Presented at DEF CON 33 (2025), Aug. 10, 2025, 11:30 a.m. (45 minutes).
Wi-Fi Easy Connect is a protocol introduced by the Wi-Fi Alliance as the core replacement for Wi-Fi Protected Setup (WPS). It is designed to simplify device provisioning using user-friendly methods such as QR code scanning or short-range wireless technologies like NFC and Bluetooth. In this paper, we present a comprehensive security and privacy assessment of Wi-Fi Easy Connect (version 3.0).
Our analysis uncovered several security issues, including aspects of the protocol’s design that may unintentionally expand the attack surface compared to WPS. Notably, we found that design choices intended to enhance usability can compromise security. All identified issues were disclosed to the Wi-Fi Alliance, and we incorporated their feedback regarding mitigations and risk acceptance into our evaluation.
This work underscores the critical balance between usability and security in protocol design and the dangers of prioritizing ease-of-use at the expense of robust security guarantees.
Presenters:
- George "sophron" Chatzisofroniou
George Chatzisofroniou is a computer security researcher and engineer specializing in Wi-Fi and wireless network security. He has conducted infrastructure and software security testing for Fortune 500 companies across Africa, Asia, Europe, and North America. His research has been presented at leading security conferences and has attracted media coverage for uncovering critical protocol-level vulnerabilities.