Hacking WPA3: DragonBlood

Although the new WPA3 standard is not yet fully operational, security flaws in this protocol allow attackers to crack the Wi-Fi password.

The Wi-Fi Protected Access III (WPA3) protocol was launched to address the technical shortcomings of WPA2, which had long been considered insecure and vulnerable to KRACK (Key Reinstallation Attack). Although WPA3 relies on a more secure handshake known as Dragonfly, which aims to protect Wi-Fi networks from offline dictionary attacks (offline brute force), security researchers Mathy Vanhoef and Eyal Ronen have discovered weaknesses in early implementations of WPA3-Personal that could allow an attacker to recover Wi-Fi passwords by abusing timing or cache-based side-channel leaks.

“Intruders can read information that WPA3 was supposed to encrypt securely. This can be used to steal sensitive information such as credit card numbers, passwords, chat messages, emails, etc.”

In a research paper published today, called DragonBlood, the researchers looked in detail at two types of design flaws in WPA3: the first leads to downgrade attacks, and the second leads to side-channel leaks.

Cache-based side-channel attack

Dragonfly's password encoding algorithm, also known as the hunting and pecking algorithm, contains conditional branches. If an attacker can determine which branch of an if-then-else construct was taken, they can find out whether the password element was found in a particular iteration of the algorithm. In practice, it has been found that if an attacker can run unprivileged code on the victim's computer, cache-based attacks can reveal which branch was taken in the first iteration of the password encoding algorithm. This information can be used to perform a password partitioning attack (similar to an offline dictionary attack).

This vulnerability is tracked as CVE-2019-9494.

The defense is to replace conditional branches that depend on secret values with constant-time selection utilities. Implementations should also compute the Legendre symbol in constant time.
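The branch-versus-selection difference described above, as an added example that is not code from the researchers or from any WPA3 implementation: a toy password encoding loop over a small prime field, first with the secret-dependent branch and early exit, then with a fixed iteration count and masked selection. The prime, the curve, the value of K and the toy_kdf hash are all constructed assumptions chosen to keep the example short.

```c
#include <stdint.h>
#include <stddef.h>
#define P 2147483647u   /* toy prime 2^31-1; real groups use 256-bit or larger primes */
#define K 40u           /* fixed iteration count for the hardened loop (assumed value) */

/* Toy arithmetic: '%' is not guaranteed constant-time on every CPU. */
static uint32_t mulmod(uint32_t a, uint32_t b) { return (uint32_t)(((uint64_t)a * b) % P); }

/* Constructed stand-in for the hash of (password, MAC addresses, counter). */
static uint32_t toy_kdf(const char *pw, uint32_t ctr) {
    uint64_t h = 1469598103934665603ull ^ ctr;
    for (size_t i = 0; pw[i]; i++) h = (h ^ (uint8_t)pw[i]) * 1099511628211ull;
    return (uint32_t)((h ^ (h >> 29)) % P);
}

/* Right-hand side of the toy curve y^2 = x^3 + 3x + 7 (mod P). */
static uint32_t rhs(uint32_t x) {
    return (uint32_t)(((uint64_t)mulmod(mulmod(x, x), x) + mulmod(3, x) + 7) % P);
}

/* Legendre symbol by Euler's criterion in a fixed 30 steps; all-ones mask if v is a square. */
static uint32_t is_qr_mask(uint32_t v) {
    uint32_t r = 1;
    for (int i = 0; i < 30; i++) r = mulmod(mulmod(r, r), v);   /* (P-1)/2 = 2^30-1 */
    return (uint32_t)0 - (uint32_t)(((uint64_t)(r ^ 1u) - 1) >> 63);
}

/* Flawed shape: the branch and the loop length both depend on the password. */
uint32_t pwe_leaky(const char *pw, unsigned *iters) {
    for (uint32_t ctr = 1; ctr <= K; ctr++) {
        uint32_t x = toy_kdf(pw, ctr);
        if (is_qr_mask(rhs(x))) { *iters = ctr; return x; }
    }
    *iters = K;
    return 0;   /* no element found within K tries */
}

/* Hardened shape: always K iterations, first hit kept by masked selection. */
uint32_t pwe_fixed(const char *pw, unsigned *iters) {
    uint32_t found = 0, x_sel = 0;
    for (uint32_t ctr = 1; ctr <= K; ctr++) {
        uint32_t x = toy_kdf(pw, ctr);
        uint32_t qr = is_qr_mask(rhs(x));
        uint32_t take = qr & ~found;            /* all-ones only on the first hit */
        x_sel = (take & x) | (~take & x_sel);   /* constant-time select, no branch */
        found |= qr;
    }
    *iters = K;
    return x_sel;
}
```

Both functions return the same element for a given password; only the first one exposes, through its control flow and running time, the iteration in which that element was found.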

Timing-based side-channel attack

When the Dragonfly handshake uses certain multiplicative groups, the password encoding algorithm uses a variable number of iterations to encode the password. The exact number of iterations depends on the password used and on the MAC addresses of the access point and the client. An attacker can perform a remote timing attack on the password encoding algorithm to determine how many iterations it took to encode the password. The recovered information can be used to perform a password attack, which is similar to an offline dictionary attack.

To prevent a timing-based attack, implementations should disable vulnerable multiplicative groups. Specifically, MODP groups 22, 23 and 24 should be disabled. It is also recommended to disable MODP groups 1, 2 and 5.

This vulnerability is also tracked as CVE-2019-9494 because the attack is implemented in a similar way.

WPA3 downgrade

Since the 15-year-old WPA2 protocol is used by billions of devices, widespread adoption of WPA3 will not happen overnight. To support older devices, WPA3-certified devices offer a "transition mode of operation" that can be configured to accept connections using both WPA3-SAE and WPA2.

According to the researchers, transition mode is vulnerable to downgrade attacks: an attacker can set up a rogue WPA2-only access point that forces WPA3-capable devices to connect using the insecure WPA2 four-way handshake.

“We also found a downgrade attack against the SAE handshake itself (Simultaneous Authentication of Equals, commonly known as Dragonfly), where we can force the device to use a weaker elliptic curve than normal,” the researchers say.

Moreover, a man-in-the-middle position is not needed for a downgrade attack. Instead, attackers only need to know the SSID of the WPA3-SAE network.
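A configuration audit for the two recommendations above (disable the listed MODP groups, and know when transition mode is on), as an added example that is not part of the original article or of any vendor tool. It assumes a hostapd-style configuration in which sae_groups lists the enabled SAE groups and wpa_key_mgmt lists the key management suites; the function name and both sample configurations are constructed.

```c
#include <string.h>

enum { WEAK_MODP = 1, DISCOURAGED_MODP = 2, TRANSITION_MODE = 4 };
#define SEP(c) ((c) == ' ' || (c) == '\t' || (c) == '\r')

/* Constructed sample configurations, not taken from any real device. */
const char SAMPLE_TRANSITION[] =
    "ssid=example\n# legacy clients still allowed\nwpa_key_mgmt=SAE WPA-PSK\nsae_groups=19 22 5\n";
const char SAMPLE_SAE_ONLY[] =
    "ssid=example\nwpa_key_mgmt=SAE\nsae_groups=19 20 21\n";

/* Does the whitespace-separated list [s, end) contain exactly the token tok? */
static int has_token(const char *s, const char *end, const char *tok) {
    size_t n = strlen(tok);
    while (s < end) {
        while (s < end && SEP(*s)) s++;
        const char *e = s;
        while (e < end && !SEP(*e)) e++;
        if ((size_t)(e - s) == n && memcmp(s, tok, n) == 0) return 1;
        s = e;
    }
    return 0;
}

/* Returns a bitmask of findings for one configuration text. */
int audit_sae_config(const char *conf) {
    static const char *weak[] = {"22", "23", "24"};   /* should be disabled */
    static const char *disc[] = {"1", "2", "5"};      /* recommended to disable */
    int flags = 0;
    for (const char *line = conf; *line; ) {
        const char *end = strchr(line, '\n');
        if (!end) end = line + strlen(line);
        if (strncmp(line, "sae_groups=", 11) == 0) {
            for (int i = 0; i < 3; i++) {
                if (has_token(line + 11, end, weak[i])) flags |= WEAK_MODP;
                if (has_token(line + 11, end, disc[i])) flags |= DISCOURAGED_MODP;
            }
        } else if (strncmp(line, "wpa_key_mgmt=", 13) == 0) {
            /* SAE offered next to WPA2-PSK means the network runs in transition mode. */
            if (has_token(line + 13, end, "SAE") && has_token(line + 13, end, "WPA-PSK"))
                flags |= TRANSITION_MODE;
        }
        line = *end ? end + 1 : end;
    }
    return flags;
}
```

Group numbers are matched as whole tokens, so group 21 is not mistaken for group 2 or group 1.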

The researchers reported their findings to the Wi-Fi Alliance, a non-profit organization that certifies Wi-Fi standards and Wi-Fi products for compliance, which has acknowledged the issues and is working with vendors to patch existing WPA3-certified devices.

PoC (at the time of publication - 404)

As a proof of concept, the researchers will soon release the following four separate tools (in the GitHub repositories hyperlinked below) that can be used to check for vulnerabilities.

Dragondrain - a tool that can check to what extent an access point is vulnerable to DoS attacks on the WPA3 Dragonfly handshake.
Dragontime - an experimental tool for performing timing attacks against the Dragonfly handshake.
Dragonforce - an experimental tool that takes the information recovered from timing attacks and performs a password attack.
Dragonslayer - a tool that attacks EAP-pwd.

Dragonblood: A Security Analysis of WPA3's SAE Handshake
Project website - wpa3.mathyvanhoef.com

Source: habr.com
