🔥 Breaking — It has been close to just one year since the launch of next-generation Wi-Fi security standard WPA3 and researchers have unveiled several serious vulnerabilities in the wireless security protocol that could allow attackers to recover the password of the Wi-Fi network.
WPA, or Wi-Fi Protected Access, is a standard designed to authenticate wireless devices using the Advanced Encryption Standard (AES) protocol and is intended to prevent hackers from eavesdropping on your wireless data.
The Wi-Fi Protected Access III (WPA3) protocol was launched in an attempt to address technical shortcomings of the WPA2 protocol from the ground, which has long been considered to be insecure and found vulnerable to KRACK (Key Reinstallation Attack).
Though WPA3 relies on a more secure handshake, known as Dragonfly, that aims to protect Wi-Fi networks against offline dictionary attacks, security researchers Mathy Vanhoef and Eyal Ronen found weaknesses in the early implementation of WPA3-Personal, allowing an attacker to recover WiFi passwords by abusing timing or cache-based side-channel leaks.
“Concretely, attackers can then read information that WPA3 was assumed to safely encrypt. This can be abused to steal sensitive transmitted information such as credit card numbers, passwords, chat messages, emails, and so on,” the researchers say.
Vulnerabilities in WPA3 — Hacking WiFi Password
In a research paper, dubbed DragonBlood, published today, researchers detailed two types of design flaws in WPA3—first leads to downgrade attacks and second to side-channel leaks.
Since the 15-year-old WPA2 protocol has been widely used by billions of devices, widespread adoption of WPA3 won’t happen overnight. To support old devices, WPA3 Certified devices offer a “transitional mode of operation” that can be configured to accept connections using both WPA3-SAE and WPA2.
Researchers find that the transitional mode is vulnerable to downgrade attacks, which attackers can abuse to set up a rogue AP that only supports WPA2, forcing WPA3-supported devices to connect using insecure WPA2’s 4-way handshake.
“We also discovered a downgrade attack against SAE [Simultaneous Authentication of Equals handshake, commonly known as Dragonfly] itself, where we can force a device into using a weaker elliptic curve than it normally would use,” the researchers say.
Moreover, a man-in-the-middle position is not needed to carry out downgrade attack. Instead, attackers only need to know the SSID of the WPA3- SAE network.
Researchers also detail two side-channel attacks—Cache-based (CVE-2019-9494) and Timing-based (CVE-2019-9494) attacks—against Dragonfly’s password encoding method that could allow attackers to perform a password partitioning attack, similar to an offline dictionary attack, to obtain Wi-Fi password.
“For our password partitioning attack, we need to record several handshakes with different MAC addresses. We can get handshakes with different MAC addresses by targeting multiple clients in the same network (e.g. convince multiple users to download the same malicious application). If we are only able to attack one client, we can set up rogue APs with the same SSID but a spoofed MAC address.”
Besides these, the duo also documented a Denial of Service attack that can be launched by overloading an “AP by initiating a large amount of handshakes with a WPA3-enabled Access Point,” bypassing SAE’s anti-clogging mechanism that is supposed to prevent DoS attacks.
Some of these vulnerabilities also affect devices using the EAP-pwd (Extensible Authentication Protocol-Password) protocol, which is also based on the Dragonfly password-authenticated key exchange method.
As a proof-of-concept, researchers will shortly release the following four separate tools (in the GitHub repositories hyperlinked below) that can be used to test the vulnerabilities as mentioned above.
- Dragondrain—a tool that can test to which extend an Access Point is vulnerable to Dos attacks against WPA3’s Dragonfly handshake.
- Dragontime—an experimental tool to perform timing attacks against the Dragonfly handshake.
- Dragonforce—an experimental tool that takes the information to recover from the timing attacks and performs a password partitioning attack.
- Dragonslayer—a tool that implements attacks against EAP-pwd.
“Nearly all of our attacks are against SAE’s password encoding method, i.e., against its hash-to-group and hash-to-curve algorithm. Interestingly, a simple change to this algorithm would have prevented most of our attacks,” the researchers say.
Wi-Fi Alliance Working With Vendors to Patch Reported Issues
The duo reported their findings to the WiFi Alliance, the non-profit organization that certifies WiFi standards and Wi-Fi products for conformity, who acknowledged the issues and are working with vendors to patch existing WPA3-certified devices.
“The software updates do not require any changes that affect interoperability between Wi-Fi devices. Users can refer to their device vendors’ websites for more information,” the WiFi Alliance says in its press release.
“The software updates do not require any changes that affect interoperability between Wi-Fi devices. Users can expect all their Wi-Fi devices, whether patched or unpatched, to continue working well together.”
You can read more information about these vulnerabilities on the DragonBlood dedicated website, and the research paper [PDF], which also explains how minor changes to the protocol could prevent most of the attacks detailed by the researchers.