Dragonblood vulnerabilities discovered in Wi-Fi WPA3 protocol
Last year, the Wi-Fi Alliance released the next-generation WPA3 (Wi-Fi Protected Access 3), with several security improvements over WPA2, after the KRACK (Key Reinstallation Attack) exploit that affected almost every Wi-Fi-enabled device. WPA3 was introduced to protect Wi-Fi devices against brute-force dictionary attacks and to provide authentication and encryption for Wi-Fi networks.
Although WPA3 uses the ‘Dragonfly’ handshake, which makes it nearly impossible for attackers to crack a network's password, two security researchers, Mathy Vanhoef (NYUAD) and Eyal Ronen (Tel Aviv University & KU Leuven), have discovered new vulnerabilities in the WPA3-Personal protocol that allow an attacker within range of a victim to gain access to the encrypted network traffic and recover Wi-Fi passwords.
“Concretely, attackers can then read information that WPA3 was assumed to safely encrypt. This can be abused to steal sensitive transmitted information such as credit card numbers, passwords, chat messages, emails, and so on,” the researchers explained in their paper titled Dragonblood: A Security Analysis of WPA3’s SAE Handshake.
The researchers discovered two different types of design flaw in WPA3, both of which can be exploited to recover the password used by the Wi-Fi network. The first type is downgrade attacks, and the second type is side-channel leaks that reveal information about the password being used.
The first flaw, the downgrade attack on WPA3, is due to a transition mode that allows a network to simultaneously support both WPA2 and WPA3.
“Our downgrade attack enables an adversary to force a client to partly execute WPA2’s 4-way handshake, which can subsequently be used to perform a traditional brute-force attack against the partial WPA2 handshake. Additionally, we also discovered downgrade attacks against the Dragonfly handshake itself, which can be abused to force a victim into using a weaker elliptic curve than it would normally use,” the researchers added.
The second flaw, side-channel leaks, allows attackers to launch cache-based and timing-based side-channel attacks due to vulnerabilities in the Dragonfly handshake.
“Our side-channel attacks target Dragonfly’s password encoding method. The cache-based attack exploits Dragonfly’s hash-to-curve algorithm, and our timing-based attack exploits the hash-to-group algorithm. The information that is leaked in these attacks can be used to perform a password partitioning attack, which is similar to a dictionary attack.”
The side-channel attacks are as efficient and low-cost as dictionary attacks, the researchers said: brute-forcing all 8-character lowercase passwords required fewer than 40 handshakes and US$125 worth of Amazon EC2 instances.
Further, the cache-based side-channel attack (CVE-2019-9494) allows attackers to run unprivileged code on the victim machine. It allows the attackers to determine which branch was taken in the first iteration of the password generation algorithm. This information can then be exploited to carry out a password partitioning attack, which is similar to an offline dictionary attack.
In the same way, the timing-based side-channel attack (CVE-2019-9494) allows an attacker to perform a remote timing attack against the password encoding algorithm, which reveals how many iterations were needed to encode the password. The recovered information can then be abused to perform a password partitioning attack, which is similar to an offline dictionary attack.
The two researchers have made the following four separate tools to test for certain Dragonblood vulnerabilities discovered in the WPA3 protocol:
- Dragonslayer: implements attacks against EAP-pwd (to be released shortly).
- Dragondrain: this tool can be used to test to which extent an Access Point is vulnerable to denial-of-service attacks against WPA3’s SAE handshake.
- Dragontime: this is an experimental tool to perform timing attacks against the SAE handshake if MODP group 22, 23, or 24 is used. Note that most WPA3 implementations by default do not enable these groups.
- Dragonforce: this is an experimental tool which takes the information recovered from our timing or cache-based attacks and performs a password partitioning attack. This is similar to a dictionary attack.
“Nearly all of our attacks are against SAE’s password encoding method, i.e., against its hash-to-group and hash-to-curve algorithm. Interestingly, a simple change to this algorithm would have prevented most of our attacks,” the researchers say.
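The side-channel findings above and the researchers' remark that a small change to the password encoding would have prevented most of them both come down to the shape of Dragonfly's "hunting and pecking" loop. The following added example (written for this page; it is not the researchers' code and not a real SAE implementation) models that loop over a toy prime field: the early-exit encoder stops at the first usable candidate, so its round count, and therefore its run time and the branches it takes, depend on the password; the hardened encoder always runs at least K rounds (the minimum RFC 7664 recommends) and returns the same element without revealing in which round it was found. The modulus, the HMAC label and the sample passwords are constructed for the illustration, and the quadratic-residue check stands in for the real "is this a point on the curve" test.

```python
"""Toy model of Dragonfly's "hunting and pecking" password encoding.

Added illustration only: the group is a tiny prime field and the "usable
candidate" test is Euler's criterion, so the loop structure is the only part
that mirrors the real SAE hash-to-group/hash-to-curve algorithms.
"""
import hashlib
import hmac
from typing import List, Tuple

P = 1019                              # constructed toy prime modulus, NOT a real SAE group
K = 40                                # minimum round count RFC 7664 recommends to blind timing
LABEL = b"toy-hunting-and-pecking"    # constructed label standing in for the real KDF label


def _candidate(password: bytes, counter: int) -> int:
    """Derive a candidate field element from the password and the loop counter."""
    seed = hmac.new(LABEL, password + counter.to_bytes(2, "big"), hashlib.sha256).digest()
    return int.from_bytes(seed, "big") % P


def _is_valid(x: int) -> bool:
    """Toy stand-in for 'x is the x-coordinate of a curve point': is x a quadratic residue?"""
    return x != 0 and pow(x, (P - 1) // 2, P) == 1


def encode_early_exit(password: bytes) -> Tuple[int, int]:
    """Variable-time encoder: returns (element, rounds).

    Stops at the first usable candidate, so the number of rounds (and with it
    the run time and the branch taken in each round) depends on the password.
    This is the behaviour the timing- and cache-based attacks observe.
    """
    counter = 1
    while True:
        x = _candidate(password, counter)
        if _is_valid(x):
            return x, counter
        counter += 1


def encode_fixed_rounds(password: bytes, k: int = K) -> Tuple[int, int]:
    """Hardened encoder: always runs at least k rounds and returns (element, rounds).

    The first usable candidate is remembered but the loop keeps going, so a hit
    in round 1 and a hit in round 39 cost the same. Real implementations also
    make the selection branch-free; this toy keeps the `found is None` test
    for readability.
    """
    found = None
    counter = 1
    while counter <= k or found is None:
        x = _candidate(password, counter)
        if found is None and _is_valid(x):
            found = x
        counter += 1
    return found, counter - 1


def compare(passwords: List[bytes]) -> List[Tuple[bytes, int, int]]:
    """Rounds consumed by both encoders per password: (password, early_exit, fixed)."""
    return [(pw, encode_early_exit(pw)[1], encode_fixed_rounds(pw)[1]) for pw in passwords]


if __name__ == "__main__":
    # Constructed sample passwords, not taken from any real network.
    for pw, early, fixed in compare([b"hunter2", b"correcthorse", b"password1"]):
        print(f"{pw!r:16} early-exit rounds={early:3d}   fixed rounds={fixed:3d}")
```

Running the script shows the early-exit column varying from password to password while the fixed column reads 40 for each, which is exactly the difference between an observable iteration count and a blinded one. Both encoders return the same group element, so the change costs nothing in interoperability, which is why it could be shipped as a software update.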
The duo reported their findings to the Wi-Fi Alliance, the non-profit organization that decides Wi-Fi standards, which acknowledged the flaws and said that all of them can be addressed with software updates. The Alliance is working with vendors to patch existing WPA3-certified devices.
“The software updates do not require any changes that affect interoperability between Wi-Fi devices. Users can refer to their device vendors’ websites for more information,” the Wi-Fi Alliance says in its press release.