$125 is all it would cost a hacker to crack your WPA3 password, researchers say
WPA3 might not be as secure as we thought.
Security researchers say they have discovered several flaws in the Wi-Fi Protected Access 3 (WPA3) protocol that could allow an attacker to crack a user's password and ultimately access encrypted traffic. What's equally disturbing is that it can supposedly be done relatively quickly and cheaply.
WPA3 was designed in part to address a major vulnerability in WPA2 (and WPA), the protocols that had been widely used to protect wireless networks at home and in some workplaces. That specific flaw, dubbed KRACK (Key Reinstallation Attack), could allow an attacker to snoop on what is supposed to be encrypted traffic between computers and wireless access points.
The newer security protocol addressed that vulnerability and added a bunch of other protections, but it may not be as secure as we thought. In a research paper titled Dragonblood (PDF), researchers Mathy Vanhoef and Eyal Ronen say that WPA3's Simultaneous Authentication of Equals (SAE) handshake, commonly known as Dragonfly, is affected by password partitioning attacks.
"These attacks resemble [brute-force] dictionary attacks and allow an adversary to recover the password by abusing timing or cache-based side-channel leaks," the paper states.
Brute-force dictionary attacks use specialized software to guess all possible passwords and passphrases until the correct one is found. In this case, one of the flaws could allow an attacker to brute-force an eight-character, lowercase password.
That's worrying in and of itself, but according to the researchers, an attacker would only need $125 worth of Amazon EC2 cloud resources to pull this off. Depending on the target, that is a small price to pay.
It is just one of several flaws highlighted by the researchers.
"In light of our presented attacks, we believe that WPA3 does not meet the standards of a modern security protocol. Moreover, we believe that our attacks could have been avoided if the Wi-Fi Alliance created the WPA3 certification in a more open manner," the researchers say.
The Wi-Fi Alliance downplayed the paper's findings, saying the issues identified only exist in a "limited number of early implementations of WPA3" and "can all be mitigated through software updates." Furthermore, the Wi-Fi Alliance says there is no evidence that the vulnerabilities outlined in the research paper have actually been exploited.
What this means for you is that you should ensure your router is updated to the latest firmware, which is a good security practice regardless.
Paul has been playing PC games and raking his knuckles on computer hardware since the Commodore 64. He does not have any tattoos, but thinks it would be cool to get one that reads LOAD"*",8,1. In his off time, he rides motorcycles and wrestles alligators (only one of those is true).


