The Wi-Fi encryption standard WPA3 was adopted in June 2018 as a supplement to the existing WPA2 standard.
The WPA3 implementation, as used by LANCOM Systems among others, features the WPA2/WPA3 mixed mode. This ensures that not only WPA3-Personal™ enabled Wi-Fi clients are able to operate the latest Wi-Fi, but also that clients that only support the WPA2 standard are also able to access the Wi-Fi using WPA2 encryption.
However, this mixed mode is vulnerable to so-called downgrade & dictionary attacks:
If a wireless client and a (LANCOM) access point use the WPA2/WPA3 mixed mode, a potential attacker could set up a rogue access point that supports WPA2 only. Here, even WPA3-enabled wireless clients are forced to connect using WPA2 with the potential threat from dictionary attacks.
Although the Wi-Fi client would detect the “downgrade to WPA2 attack”, this is already too late if the legitimate (LANCOM) access point sends message 3 of the 4-way handshake. The 4-way handshake messages that were exchanged before the downgrade was detected can be misused to launch a dictionary attack on the network.
This is a vulnerability in the standard itself, and is not manufacturer-specific. The described behavior can ultimately only be resolved by further development of WPA3-Personal™.
What can I do to avoid being attacked?
- The most effective method is to avoid operating the WPA2/WPA3 mixed mode and use WPA3 encryption only. Since there are currently only small numbers of WPA3-compatible Wi-Fi clients (as of: April 2019), this approach may not be appropriate.
- Instead of operating the WPA2/WPA3 mixed mode, you should operate one SSID that solely uses WPA3 encryption and another SSID that solely uses WPA2 encryption.
The vulnerabilities were discovered by security researcher Mathy Vanhoef and described in his paper “Dragonblood: A Security Analysis of WPA3’s SAE Handshake”.