WPA3 security

The new August 2019 release of the analysis document by Mathy Vanhoef and Eyal Ronen shows that companies should be careful with the creation of SSIDs. Under the hood of WPA3, the Dragonfly handshake assures the security of the standard; it is supposed to make it impossible to crack and find the password of the network.

Because a lot of the clients in the field will only support WPA2, the wireless network should support the new WPA3 standard but also be backwards compatible with the older WPA2. This compatibility mode is called transition mode. In transition mode the network will provide a WPA3 SSID but also a hidden WPA2-PSK network. Some of these attacks try to make the WPA3 client shift to the more insecure WPA2 network and retrieve the password of the network. Other attacks try to make the WPA3 Dragonfly handshake pick a more insecure security group.

All these vulnerabilities are located in WPA3-Personal (SAE) or in WPA3-Enterprise with a weak EAP-pwd implementation. This is why we advise implementing certificate-based authentication for company assets instead of WPA3-Personal. It is also of critical importance to upgrade the Wi-Fi clients as soon as possible to support WPA3 and to keep the time you run in transition mode as short as possible. Just as with other Wi-Fi standards, this will depend on older devices, like handheld terminals in warehouses, that still require WPA2 or even WPA. Until the WPA3 protocol is released, we keep following the changes made to the protocol to provide our customers the best possible solution and deliver a secure network.
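To track how long each SSID stays in transition mode, the RSN element from its beacons can be audited: a network that still advertises a PSK AKM suite next to SAE is one where clients can fall back to WPA2. The following is an added example, not code from the original post; the function names and SSID labels are hypothetical and the sample RSN bodies are constructed.

```python
import struct

IEEE_OUI = b"\x00\x0f\xac"
# AKM suite types under OUI 00-0F-AC (IEEE 802.11)
AKM_NAMES = {1: "802.1X", 2: "PSK", 5: "802.1X-SHA256",
             6: "PSK-SHA256", 8: "SAE", 9: "FT-SAE"}
PSK_AKMS, SAE_AKMS = {"PSK", "PSK-SHA256"}, {"SAE", "FT-SAE"}

def parse_rsn(body: bytes) -> dict:
    """Parse an RSN element body (element ID 48, ID and length bytes removed)."""
    if len(body) < 8 or struct.unpack_from("<H", body, 0)[0] != 1:
        raise ValueError("not a version 1 RSN element")
    off, lists = 6, []          # skip version (2) and group cipher suite (4)
    for _ in range(2):          # pairwise cipher list, then AKM list
        if off + 2 > len(body):
            raise ValueError("truncated suite count")
        count = struct.unpack_from("<H", body, off)[0]
        off += 2
        if off + 4 * count > len(body):
            raise ValueError("truncated suite list")
        lists.append([body[off + 4 * i:off + 4 * i + 4] for i in range(count)])
        off += 4 * count
    caps = struct.unpack_from("<H", body, off)[0] if off + 2 <= len(body) else 0
    akms = {AKM_NAMES.get(s[3], f"type-{s[3]}") for s in lists[1] if s[:3] == IEEE_OUI}
    return {"akms": akms,
            "mfp_required": bool(caps & 0x0040),   # MFPR bit
            "mfp_capable": bool(caps & 0x0080)}    # MFPC bit

def classify(body: bytes) -> str:
    """Label a network by the personal-mode AKMs it advertises."""
    akms = parse_rsn(body)["akms"]
    psk, sae = bool(akms & PSK_AKMS), bool(akms & SAE_AKMS)
    if psk and sae:
        return "transition"      # WPA2-PSK still offered next to SAE
    if sae:
        return "wpa3-only"
    return "wpa2-only" if psk else "other"

# Constructed sample RSN bodies (hex), not captured from a real network.
SAMPLES = {
    "corp-guest": "0100000fac040100000fac040200000fac02000fac088000",
    "corp-iot":   "0100000fac040100000fac040100000fac020000",
    "corp-new":   "0100000fac040100000fac040100000fac08c000",
}

if __name__ == "__main__":
    for ssid, hexbody in SAMPLES.items():
        body = bytes.fromhex(hexbody)
        print(ssid, classify(body), parse_rsn(body))
```

An SSID that reports `transition`, or `wpa3-only` without `mfp_required`, is a candidate for follow-up once its last WPA2-only clients have been replaced.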
