According to a recent research paper WPA3, a WiFi security protocol launched by the WiFi Alliance in 2018 is in practice not any more secure than WPA2. Authors Mathy Vanhoef and Eyal Ronen wrote quoted by Ars Technica:
“In light of our presented attacks, we believe that WPA3 does not meet the standards of a modern security protocol,
A technology dubbed “Dragonfly,” more formally Simultaneous Authentication of Equals is used by WPS3. Thus we can see some improvements in a previous four-way “handshake” with a Pairwise Master Key as well as “forward secrecy.” Consequently, the idea was that WPA3 would be more resistant to password guessing attacks.
Unfortunately, WPA3 exploits involve a transition mode that lets WPA3-ready devices work in backward compatibility with those that aren’t connected. In another set side-channel leaks which gives info about the passwords being used is also involved.
Researchers, Vanhoef and Ronen said, the association failed to listen to suggestions about moving away from hash-to-group and hash-to-curve password encoding.
The result is a group of “Dragonblood” proof-of-concept exploits. Those exploits will also work against networks equipped with the Extensible Authentication Protocol, or EAP, so long as they have EAP-pwd enabled. It’s said in fact that with EAP-pwd, an attacker could impersonate any user without knowing the person’s password.
The organization has responded that :
The paper “identified vulnerabilities in a limited number of early implementations of WPA3-Personal,” and that WPA3-Personal is not only “in the early stages of deployment,” but that “the small number of device manufacturers that are affected have already started deploying patches to resolve the issues.”
The identifier of any “Dragonblood” exploits being used by real-world hackers has not been done by either Alliance or researchers. WPA3 threats can be lessened by the Mac, iPhone, and iPad owners by updating compatible Wi-Fi routers to the latest available firmware. Unique, ideally randomly-generated router passwords that are at least 13 characters long must be used by them.