A group of vulnerabilities dubbed as ‘Dragonblood’ has been disclosed by a couple of security researchers in the recently announced WPA3 Wi-Fi security standard. According to ZDNet, the discovery has been made by the same researcher who had discovered the KRACK attack on WPA2.
The researchers, Mathy Vanhoef and Eyal Ronen, have identified a total of five vulnerabilities as part of the Dragonblood ensemble i.e. a denial of service attack, two downgrade attacks, and two side-channel information leaks. Exploiting the vulnerabilities would allow an attacker to steal the Wi-Fi password and infiltrate the target’s network.
Furthermore, the Dragonblood vulnerabilities also impact the EAP-pwd (Extensible Authentication Protocol) that is supported in the previous WPA and WPA2 WiFi authentication standards.
“We […] discovered serious bugs in most products that implement EAP-pwd,” the research duo said. “These allow an adversary to impersonate any user, and thereby access the Wi-Fi network, without knowing the user’s password.”
The WiFi Alliance has already announced a security update for the WPA3 standard following today’s public disclosure of the Dragonblood flaws in a press release.
“These issues can all be mitigated through software updates without any impact on devices’ ability to work well together,”
Vendors of WiFi products will now have to roll out firmware updates to integrate these changes into their products.