Serious flaws leave WPA3 vulnerable

SFB

Weaksauce
Joined
Feb 21, 2011
Messages
73
Serious flaws leave WPA3 vulnerable to hacks that steal Wi-Fi passwords
Next-gen standard was supposed to make password cracking a thing of the past. It won't.

Link--> arstechnica.com <--
 
It is naive to believe that any security implementation will remain secure for any amount of time in the wild. Security is a constant arms race that requires neverending maintenance.

This should be taken into consideration in designing it. A software implementation that updates itself OTA is really needed. Make the wifi moduler separate from anything else and u iversal across all devices such that even cheap IOT devices use the WiFi standard to autoupdaye themselves, even if the device itself does that get updates
 
Last edited:
When are we going to have entangled point to point communications with no observed communication? I'm feeling that one is still a ways off.
 
Wireless is a continual crap shoot, I neither use it or recommend it.
If only those setting standards would put security above getting a product out.
You cannot put faith/trust in it.
 
Wireless is a continual crap shoot, I neither use it or recommend it.
If only those setting standards would put security above getting a product out.
You cannot put faith/trust in it.

I prefer to use wired Ethernet for everything, but that is kid of inconvenient on phones, tablets and to a lesser extent, laptops
 
When are we going to have entangled point to point communications with no observed communication? I'm feeling that one is still a ways off.

Exactly. Nothing except a quantum computer can be 100% safe.
 
Number 1: Routers need to update themselves via OTA for things like this.

Number 2: The WiFi Alliance needs to be abolished and WiFi become a completely open standard so that crap like this doesn't happen. There's not enough eyeballs on new WPA standards for my taste. Allow the security community to poke holes into the new stuff while it's being developed. That'll make it far stronger upon release than the garbage the WiFi Alliance constantly drops on us.
 
Not surprised. 15 months is a long time in the cyber security world. The best we could hope for is it is better then the previous versions. The real disappointment is the ability to cause it to revert to WPA2 type authentication and then exploit with many already known methods.

OTA updates are only a good fix IF you can 100% trust the OTA update method to never be comprised. One slip up and you risk having millions of IOT gizmos under control of the bad folks.
 
When are we going to have entangled point to point communications with no observed communication? I'm feeling that one is still a ways off.
https://astroengineer.wordpress.com/2010/04/07/a-curiosity-of-spirit-full-document/
Nothing new. Tesla was working on this a hundred years ago.

Exactly. Nothing except a quantum computer can be 100% safe.
Nope. Any information ever created can be accessed in that scheme of things, nothing is secure and never will be. You can only make it harder to do so.
 
It is naive to believe that any security implementation will remain secure for any amount of time in the wild. Security is a constant arms race that requires neverending maintenance.

This should be taken into consideration in designing it. A software implementation that updates itself OTA is really needed. Make the wifi moduler separate from anything else and u iversal across all devices such that even cheap IOT devices use the WiFi standard to autoupdaye themselves, even if the device itself does that get updates
And that would potentially open up a very big security concern. If you were able to breach that, you’d have access to all devices using that protocol.

There is a reason this is not done.
 
And that would potentially open up a very big security concern. If you were able to breach that, you’d have access to all devices using that protocol.

There is a reason this is not done.

Nothing is 100% secure, but there are ways to design a proper update system to minimize these risks:

1.) Have all update requests originate from the device itself, never have an open port

2.) Use some sort of RSA Private Key / Public Key pair such that it will not connect to any update server which is not authenticated with its private key, and Connect only to a known host operated by the IEEE 802.11 Wireless Working Group

3.) Use similar authentication on the update payload such that no binary blob is installed unless it matches the private key of the IEEE Working group


Computer systems across the world both in Unix, Linux and Windows use update schemes like these. Apart from the recent Asus exploit (and they aren't necessarily known for network security) I cannot remember a single time in all of internet history when a proper OS based package manager or update system was the source of an attack.

Any thing you do has the potential of adding an attack vector, so it winds up being a matter of a risk benefit analysis. Does what we are adding remove more risk than it adds? Every time this assessment has been done, the answer has been a resounding YES. This is why Windows, OS X, and all major flavors of Linux and Unix all have some form of package manager or OS update system that delivers security patches.
 
The laws of physics prevent it, as crazy as that might sound:

https://en.wikipedia.org/wiki/Quantum_cryptography

I guess we'll see.

As recently as 1939, Albert Einstein published a paper calling the concept of the existence of black holes ridiculous, so we know that our understanding of these things change with time, and Quantum Mechanics is notoriously difficult to understand, so I wouldn't be surprised if current assumptions don't hold up over time.
 
Back
Top