Are all the known WPA3 security flaws fixed now?

[torstein]

With Merlins asuswrt release 382.6-firmware it says Fragattack security issue fixed.

1) Was this the last known security issue from Mathy Vanhoefs Dragonblood-issues?
2) Is WPA3-only mode (not wpa3/wpa2 compatibility) finally recommended now, security wise?

I apologize in advance if this was posted in wrong forum. I made a search and couldn't find similar threads, and also i'm far from an expert on wireless security, so sorry if these are stupid questions with obvious answers.

UPDATED 1/7/21: I contacted VanHoef on twitter, and he recommends wpa3 over wpa2. See screenshots below. Thanks for the discussion, guys. Link to twitter-conversation with vanHoef

 

[RMerlin]

WPA3 has design flaws that will never be resolved.

 

[akb]

WPA3 has design flaws that will never be resolved.

Is it better to run wpa2 only mode or wpa2/wpa3 compatibility mode as almost everyone has mixed devices still.

 

[nickie]

WPA3 has design flaws that will never be resolved.

But isn't it more secure than wpa2?

 

[RMerlin]

Yes, WPA3 is still better than WPA2. However it's not 100% secure, it also has its own security flaws.

 

[torstein]

Yes, WPA3 is still better than WPA2. However it's not 100% secure, it also has its own security flaws.

Thanks for your reply.

1) I read WiFi Alliance's response to Dragonfly from 2019, where they downlplayed it saying that wpa3 will be patched in software, but has it been patched yet? There are so little news around this. Just a ton from 2019 when the flaws was discovered and then almost silence for two years.
2) What other flaws are there, and why will they never be fixed? What exactly are the flaws?
3) Are they maybe working on WPA4 already, if WPA3 is inherently broken?
4) Do you guys run WPA3 or do you run WPA2?

 

[mcmxmk19]

WPA3 is more secure than WPA2. I would not worry about something that requires “master” level skills and for someone with those skills to be within range of your WiFi to exploit. The odds of these two things coming together and on top of that picking your WiFi randomly to exploit is so unlikely that I would not lose any sleep over it.

from the article -
“Fortunately, as a result of our research, both the Wi-Fi standard and EAP-pwd are being updated with a more secure protocol. Although this update is not backwards-compatible with current deployments of WPA3, it does prevent most of our attacks.”

WPA3 received an update around December 2020. Now, the deployment for that update is dependent on the vendor (in our case ASUS). From my understanding if you bought a WPA3 certified router, then it will be capable of doing a software update. Otherwise you would have to buy a new router to take advantage of the update. That being said it’s almost July and there hasn’t been any news or any updates. Unless ASUS released the updates under the radar (doubtful).

 

[torstein]

@mcmxmk19 thanks for your response. I have the AX58U-router, it's not WiFi6-certified, but it is one of the WiFi-6 draft routers... I don't really understand what that means for my situation with wpa3.

1) was the AX58U a work-in-progress-router when I bought it, and will be "certified" once Asus releases all the WiFi6-updates to enable features in it? Or is the AX58U always gonna be a "beta"-product, and never become "Certified"?

2) If it is forever just gonna be an unfinished WiFi6 / WPA3- "draft" router, will Asus release the Dragonblood-fixes for it, or is it only for the 100% finished and certified Asus-routers such as the AX68U. (Typing it out, it seems unlikely they would just abandon all their routers which aren't certified, but you never know, especially since this is taking so long)

3) @RMerlin was the frag-attack one of the Dragonblood-flaws, or did Asus fix the dragonblood but did so under the radar? And also, if you could elaborate on "has design-flaws that will never be resolved" it would be an interesting read

 

[RMerlin]

was the frag-attack one of the Dragonblood-flaws, or did Asus fix the dragonblood but did so under the radar?

I don't have any further detail to share, sorry.

 

[mcmxmk19]

1) was the AX58U a work-in-progress-router when I bought it, and will be "certified" once Asus releases all the WiFi6-updates to enable features in it? Or is the AX58U always gonna be a "beta"-product, and never become "Certified"?

@torstein you should reach out to ASUS customer support and find out about your particular model.

The issue here is the WiFi Alliance is closed source. I’m going to safely assume RMerlin is left in the dark just like the general public.

2) If it is forever just gonna be an unfinished WiFi6 / WPA3- "draft" router, will Asus release the Dragonblood-fixes for it, or is it only for the 100% finished and certified Asus-routers such as the AX68U. (Typing it out, it seems unlikely they would just abandon all their routers which aren't certified, but you never know, especially since this is taking so long)

From my understanding, that seems to be the case yes. They would “abandon” those routers. Meaning the updates are not backwards compatible. So, any routers that are not WPA3 certified would not be be able to receive the software updates and would need to become certified. ASUS, and all other manufacturers would most not re-certify any models out in the wild as it’s apparently a hardware related issue (don’t quote me on that.)

 

[mcmxmk19]

I’ve found the link where to check to see what products are certified. Specifically checking for WPA3, the models include: RT-AX88U, ROG RAPTURE GT-AXE11000, and AX6600 Tri Band WiFi Router XT8.

https://www.wi-fi.org/product-finder-results?sort_by=company&sort_order=asc&categories=4&capabilities=628&companies=197

 

[torstein]

I’ve found the link where to check to see what products are certified. Specifically checking for WPA3, the models include: RT-AX88U, ROG RAPTURE GT-AXE11000, and AX6600 Tri Band WiFi Router XT8.

https://www.wi-fi.org/product-finder-results?sort_by=company&sort_order=asc&categories=4&capabilities=628&companies=197

Hmmm that’s odd. Isn’t the AX86U newer than AX88U? Then why would an older router be wpa3 certified but a newer one not?

 

[mcmxmk19]

Hmmm that’s odd. Isn’t the AX86U newer than AX88U? Then why would an older router be wpa3 certified but a newer one not?

I looked up the the AX86U and honestly my initial assumption is again hardware. That’s the only thing I could think of as to why the AX86U is not certified. I have the AX88U, I bought it around 3/2020; out of the box WPA3 was not available, only after a software update was it available for me. I believe the AX88U launched 12/2019.

Based on price point I paid the same amount the AX86U costs now. If I was you I’d reach out to ASUS and try to get more information. I believe many manufacturers are silent on this due to advertising WPA3 capable routers, however due to the WiFi Alliance mishaps manufacturers released routers that aren’t able to support the updates. So, that would probably explain why there is not much news about it.

I’ll try to do a deeper dive into this since you’ve given me another model to work off of.

 

[mcmxmk19]

After doing some research and comparing the RT-AX88U and AX86U, they’re pretty much the same router. I confirmed they have the same quad-core 1.8GHz Broadcom BCM4908 (ARM Cortex A53) CPU. As for the vulnerabilities, those were most likely patched during manufacturing of the RT-AX86U. And I’m going to go ahead and assume the hardware can support updates as I did not see anything that would indicate otherwise.

The only other thing I can think of is protected management frames (PMF):

WiFi Alliance PMF explanation.

Here’s a link to ASUS’s website explaining what PMF is and where to find it.

My final input in regard to WPA3 certification is it’s more or less fluff. It’s a sticker on a box. There is not much information because the WiFi Alliance is closed source and does not share much information, and manufacturers try everything possible to avoid having to recall devices already sold.

To answer your original question, personally I would not yet do WPA3 only. The reason is the possible incompatibility of devices and well the small degree of uncertainty. There’s nothing wrong with using WPA3/WPA2 plus PMF for added protection.

 

[itpp20]

PMF/wpa2 will do nicely without the other specific patches, even the most advanced will have a hard time getting around that. For those with PMF issues get an ASUS USB-AC53 Nano.

 

[torstein]

@mcmxmk19 thanks for the research you did! I'll read about PMF. All the devices I have supports WPA3, so as such, I assume I can safely use WPA3-only with PMF and not be at risk of anything securitywise? (required anyways on my AX58U when doing WPA3 only)

Or asked in a different way; if compatibility is not an issue, is it as of today, safer to have WPA3-only or WPA2-only?

 

[mcmxmk19]

I assume I can safely use WPA3-only with PMF and not be at risk of anything securitywise?

I have to give you an honest answer here. Based on available information vulnerabilities still do exist with WPA3. There just isn’t enough information to conclude what the vulnerabilities are, if they have been patched, and what routers those patches apply to. If anyone wants to provide any insight, please do. However, I’ve always thought about it like this: it took a team of researches to exploit WPA3. They were in a building and that was their goal. “Master level hackers.” Not your average person is capable of getting through WPA3. If you have a team trying to get into your network, you have bigger problems and no amount of security is going to keep them out.

Or asked in a different way; if compatibility is not an issue, is it as of today, safer to have WPA3-only or WPA2-only?

I would run WPA3/WPA2 mixed if it’s an option or WPA2 only. Just make sure you’ve set PMF to required regardless of what option you choose. I would not run WPA3 only. At least not yet.

 

[nickie]

I have a ac86u running the official asus firmware, and there is no WPA3 option. I also have an ax55 as a node, but do not know if it is capable of using WPA3. Given the discussion above, I assume none of these devices will have WPA3 enabled in the future by Asus (just guessing). However, I have a tp-link 1043nd v3, that is probably 7 or 8 years old, running ddwrt and it is able to use WPA3, This was introduced possibly one year ago or so. If such a basic device is able to use WPA3 I assume more powerful devices as the ac86u and the ax55, ac88, ax86 should be able to also run it. It's just a matter of wanting to implement. By the way, does the Merlin fw have WPA3 support?

 

[mcmxmk19]

However, I have a tp-link 1043nd v3, that is probably 7 or 8 years old, running ddwrt and it is able to use WPA3

At a quick glance, it seems you’re running the first WPA3 deployment without the updates. Do you know which chipset the your TP-Link is using?

If such a basic device is able to use WPA3 I assume more powerful devices as the ac86u and the ax55, ac88, ax86 should be able to also run it. It's just a matter of wanting to implement.

It’s because WPA3 was not secure. The updates were not backwards compatible and took time to release. It would of been a marketing nightmare for ASUS. It was easier to not deploy the feature as opposed to deal with the headache.

By the way, does the Merlin fw have WPA3 support?

Based on what I’ve seen, I believe Merlin does not interfere with WPA3 and leaves it to ASUS to decide what devices have it and which don’t. There are plenty of other security benefits that I’ve read about that you could use with the Merlin fw. I run QUAD9 as my DNS for example, easy setup with the fw. That’s about it lol, I enjoy Merlin fw for the stability.

 

[mcmxmk19]

@torstein I made a mistake by recommending running WPA3/WPA2 mixed. Only run this mode if you have a “certified” router (still, only do it at your own risk). Which again can be found in the link.

This is from the original article you posted:

Is the downgrade attack against transition mode a flaw in WPA3?​

Yes. We expect that most WPA3 networks will operate in transition mode for many years to come. This means that, unless our downgrade attack is mitigated, WPA3 will not prevent dictionary attacks.

Please see this article about transition disable from WiFi Alliance.

My assumption is that if there are so few ASUS devices “certified” it means either the certification is crap and out of date. Or the certification is legit and majority of the current devices out in the wild can’t deploy the December 2020 update. It’s possible COVID slowed deployment down.

In summary WPA2 only with PMF is your best option.