The same team of cybersecurity researchers who discovered several severe vulnerabilities, collectively dubbed as Dragonblood, in the newly launched WPA3 WiFi security standard few months ago has now uncovered two more flaws that could allow attackers to hack WiFi passwords.
WPA, or WiFi Protected Access, is a WiFi security standard that has been designed to authenticate wireless devices using the Advanced Encryption Standard (AES) protocol and intended to prevent hackers from eavesdropping on your wireless data.
The WiFi Protected Access III (WPA3) protocol was launched a year ago in an attempt to address technical shortcomings of the WPA2 protocol from the ground, which has long been considered to be insecure and found vulnerable to more severe KRACK attacks.
WPA3 relies on a more secure handshake, called SAE (Simultaneous Authentication of Equals), which is also known as Dragonfly, that aims to protect WiFi networks against offline dictionary attacks.
However, in less than a year, security researchers Mathy Vanhoef and Eyal Ronen found several weaknesses (Dragonblood) in the early implementation of WPA3, allowing an attacker to recover WiFi passwords by abusing timing or cache-based side-channel leaks.
Shortly after that disclosure, the WiFi Alliance, the non-profit organization which oversees the adoption of the WiFi standard, released patches to address the issues and created security recommendations to mitigate the initial Dragonblood attacks.
But it turns out that those security recommendations, which were created privately without collaborating with the researchers, are not enough to protect users against the Dragonblood attacks. Instead, it opens up two new side-channel attacks, which once again allows attackers to steal your WiFi password even if you are using the latest version of WiFi protocol.
New Side-Channel Attack Against WPA3 When Using Brainpool Curves
The first vulnerability, identified as CVE-2019-13377, is a timing-based side-channel attack against WPA3’s Dragonfly handshake when using Brainpool curves, which the WiFi Alliance recommended vendors to use as the security recommendations instead of relying on the elliptic curves which could be downgraded.
“However, we found that using Brainpool curves introduces the second class of side-channel leaks in the Dragonfly handshake of WPA3,” the duo says in an updated advisory. “In other words, even if the advice of the WiFi Alliance is followed, implementations remain at risk of attacks.”
“The new side-channel leak is located in the password encoding algorithm of Dragonfly,” the researchers said, “We confirmed the new Brainpool leak in practice against the lastest Hostapd version, and were able to brute-force the password using the leaked information.”
Side-Channel Attack Against FreeRADIUS’ EAP-PWD Implementation
The second vulnerability, identified as CVE-2019-13456, is an information leak bug which resides the implementation of EAP-pwd (Extensible Authentication Protocol-Password) in FreeRADIUS—one of the most widely used open-source RADIUS server that companies utilizes as a central database to authenticate remote users.
Mathy Vanhoef, one of the two researchers who discovered the Dragonblood flaws, told The Hacker News that an attacker could initiate several EAP-pwd handshakes to leak information, which can then be used to recover the user’s WiFi password by performing dictionary and brute-force attacks.
“The EAP-pwd protocol internally uses the Dragonfly handshake, and this protocol is used in some enterprise networks where users authenticate using a username and password,” Vanhoef told The Hacker News.
“More worrisome, we found that the WiFi firmware of Cypress chips only executes 8 iterations at minimum to prevent side-channel leaks. Although this makes attacks harder, it does not prevent them.” the duo said.
According to researchers, implementing Dragonfly algorithm and WPA3 without side-channel leaks is surprisingly hard, and the backward-compatible countermeasures against these attacks are too costly for lightweight devices.
The researchers shared their new findings with the WiFi Alliance and tweeted that “WiFi standard is now being updated with proper defenses, which might lead to WPA 3.1,” but unfortunately, the new defenses wouldn’t be compatible with the initial version of WPA3.
Mathy Vanhoef also told The Hacker News that it’s unfortunate that WiFi Alliance created their security guidelines in private. “If they would have done this publicly, these new issues could have been avoided. Even the original WPA3 certification was partly made in private, which also wasn’t ideal.”