It has been close to just one year since the launch of next-generation Wi-Fi security standard WPA3 and researchers have unveiled several serious vulnerabilities in the wireless security protocol that could allow attackers to recover the password of the Wi-Fi network.
WPA, or Wi-Fi Protected Access, is a standard designed to authenticate wireless devices using the Advanced Encryption Standard (AES) protocol and is intended to prevent hackers from eavesdropping on your wireless data.
The Wi-Fi Protected Access III (WPA3) protocol was launched in an attempt to address technical shortcomings of the WPA2 protocol from the ground, which has long been considered to be insecure and found vulnerable to KRACK (Key Reinstallation Attack).
Though WPA3 relies on a more secure handshake, known as Dragonfly, that aims to protect Wi-Fi networks against offline dictionary attacks, security researchers Mathy Vanhoef and Eyal Ronen found weaknesses in the early implementation of WPA3-Personal, allowing an attacker to recover WiFi passwords by abusing timing or cache-based side-channel leaks.
“Concretely, attackers can then read information that WPA3 was assumed to safely encrypt. This can be abused to steal sensitive transmitted information such as credit card numbers, passwords, chat messages, emails, and so on,” the researchers say.
Vulnerabilities in WPA3 — Cracking WiFi Password
In a research paper, dubbed DragonBlood, published today, researchers detailed two types of design flaws in WPA3—first leads to downgrade attacks and second to side-channel leaks.
Since the 15-year-old WPA2 protocol has been widely used by billions of devices and considering that widespread adoption of WPA3 won’t happen overnight, WPA3 Certified devices offer a “transitional mode of operation” to maintain interoperability with WPA2.
Researchers find that the transitional mode is vulnerable to downgrade attacks, which attackers can abuse to set up a rogue AP that only supports WPA2, forcing WPA3-supported devices to connect using insecure WPA2’s 4-way handshake.
“We also discovered a downgrade attack against SAE [Simultaneous Authentication of Equals handshake, commonly known as Dragonfly] itself, where we can force a device into using a weaker elliptic curve than it normally would use,” the researchers say.
Researchers also detail two side-channel attacks—Cache-based (CVE-2019-9494) and Timing-based (CVE-2019-9494) attacks—against Dragonfly’s password encoding method that could allow attackers to perform a password partitioning attack, similar to an offline dictionary attack, to obtain Wi-Fi password.
Besides these, the duo also documented a Denial of Service attack that can be launched by overloading an “AP by initiating a large amount of handshakes with a WPA3-enabled Access Point.”
Some of these vulnerabilities also affect devices using the EAP-pwd (Extensible Authentication Protocol-Password) protocol, which is also based on the Dragonfly password-authenticated key exchange method.
As a proof-of-concept, researchers have also released four separate scripts that can be used to test the above-mentioned vulnerabilities.
“Nearly all of our attacks are against SAE’s password encoding method, i.e., against its hash-to-group and hash-to-curve algorithm. Interestingly, a simple change to this algorithm would have prevented most of our attacks,” the researchers say.
The duo reported their findings to the WiFi Alliance, the non-profit organization that certifies WiFi standards and Wi-Fi products for conformity, who acknowledged the issues and are working with vendors to patch existing WPA3-certified devices.
“The software updates do not require any changes that affect interoperability between Wi-Fi devices. Users can refer to their device vendors’ websites for more information,” the WiFi Alliance says in its press release.
“The software updates do not require any changes that affect interoperability between Wi-Fi devices. Users can expect all their Wi-Fi devices, whether patched or unpatched, to continue working well together.”
You can read more information about these vulnerabilities on the DragonBlood dedicated website, and the research paper [PDF], which also explains how minor changes to the protocol could prevent most of the attacks detailed by the researchers.