New research reveals vulnerabilities in “a limited number of early implementations of WPA3™-Personal, where those devices allow collection of side channel information on a device running an attacker’s software, do not properly implement certain cryptographic operations, or use unsuitable cryptographic elements”.
The disclosure of these vulnerabilities comes one year after the launch of the WPA3 standard, which was introduced to address the shortcomings of the WPA2 protocol. In August 2018, a new technique was discovered that allowed attackers to crack WPA PSK (Pre-Shared Key) passwords and enabled outsiders to capture access credentials easily.
The technique worked against 802.11i/p/q/r networks with roaming functions enabled, which put almost any modern router at risk. The Wi-Fi Alliance, however, had started developing WPA3 after the discovery of the KRACK vulnerability in the WPA2 protocol, uncovered in 2017. That flaw allowed attackers to gain access to Wi-Fi transmissions guarded by the WPA2 standard.
As for the vulnerabilities discovered in WPA3, they could enable attackers to recover the password of a targeted Wi-Fi network.
WPA3 Dragonblood Vulnerabilities: Some Details
In a research paper, dubbed Dragonblood, two types of design flaws in WPA3 are presented. The first group of flaws is associated with downgrade attacks, and the second one with side-channel leaks. The good news is that the vulnerabilities can all be mitigated through software updates without any impact on the devices’ ability to work well together, the researchers said. Furthermore, there is no evidence that these vulnerabilities have been exploited.
It should be noted that one of the main advantages of WPA3 is that, thanks to its underlying Dragonfly handshake, it is nearly impossible to crack the password of a network. Unfortunately, the researchers discovered that even with WPA3, threat actors located in the vicinity of the victim can still recover the password of the Wi-Fi network.
More specifically, attackers will be able to read information that WPA3 was assumed to safely encrypt. This loophole can be exploited to steal sensitive information such as credit card numbers, passwords, chat messages and emails, among others, especially when no extra protection such as HTTPS is utilized.
The Dragonfly handshake, which forms the core of WPA3, is also used on certain Wi-Fi networks that require a username and password for access control. That is, Dragonfly is also used in the EAP-pwd protocol. Unfortunately, the researchers’ attacks against WPA3 also work against EAP-pwd, meaning an adversary can even recover a user’s password when EAP-pwd is used.
In a nutshell, the downgrade attack enables attackers to force a client to partly execute WPA2’s 4-way handshake, which can subsequently be used to perform a traditional brute-force attack against the partial WPA2 handshake. In addition, the researchers also discovered downgrade attacks against the Dragonfly handshake itself, which can be abused to force a victim into using a weaker elliptic curve than it would normally use.
As for the side-channel attack, it specifically targets Dragonfly’s password encoding method. The cache-based attack exploits Dragonfly’s hash-to-curve algorithm, and the researchers’ timing-based attack exploits the hash-to-group algorithm.
The information that is exposed in these attacks can be utilized in a password partitioning attack, which is similar to a dictionary attack. These attacks are efficient and easy to carry out. According to the researchers, brute-forcing all 8-character lowercase passwords requires fewer than 40 handshakes and $125 worth of Amazon EC2 instances.
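As an added illustration (not code from the Dragonblood paper or from any WPA3 implementation), the toy below mimics the structure of Dragonfly’s password-to-curve loop on a tiny constructed curve: the early-exit version stops at the first valid point, so the amount of work it does depends on the password, which is the kind of leak the side-channel attacks observe, while the fixed-round version always performs the same number of derivations, the kind of change a software update applies. The curve parameters, label and passwords are constructed for the demo.

```python
import hashlib
import hmac

# Constructed toy curve y^2 = x^3 + A*x + B over GF(P); illustration only, not a real SAE group
P, A, B = 97, 2, 3
LABEL = b"constructed-dragonfly-demo"  # stands in for the address-derived seed a real handshake mixes in

def is_square(v):
    """Euler's criterion: v is a quadratic residue mod P (0 counts, since y = 0 is a valid point)."""
    v %= P
    return v == 0 or pow(v, (P - 1) // 2, P) == 1

def candidate_x(password, counter):
    """Derive one candidate x-coordinate from the password and the loop counter."""
    seed = hmac.new(LABEL, password + counter.to_bytes(2, "big"), hashlib.sha256).digest()
    return int.from_bytes(seed, "big") % P

def on_curve(x):
    return is_square(x ** 3 + A * x + B)

def hash_to_curve_leaky(password):
    """Early-exit variant: returns (x, iterations). The iteration count is a function of
    the secret password; a timing or cache observer learns it without knowing the password."""
    counter = 1
    x = candidate_x(password, counter)
    while not on_curve(x):
        counter += 1
        x = candidate_x(password, counter)
    return x, counter

def hash_to_curve_fixed(password, rounds=40):
    """Fixed-work variant: always derives and tests `rounds` candidates, then selects the
    first hit afterwards, so the work performed no longer depends on the password.
    Returns (x, counter_of_first_hit, derivations_performed)."""
    candidates = [(counter, candidate_x(password, counter)) for counter in range(1, rounds + 1)]
    hits = [(counter, x) for counter, x in candidates if on_curve(x)]
    if not hits:  # probability about 2^-rounds; a real implementation must still handle it
        raise ValueError("no point found within the fixed round budget")
    first_counter, x = hits[0]
    return x, first_counter, len(candidates)

def iteration_counts(passwords):
    """Per-password iteration counts of the leaky variant: the value an observer can recover."""
    return {pw: hash_to_curve_leaky(pw)[1] for pw in passwords}
```

Both variants produce the same point for the same password; only the fixed-round variant hides how many candidates were rejected before it was found.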
The researchers also discovered serious bugs in most products that implement EAP-pwd. These bugs enable threat actors to impersonate any user, and thereby access the Wi-Fi network, without knowing the user’s password. Although EAP-pwd is not as popular, this still poses serious risks for many users, and illustrates the risks of incorrectly implementing Dragonfly.
Here are some relevant identifiers of the discovered issues:
CERT case ID: VU#871675
CVE-2019-9494
CVE-2019-9495
CVE-2019-9496
CVE-2019-9497
CVE-2019-9498
CVE-2019-9499