Security Update, April 2019

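Regardless of the technology involved, reliable security research is essential to staying ahead of emerging security threats, and such research will occasionally uncover new vulnerabilities. Security researchers identified vulnerabilities in a limited number of early implementations of WPA3™-Personal and immediately reported their findings to the Wi-Fi® industry. There is currently no evidence that the vulnerabilities have been maliciously exploited against Wi-Fi users. Wi-Fi Alliance® took immediate steps to ensure users can count on WPA3-Personal to deliver stronger security protections.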

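  • Within our global certification lab network, Wi-Fi CERTIFIED WPA3-Personal now includes additional testing to encourage greater adoption of recommended practices.
  • As the industry begins bringing WPA3-Personal to market, Wi-Fi Alliance is broadly communicating details of these vulnerabilities and WPA3-Personal implementation guidance to device manufacturers.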

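These issues can be resolved with a simple software update, much like the updates Wi-Fi users regularly perform on their mobile devices. WPA3-Personal is in the early stages of deployment, and the small number of device manufacturers that are affected have already started providing patches to resolve the issues found. These software updates do not require any changes that affect interoperability between Wi-Fi devices. Users can consult their device vendor's website for more information.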

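As always, Wi-Fi users should ensure they have installed the latest recommended updates from device manufacturers. Security is always changing and requires continuous effort to address newly emerging issues. Wi-Fi Alliance will continue to provide strong security protections for Wi-Fi users through the Wi-Fi CERTIFIED™ program.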

Wi-Fi Alliance public statement: https://www.wi-fi.org/zh-hant/news-events/newsroom/wi-fi-alliance-6

Related identifiers:

  • CERT case ID: VU#871675;
  • CVE-2019-9494;
  • CVE-2019-9495;
  • CVE-2019-9496;
  • CVE-2019-9497;
  • CVE-2019-9498;
  • CVE-2019-9499.

Related research

Implementer guidance:

Frequently Asked Questions

Are the identified vulnerabilities a WPA3™-Personal protocol issue or an issue related to specific device implementations?

When considering the question of whether a vulnerability is a protocol or implementation issue, the purpose is often to determine the vulnerability’s broader implications, such as the pervasiveness of the vulnerability, the ease of addressing the vulnerability, and the ability to maintain interoperability between patched and unpatched devices.

In this instance, the issues found in a limited number of early implementations of WPA3-Personal can be mitigated through software updates that retain interoperability across Wi-Fi devices. WPA3-Personal is in the early stages of deployment, and the small number of device manufacturers that are affected have already started deploying updates to their implementations of WPA3-Personal. Wi-Fi Alliance is broadly communicating implementation guidance to ensure vendors understand the relevant security considerations when developing their devices.

How will vulnerabilities in existing devices be fixed?

These issues can be resolved with a software update – much like users regularly perform on their Wi-Fi devices already. WPA3-Personal is in the early stages of deployment, and the small number of device manufacturers that are affected have already started distributing updates to their users. Wi-Fi CERTIFIED WPA3-Personal now includes additional testing to encourage greater adoption of recommended practices.

Will the fixes to address this vulnerability create interoperability issues between Wi-Fi devices?

The software updates do not require any changes that affect interoperability between Wi-Fi devices. Users can expect all their Wi-Fi devices, whether patched or unpatched, to continue working well together.

How will I know if my device is affected?

These issues affect a limited number of early implementations of WPA3-Personal, which devices have only recently begun supporting. Users should refer to their Wi-Fi device vendor’s website or security advisories to determine if their device has been affected and has an update available. As always, Wi-Fi users should ensure they have installed the latest recommended updates from device manufacturers.

What will Wi-Fi Alliance do to prevent these types of issues moving forward?

Security is and will always be a dynamic endeavor, and Wi-Fi CERTIFIED is an important tool in driving broad adoption of strong security protections in Wi-Fi devices. Wi-Fi Alliance regularly updates Wi-Fi CERTIFIED requirements and test coverage to address wireless security and privacy challenges as the threat landscape changes. Wi-Fi Alliance encourages responsible disclosure of any discovered security vulnerabilities to ensure the best possible outcome.

Does WPA3 remain secure?

WPA3-Personal provides security for private Wi-Fi networks based on a simple password credential. Wi-Fi users should continue to look for Wi-Fi CERTIFIED WPA3 in their devices to ensure they are receiving the strongest available Wi-Fi security. Wi-Fi CERTIFIED WPA3-Personal now includes additional testing within our global certification lab network to encourage greater adoption of recommended practices.