJacker malware targets those looking for pirated software
Latest in News
A super close up image of the Google Gemini app in the Play Store
It's official: Google Assistant will be retired for phones this year, with Gemini taking over
Quordle on a smartphone held in a hand
Quordle hints and answers for Sunday, March 16 (game #1147)
NYT Strands homescreen on a mobile phone screen, on a light blue background
NYT Strands hints and answers for Sunday, March 16 (game #378)
NYT Connections homescreen on a phone, on a purple background
NYT Connections hints and answers for Sunday, March 16 (game #644)
Three iPhone 16 handsets on show
Apple could launch an iPhone 17 Ultra this year – but we've heard these rumors before
Super Mario Odyssey
ChatGPT is the ultimate gaming tool - here's 4 ways you can use AI to help with your next playthrough
More about security
Email

Over 90% of Americans demand a "right-to-disconnect" law which would protect them from out-of-hours work communication
A hand holding an iPhone with the iCloud logo on screen.

"I have nothing to hide" - our readers react to Apple getting secret hearing in appeal against UK government
Half man, half AI.

Generative AI has a long way to go as siloed data and abuse of its capacity remain a downside – but it does change the game for security teams
See more latest
Most Popular
Half man, half AI.
Generative AI has a long way to go as siloed data and abuse of its capacity remain a downside – but it does change the game for security teams
diamond gemstone
Diamond set to become mainstream coolant for AI GPU servers as world’s best thermal conductor promises 25% better overclocking, and 'double performance per watt'
Zuckerberg Meta AI
Meta powers ahead with conscious chip uncoupling with Nvidia as it tests its first in-house training AI-PU
Email
Over 90% of Americans demand a "right-to-disconnect" law which would protect them from out-of-hours work communication
A super close up image of the Google Gemini app in the Play Store
It's official: Google Assistant will be retired for phones this year, with Gemini taking over
NYT Strands homescreen on a mobile phone screen, on a light blue background
NYT Strands hints and answers for Sunday, March 16 (game #378)
Quordle on a smartphone held in a hand
Quordle hints and answers for Sunday, March 16 (game #1147)
NYT Connections homescreen on a phone, on a purple background
NYT Connections hints and answers for Sunday, March 16 (game #644)
Gachapon Capsure Station
Somewhere in Japan is a dispenser where you can buy toy rack servers complete with cute Dell PowerEdge 2U servers
An angry Mark Grayson flying towards the camera in Invincible season 3 episode 7
Invincible season 4: everything we know so far about the hit Prime Video show's next chapter