
When WPA3 has a reasonable level of market penetration, one of its key selling points is Opportunistic Wireless Encryption (OWE). In other words, a Starbucks can have a network without a password, and each WPA3 device that connects to it will still have its connection encrypted.

I'm concerned about how I will know that I'm connecting to the right Starbucks WiFi SSID. With WPA2 PSK (and some forms of Enterprise), I could tell whether the server also knew the right password. I suspect that many businesses are only using a PSK for their public WiFi because that's the only way to encrypt data with WPA2. If they stop using a PSK once OWE is available, how do I know that I'm not connecting to an Evil Twin?

Is there a trust-after-first-use certificate pinning? Is there a way to type in a certificate fingerprint for TOFU? Is there any other mitigation at all? There's some speculation in the comments on this answer, but it's not what I was hoping to hear.

Michael
  • I imagine TOFU or optional fingerprint verification are compatible with the specification at least, even if they are not mandated. That is, a vendor could use TOFU or allow a user to input a fingerprint before connecting, but there is no way to know if vendors _are_ going to do that. – forest Jun 30 '18 at 06:16
  • No, unfortunately it does not protect against Evil Twin attacks, although it does have an encryption to secure your data during your connection. There is no "AP to client authentication". I have found a nice post about it, you can read; https://blog.mojonetworks.com/wpa3-security-enhancements – Pilfility Jul 02 '18 at 09:33
  • Wait, your Starbucks has a password? Mine has a simple open network with click through captive portal (or last I checked, which admittedly has been a while since I don't use it). Most places with free WiFi don't even use a PSK. Too much of an inconvenience to the customer; who cares about security. – YLearn Dec 13 '18 at 01:28
  • @ylearn No, not Starbucks. But other local places do. I'd prefer not to name them, because, you know, "security." – Michael Dec 13 '18 at 03:50
  • ...although the idea that even the _legitimate_ network is automatically trustworthy is false (say, [Verizon or AT&T inserting a tracking header](https://security.stackexchange.com/questions/71834/isps-are-now-adding-unique-header-identifiers-to-web-traffic-can-this-be-avoide), and some shop networks want to do similar tricks). So... **don't trust the network**. Period. HTTPS means the trustworthiness of the network is (mostly) irrelevant. You have to trust _somebody_, but it's best to make that as few parties as possible. – Clockwork-Muse Dec 15 '18 at 07:33

3 Answers


Short answer: No, they never left

OWE is not meant to replace PSK, it's meant to enhance open networks by encrypting them, but doesn't provide authentication. For that you still need a PSK or Enterprise configuration. As such, you have the same problem with "evil twins", aka MitMs, in WPA3 OWE networks as you have in unprotected networks.

Niklas Holm

OWE does not do authentication, "only" encryption. As such, it does not protect against evil-twin attacks. However, WPA3-certification does require Protected Management Frames, which makes it more difficult for an attacker to force a victim to disconnect.

Protection against evil-twin attacks requires the victim to authenticate the network it's connecting to, which requires either WPA3-Personal or WPA3-Enterprise.

Note: WPA3-Personal (and IIRC WPA3-Enterprise, but I'm not sure), unlike previous standards, does not use PSK exchange but instead uses SAE (Simultaneous Authentication of Equals).

Sources:


> With WPA2 PSK (and some forms of Enterprise), I could tell whether the server also knew the right password, but that doesn't exist anymore.

Hold on, why does that not exist anymore?

In WPA2, if a password is known, a device will typically not connect to an open network with the same name. While I don't own a WPA3 device to test with, I would assume that it does the same: if it knows a key, an access point with the same name and OWE should not be considered a known access point.

Additionally, as Martin Sundhaug mentioned already, they fixed the deauthentication attack. The best an attacker can now do is jam the frequency which is not only harder, but in most places also more illegal than deauth attacks.

If there is no password (so OWE is used), I think it very likely that an evil twin attack will work. If the device would save and check the key, owners would have to somehow synchronise keys between their access points, even though it does not have a password set. They are probably, by design, not going to make it so complicated. If that is what you meant, I would not call it "the return of" the evil twin attack, but rather "nothing changed regarding the evil twin attack".

Luc
  • It's the _"if it knows a key"_ that's the important bit. Does your device save a key or fingerprint for open networks? If you know the answer one way or the other, that would be significant. – Michael Dec 12 '18 at 16:29
  • @Michael Ah, now I understand what you're really asking. I thought it was about evil twin in general, not just between open networks. I'm reasonably sure that, between open networks, you can do an evil twin by design because otherwise any place with multiple APs and no password will need to somehow synchronise their keys. I'll add this to my answer. – Luc Dec 12 '18 at 18:28
  • Thanks! I understand how you interpreted it that way. I've made a small edit to the question to make it more clear to any future visitors as well. – Michael Dec 12 '18 at 19:24
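An added Python model (not code from the question or any answer) of the distinction the answers draw: OWE's key agreement needs no secret from the AP, so a matching key says nothing about who the AP is, whereas a PSK handshake gives the client a check that the AP derived the same password-based key. The DH group, KDF label and confirmation message are constructed, simplified stand-ins; real OWE uses ECDH with HKDF, and the real 4-way handshake and SAE differ in detail.

```python
import hashlib
import hmac
import secrets

P = 2**127 - 1  # constructed toy modulus (a Mersenne prime), not a secure DH group
G = 3

def dh_keypair():
    """Toy Diffie-Hellman key pair: (private exponent, public value)."""
    priv = secrets.randbelow(P - 2) + 1
    return priv, pow(G, priv, P)

def kdf(ikm: bytes, label: bytes) -> bytes:
    """Simplified HKDF (extract, then one expand block) with HMAC-SHA256."""
    prk = hmac.new(b"\x00" * 32, ikm, hashlib.sha256).digest()
    return hmac.new(prk, label + b"\x01", hashlib.sha256).digest()

def owe_associate(ap_priv: int, ap_pub: int):
    """OWE-style association: client and AP run DH and derive a PMK.
    Nothing depends on a secret the AP must already know, so any party
    with a key pair completes it with matching PMKs: encryption, no authentication.
    Returns (client_pmk, ap_pmk)."""
    c_priv, c_pub = dh_keypair()
    client_pmk = kdf(pow(ap_pub, c_priv, P).to_bytes(16, "big"), b"toy-OWE")
    ap_pmk = kdf(pow(c_pub, ap_priv, P).to_bytes(16, "big"), b"toy-OWE")
    return client_pmk, ap_pmk

def psk_pmk(passphrase: str, ssid: str) -> bytes:
    """WPA2-Personal PMK: PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 rounds, 32 bytes)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)

def ap_proves_password(client_pmk: bytes, ap_pmk: bytes) -> bool:
    """Simplified key confirmation (stand-in for the 4-way handshake MIC or the
    SAE confirm): the AP MACs fresh nonces with its PMK; the client recomputes the
    MAC with the PMK derived from the password it was given. Only an AP holding
    the same password-derived key verifies."""
    transcript = b"AP-confirm" + secrets.token_bytes(32) + secrets.token_bytes(32)
    ap_mic = hmac.new(ap_pmk, transcript, hashlib.sha256).digest()
    expected = hmac.new(client_pmk, transcript, hashlib.sha256).digest()
    return hmac.compare_digest(ap_mic, expected)

if __name__ == "__main__":
    for name, (priv, pub) in (("legitimate AP", dh_keypair()), ("any other AP", dh_keypair())):
        c, a = owe_associate(priv, pub)
        print(f"OWE with {name}: PMKs agree = {c == a}")  # True both times
    good, wrong = psk_pmk("correct horse battery", "CafeWiFi"), psk_pmk("other", "CafeWiFi")
    print("PSK, AP knows password:", ap_proves_password(good, good))   # True
    print("PSK, AP lacks password:", ap_proves_password(good, wrong))  # False
```

The OWE half completes identically for both key pairs because the client never had anything to compare against; the PSK half fails exactly when the AP's key was not derived from the same password.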