WPA2 security flaw enables WiFi password compromise

Routers with the Pairwise Master Key Identifier feature enabled under renewed threat

A new security flaw found in the WPA/WPA2 security protocols could enable an attacker to crack WiFi passwords and compromise routers.

The security flaw was found by accident by security researcher Jens Steube while he was conducting tests on the forthcoming WPA3 security protocol, in particular on the differences between WPA2's Pre-Shared Key exchange process and WPA3's Simultaneous Authentication of Equals, which will replace it. WPA3 will be much harder to attack because of this innovation, he said.

In a technical blog posting, published over the weekend, Steube outlined how the attack works.

Most attack methods against WiFi networks involve waiting until a user connects and capturing information from the 'handshake' procedure between user and network, before conducting a brute-force attack for the password.

Steube's attack method, though, doesn't require an end user. Instead, it targets the Robust Security Network Information Element of a single EAPOL frame.

"At this time, we do not know for which vendors or for how many routers this technique will work, but we think it will work against all 802.11i/p/q/r networks with roaming functions enabled (most modern routers)," wrote Steube.

It is not the first security flaw uncovered in WPA2. Wikipedia, for example, lists a series of security flaws that have been identified since WPA2 was introduced in September 2004. The most high-profile, perhaps, was the Key Reinstallation AttaCK, or KRACK, identified last year.

Neither WPA nor WPA2 provides forward secrecy, either, making pre-shared keys especially vulnerable.

WPA3 was announced in January. It uses 128-bit encryption in personal mode and 192-bit encryption in enterprise mode. It also replaces the Pre-Shared Key exchange process with Simultaneous Authentication of Equals and should, therefore, avoid the insecurity Steube uncovered in WPA2.

The Wi-Fi Alliance also claims that WPA3 will mitigate security issues posed by weak passwords and simplify the process of setting up devices with no display interface.