Security Update April 2019

As with any technology, the robust security research necessary to remain ahead of emerging threats will occasionally uncover new vulnerabilities. Security researchers identified vulnerabilities in a limited number of early implementations of WPA3™-Personal and immediately brought their discovery to the Wi-Fi^® industry. There is no evidence of the vulnerability being used against Wi-Fi users maliciously, and Wi-Fi Alliance^® has taken immediate steps to ensure users can count on WPA3-Personal to deliver even stronger security protections.

Wi-Fi CERTIFIED WPA3-Personal now includes additional testing within our global certification lab network to encourage greater adoption of recommended practices
Wi-Fi Alliance is broadly communicating details on these vulnerabilities and implementation guidance to device vendors as the industry begins to bring WPA3-Personal to market

These issues can be resolved through a straightforward software update – a process much like the software updates Wi-Fi users regularly perform on their mobile devices. WPA3-Personal is in the early stages of deployment, and the small number of device manufacturers that are affected have already started deploying patches to resolve the issue. The software updates do not require any changes that affect interoperability between Wi-Fi devices. Users can refer to their device vendors’ websites for more information.

As always, Wi-Fi users should ensure they have installed the latest recommended updates from device manufacturers. Security is and always will be a dynamic endeavor, and Wi-Fi Alliance will continue to maintain strong security protections for Wi-Fi users through its Wi-Fi CERTIFIED™ program.

Wi-Fi Alliance public statement: https://www.wi-fi.org/news-events/newsroom/wi-fi-alliance-security-update-april-2019

Relevant Identifiers:

CERT case ID: VU#871675
CVE-2019-9494
CVE-2019-9495
CVE-2019-9496
CVE-2019-9497
CVE-2019-9498
CVE-2019-9499

Relevant research:

Research Website Link: https://wpa3.mathyvanhoef.com

Guidance for implementers:

WPA3™ Security Considerations Link: https://www.wi-fi.org/file/wpa3-security-considerations

Frequently Asked Questions

Are the identified vulnerabilities a WPA3™-Personal protocol issue or on issue related to specific device implementations?

When considering the question of whether a vulnerability is a protocol or implementation issue, the purpose is often to determine the vulnerability’s broader implications, such as the pervasiveness of the vulnerability, the ease of addressing the vulnerability, and the ability to maintain interoperability between patched and unpatched devices.

In this instance, the issues found in a limited number of early implementations of WPA3-Personal can be mitigated through software updates that retain interoperability across Wi-Fi devices. WPA3-Personal is in the early stages of deployment, and the small number of device manufacturers that are affected have already started deploying updates to their implementations of WPA3-Personal. Wi-Fi Alliance is broadly communicating implementation guidance to ensure vendors understand the relevant security considerations when developing their devices.

How will vulnerabilities in existing devices be fixed?

These issues can be resolved with a software update – much like users regularly perform on their Wi-Fi devices already. WPA3-Personal is in the early stages of deployment, and the small number of device manufacturers that are affected have already started distributing updates to their users. Wi-Fi CERTIFIED WPA3-Personal now includes additional testing to encourage greater adoption of recommended practices.

Will the fixes to address this vulnerability create interoperability issues between Wi-Fi devices?

The software updates do not require any changes that affect interoperability between Wi-Fi devices. Users can expect all their Wi-Fi devices, whether patched or unpatched, to continue working well together.

How will I know if my device is affected?

These issues affect a limited number of early implementations of WPA3-Personal, which devices have only recently begun supporting. Users should refer to their Wi-Fi device vendor’s website or security advisories to determine if their device has been affected and has an update available. As always, Wi-Fi users should ensure they have installed the latest recommended updates from device manufacturers.

What will Wi-Fi Alliance do to prevent these types of issues moving forward?

Security is and will always be a dynamic endeavor, and Wi-Fi CERTIFIED is an important tool in driving broad adoption of strong security protections in Wi-Fi devices. Wi-Fi Alliance regularly updates Wi-Fi CERTIFIED requirements and test coverage to address wireless security and privacy challenges as the threat landscape changes. Wi-Fi Alliance encourages responsible disclosure of any discovered security vulnerabilities to ensure the best possible outcome.

Does WPA3 remain secure?

WPA3-Personal provides security for private Wi-Fi networks based on a simple password credential. Wi-Fi users should continue to look for Wi-Fi CERTIFIED WPA3 in their devices to ensure they are receiving the strongest available Wi-Fi security. Wi-Fi CERTIFIED WPA3-Personal now includes additional testing within our global certification lab network to encourage greater adoption of recommended practices.