Why this work is in the frame
A frame that forgets how it found something cannot be audited. These are the routes that admitted this work.
Bibliographic record
Abstract
WPA3 (Wi-Fi Protected Access 3) is a certification that augments its predecessor WPA2 with protection mechanisms, such as resistance against password dictionary attacks through SAE (Simultaneous Authentication of Equals) handshake, MFP (Management Frame Protection) against management frame spoofing, and forward secrecy to prevent an attacker from decrypting old packets if it manages to crack the network key in the future. The mechanism is still under implementation by various device vendors. WPA3-capable devices are supposed to be on the market by the end of this year (2019) or early next year (2020). In this work, we describe a vulnerability that we have discovered in WPA3 authentication protocol. This vulnerability, named bad-token, can be exploited by an attacker in a race condition to cause a denial of service to Wi-Fi clients. The attacker sends fake authentication messages that contain a bad token (WPA3 authentication confirm value) during the WPA3 authentication and prevents legitimate clients from connecting to a WPA3 network. We also present two denial of service attacks related to WPA2, but can be inherited by WPA3. We start by presenting the WPA3-SAE mechanism and then introduce the bad-token vulnerability. We implement an attack that exploits the vulnerability using the Linux software utilities hostapd-2.7 and wpa_supplicant-2.7 on Raspberry Pis and show the impact of the attack on a legitimate WPA3 network. We provide a countermeasure to mitigate the attack. Finally, we present the two WPA2-related attacks that can occur on WPA3 if certain security measures are not applied. We experimentally show the feasibility of these two attacks and propose countermeasures to mitigate them and direct device vendors to better implement security in their future devices.
Fetched live from OpenAlex and de-inverted. Abstracts are not stored in this database: the inverted indexes are 8.6 GB of the frame’s 9.3 GB of text, and the host has 13 GB free.
Full frame distilled prediction
Teacher imitationNot calibrated prevalence, not ground truth. Human validation pending. Learned from the 10,348 direct Codex labels and 10,348 direct Gemma labels. Candidate is the union of thresholded teacher heads; consensus is their intersection. These outputs are machine_predicted_unvalidated and are not human labels or direct frontier model labels.
Codex and Gemma teacher scores by category
| Category | Codex | Gemma |
|---|---|---|
| Metaresearch | 0.000 | 0.000 |
| Meta-epidemiology (narrow) | 0.000 | 0.000 |
| Meta-epidemiology (broad) | 0.000 | 0.000 |
| Bibliometrics | 0.000 | 0.000 |
| Science and technology studies | 0.000 | 0.000 |
| Scholarly communication | 0.000 | 0.000 |
| Open science | 0.001 | 0.000 |
| Research integrity | 0.000 | 0.000 |
| Insufficient payload (model declined to judge) | 0.000 | 0.004 |
Machine scores (provisional)
The two teacher heads of the student model, read on this work. A score orders the frame for review; it never asserts a category, and the validation status ships verbatim with every row.
Baseline scores from an immature model (maturity gate not passed, 7 training rounds). Scores rank; they never assert a category.
score_only:v0-immature-baseline · verbatim from the scoring run: score_only means the number may rank works, and no category label ships from it