The WPA3 security standard enhances the security of Wi-Fi access points by safeguarding passwords against offline dictionary attacks. However, researchers have identified a man-in-the-middle vulnerability that exploits user behavior during reconnection attempts. In this scenario, if a user loses their Wi-Fi connection and is prompted to re-enter their password, they risk exposing their credentials. Researchers from the University of the West Indies demonstrated this by setting up a rogue WPA3 access point. They employed a captive portal—similar to the login pages commonly seen at hotels, airports, or corporate networks—to steal user passwords.
Additionally, the researchers showed that attackers could initiate a downgrade attack, forcing a network to revert to the less secure WPA2 protocol. This allows attackers to capture portions of the handshake, the critical step in which devices and routers exchange authentication details. Using this captured data, hackers can verify passwords and later create a rogue “evil twin” access point. This fake network mimics the legitimate one, tricking users into connecting to it automatically.
WPA3, the latest Wi-Fi security standard, incorporates Simultaneous Authentication of Equals (SAE), which makes offline password dictionary attacks nearly impossible. Unlike WPA2, WPA3 does not allow the handshake to be captured in a way that enables offline cracking. However, researchers exploited vulnerabilities in WPA3’s transition mode, which is backward compatible with WPA2. When a WPA2-compatible device connects to a WPA2/3 access point, the network adjusts to the older protocol, making it vulnerable to downgrade attacks.
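The exposure described above comes down to a few access-point settings. The following added example (not code from the researchers or from the hostapd project) audits two constructed hostapd.conf fragments: one in WPA2-PSK/WPA3-SAE transition mode with optional management frame protection, and one hardened to SAE only with protected management frames required. The option names (`wpa_key_mgmt`, `ieee80211w`, `sae_require_mfp`, `transition_disable`) are real hostapd parameters; the SSID and passphrases are placeholders.

```python
"""Audit a hostapd.conf fragment for WPA2/WPA3 transition-mode exposure.

Added example for this article, not the researchers' or hostapd's own code.
The two configuration texts are constructed for illustration; the option
names are real hostapd parameters, the SSID and passphrases are placeholders.
"""

# Constructed: a transition-mode network, the configuration the article says
# can be downgraded to the WPA2 path.
WEAK_CONF = """\
ssid=ExampleCorp
wpa=2
wpa_key_mgmt=WPA-PSK SAE
wpa_passphrase=placeholder-passphrase
rsn_pairwise=CCMP
ieee80211w=1
"""

# Constructed: the same network restricted to WPA3-SAE with protected
# management frames required, so there is no WPA2 fallback to downgrade to.
HARDENED_CONF = """\
ssid=ExampleCorp
wpa=2
wpa_key_mgmt=SAE
sae_password=placeholder-passphrase
rsn_pairwise=CCMP
ieee80211w=2
sae_require_mfp=1
"""


def parse_hostapd(text):
    """Parse key=value lines, ignoring blanks and comments."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        conf[key.strip()] = value.strip()
    return conf


def audit(text):
    """Return a list of findings; an empty list means no downgrade exposure found."""
    conf = parse_hostapd(text)
    findings = []
    akms = set(conf.get("wpa_key_mgmt", "").split())

    if "WPA-PSK" in akms and "SAE" in akms:
        findings.append("transition mode: WPA-PSK and SAE both offered, "
                        "so a client can be steered onto the WPA2 path")
    elif "WPA-PSK" in akms:
        findings.append("WPA2-PSK only: the 4-way handshake can be captured "
                        "for offline cracking")

    # ieee80211w=2 makes 802.11w mandatory; spoofed deauthentication frames
    # are then rejected by clients that support it.
    if conf.get("ieee80211w", "0") != "2":
        findings.append("ieee80211w != 2: management frame protection is not "
                        "required, deauthentication frames are unauthenticated")

    if "SAE" in akms and conf.get("sae_require_mfp", "0") != "1":
        findings.append("sae_require_mfp unset: SAE associations may be "
                        "formed without protected management frames")

    # In transition mode, transition_disable=0x01 tells a WPA3 client that has
    # connected once to stop accepting the WPA2 variant of this SSID.
    if "WPA-PSK" in akms and conf.get("transition_disable") is None:
        findings.append("transition_disable unset: clients are never told to "
                        "drop the WPA2 fallback for this SSID")
    return findings


if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit(text) or ["no findings"])
```

Running the audit on the weak fragment produces four findings; the hardened fragment produces none. If a deployment must keep transition mode for legacy clients, the last two checks point at the settings that limit the damage: require PMF for SAE associations and set `transition_disable` so capable clients stop accepting the WPA2 variant after their first WPA3 connection.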
The first step in such an attack involves deauthentication, where devices are forcibly disconnected from the Wi-Fi network. This can be achieved using denial-of-service techniques, prompting users to reconnect. Tools like Wireshark can then intercept parts of the handshake during the reconnection process. Hackers can use the captured data to create a rogue WPA2 access point with the same network name (SSID) and a captive portal, where unsuspecting users are tricked into entering their passwords.
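The deauthentication step leaves a clear trace in the air: a burst of deauthentication or disassociation frames, often sent to the broadcast address, claiming to come from the access point. The following added example (not the researchers' tooling) runs a sliding-window detector over constructed management-frame records of the kind a monitor-mode capture would be reduced to (timestamp, frame subtype, source, destination, reason code). The BSSID and client addresses are placeholders.

```python
"""Detect a deauthentication flood in 802.11 management-frame records.

Added example for this article, not the researchers' code. The frame records
are constructed to resemble a monitor-mode capture reduced to tuples; no live
capture is performed.
"""
from collections import defaultdict, deque

DEAUTH = "deauth"
DISASSOC = "disassoc"
BROADCAST = "ff:ff:ff:ff:ff:ff"

AP = "02:00:00:00:aa:01"  # placeholder BSSID

# Constructed sample: one benign disconnect and some beacons, then 50
# broadcast deauthentication frames within one second, all spoofing the AP.
SAMPLE_FRAMES = [
    (100.00, DISASSOC, AP, "02:00:00:00:cc:10", 8),  # a client left, benign
    (100.50, "beacon", AP, BROADCAST, None),
    (101.00, "beacon", AP, BROADCAST, None),
] + [
    (120.0 + i * 0.02, DEAUTH, AP, BROADCAST, 7)    # reason 7: class 3 frame from non-associated STA
    for i in range(50)
] + [
    (125.0, "beacon", AP, BROADCAST, None),
]


def detect_deauth_flood(frames, window=1.0, threshold=10):
    """Alert on any source that emits more than `threshold` deauth/disassoc
    frames inside a `window`-second interval. A broadcast destination is
    recorded because a legitimate AP rarely disconnects every client at once.
    One alert is raised per offending source."""
    recent = defaultdict(deque)   # source address -> recent disconnect timestamps
    alerted = set()
    alerts = []
    for ts, subtype, src, dst, reason in sorted(frames, key=lambda f: f[0]):
        if subtype not in (DEAUTH, DISASSOC):
            continue
        q = recent[src]
        q.append(ts)
        while q and ts - q[0] > window:   # drop timestamps outside the window
            q.popleft()
        if len(q) > threshold and src not in alerted:
            alerted.add(src)
            alerts.append({
                "source": src,
                "count_in_window": len(q),
                "first_seen": q[0],
                "broadcast": dst == BROADCAST,
                "reason_code": reason,
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_deauth_flood(SAMPLE_FRAMES):
        print("deauth flood from %(source)s: %(count_in_window)d frames, "
              "broadcast=%(broadcast)s, reason=%(reason_code)s" % alert)
```

On the sample, the single benign disassociation never reaches the threshold, while the burst trips the alert on its eleventh frame. Detection is the fallback; the primary mitigation is requiring protected management frames (802.11w), after which clients discard deauthentication frames that are not authenticated by the real access point.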
Deauthentication attacks increase the likelihood that users will choose the fraudulent network. The researchers noted that the captive portal could be designed to mimic a router’s homepage or a company’s network interface for added credibility. Although their experimental portal was kept simple, they suggested that phishing efforts could be made more convincing by replicating legitimate network branding.
The research aimed to intercept communication between a WPA3 client and a WPA2-PSK/WPA3-SAE transition network by exploiting downgrade vulnerabilities. While the researchers were unable to execute a full deauthentication attack during testing—possibly due to script compatibility issues—they demonstrated that network passwords could be retrieved using social engineering techniques via a rogue captive portal. This highlights the potential risks associated with WPA3’s transition mode and its backward compatibility.