Slashdot reader Artem S. Tashkinov writes: Mathy Vanhoef and Eyal Ronen have recently disclosed two new additional bugs impacting WPA3. The security researched duo found the new bugs in the security recommendations the WiFi Alliance created for equipment vendors in order to mitigate the initial Dragonblood attacks [found by the same two security researchers]. “Just like the original Dragonblood vulnerabilities from April, these two new ones allow attackers to leak information from WPA3 cryptographic operations and brute-force a WiFi network’s password,” reports ZDNet.
More from ZDNet:
“[The] Wi-Fi standard is now being updated with proper defenses, which might lead to WPA3.1,” Vanhoef said. “Although this update is not backwards-compatible with current deployments of WPA3, it does prevent most of our attacks,” the researchers said.
But besides just disclosing the two new Dragonblood vulnerabilities, the two researchers also took the chance to criticize the WiFi Alliance again for its closed standards development process that doesn’t allow for the open-source community to contribute and prevent big vulnerabilities from making it into the standard in the first place.
“This demonstrates that implementing Dragonfly and WPA3 without side-channel leaks is surprisingly hard,” the researchers said. “It also, once again, shows that privately creating security recommendations and standards is at best irresponsible and at worst inept.”
While these type of feedback might be ignored when coming from other researchers, it means more when it comes from Vanhoef. The Belgian researchers is the one who discovered the KRACK attack that broke the WPA2 WiFi authentication standard and forced the WiFi Alliance to develop the WPA3 standard, which it launched in June 2018.