보안 업데이트 2019년 4월

여타 기술과 마찬가지로, 최신 위협에 대비하기 위해 필요한 고강도 보안 연구를 통해 때때로 새로운 취약점이 발견되기도 합니다. 최근 보안 연구에서 일부 초기 WPA3™-Personal 구현에 취약점이 있는 것이 확인되어 Wi-Fi® 업계에 즉각 보고되었습니다.  해당 취약점이 Wi-Fi 사용자들에게 악의적으로 사용되었다는 증거는 전혀 확인되지 않았으며, Wi-Fi Alliance®는 사용자들이 WPA3-Personal을 통해 더욱 강력한 보안을 보장받을 수 있도록 즉각적인 조치를 완료하였습니다.

  • Wi-Fi Alliance의 글로벌 인증 랩 네트워크에 권장 프랙티스의 광범위한 적용을 위한 테스트가 추가되었습니다.
  • Wi-Fi Alliance는 업계에서 WPA3-Personal 출시가 본격화되기 시작함에 따라 기기 벤더들에게 해당 취약점에 대한 자세한 정보와 구현 지침을 널리 전달하고 있습니다.

해당 이슈는 Wi-Fi 사용자가 모바일 기기에서 정기적으로 실행하는 소프트웨어 업데이트 프로세스와 같은 소프트웨어 업데이트를 통해 해결 가능합니다. WPA3-Personal은 현재 배포 초기 단계이며, 관련된 소수의 기기 제조업체들은 이미 해당 이슈에 대한 패치 배포에 착수했습니다. 해당 소프트웨어 업데이트는 Wi-Fi 기기 상호운용성에 영향을 주지 않습니다. 사용자는 소유한 기기의 제조업체 웹사이트에서 자세한 정보를 확인할 수 있습니다.  

늘 그렇듯이 Wi-Fi 사용자는 기기에 제조업체가 제공하는 최신 권장 업데이트가 설치되도록 확인해야 합니다. 보안은 끊임없는 대응과 노력을 통해 달성되며, 앞으로도 그러할 것입니다. Wi-Fi Alliance는 Wi-Fi CERTIFIED™ 프로그램을 통해 계속해서 Wi-Fi 사용자를 위한 강력한 보안이 유지되도록 할 것입니다.

Wi-Fi Alliance 공개 발표: https://www.wi-fi.org/ko/news-events/newsroom/wi-fi-alliance-4

관련 식별자:

  • CERT case ID: VU#871675
  • CVE-2019-9494
  • CVE-2019-9495
  • CVE-2019-9496
  • CVE-2019-9497
  • CVE-2019-9498
  • CVE-2019-9499

관련 연구:

구현 지침:

Frequently Asked Questions

Are the identified vulnerabilities a WPA3™-Personal protocol issue or on issue related to specific device implementations?

When considering the question of whether a vulnerability is a protocol or implementation issue, the purpose is often to determine the vulnerability’s broader implications, such as the pervasiveness of the vulnerability, the ease of addressing the vulnerability, and the ability to maintain interoperability between patched and unpatched devices.

In this instance, the issues found in a limited number of early implementations of WPA3-Personal can be mitigated through software updates that retain interoperability across Wi-Fi devices. WPA3-Personal is in the early stages of deployment, and the small number of device manufacturers that are affected have already started deploying updates to their implementations of WPA3-Personal. Wi-Fi Alliance is broadly communicating implementation guidance to ensure vendors understand the relevant security considerations when developing their devices.

How will vulnerabilities in existing devices be fixed?

These issues can be resolved with a software update – much like users regularly perform on their Wi-Fi devices already. WPA3-Personal is in the early stages of deployment, and the small number of device manufacturers that are affected have already started distributing updates to their users. Wi-Fi CERTIFIED WPA3-Personal now includes additional testing to encourage greater adoption of recommended practices.

Will the fixes to address this vulnerability create interoperability issues between Wi-Fi devices?

The software updates do not require any changes that affect interoperability between Wi-Fi devices. Users can expect all their Wi-Fi devices, whether patched or unpatched, to continue working well together.

How will I know if my device is affected?

These issues affect a limited number of early implementations of WPA3-Personal, which devices have only recently begun supporting. Users should refer to their Wi-Fi device vendor’s website or security advisories to determine if their device has been affected and has an update available. As always, Wi-Fi users should ensure they have installed the latest recommended updates from device manufacturers.

What will Wi-Fi Alliance do to prevent these types of issues moving forward?

Security is and will always be a dynamic endeavor, and Wi-Fi CERTIFIED is an important tool in driving broad adoption of strong security protections in Wi-Fi devices. Wi-Fi Alliance regularly updates Wi-Fi CERTIFIED requirements and test coverage to address wireless security and privacy challenges as the threat landscape changes. Wi-Fi Alliance encourages responsible disclosure of any discovered security vulnerabilities to ensure the best possible outcome.

Does WPA3 remain secure?

WPA3-Personal provides security for private Wi-Fi networks based on a simple password credential. Wi-Fi users should continue to look for Wi-Fi CERTIFIED WPA3 in their devices to ensure they are receiving the strongest available Wi-Fi security. Wi-Fi CERTIFIED WPA3-Personal now includes additional testing within our global certification lab network to encourage greater adoption of recommended practices.