
Hacking WPA3: DragonBlood



Although the new WPA3 standard has barely been put into operation yet, security flaws in the protocol allow attackers to crack the Wi-Fi password.

The Wi-Fi Protected Access III (WPA3) protocol was launched in an attempt to eliminate the technical flaws of the WPA2 protocol, which for a long time was considered unsafe and vulnerable to the KRACK attack (Key Reinstallation Attack). WPA3 relies on a more secure handshake, known as Dragonfly, which aims to protect Wi-Fi networks from offline dictionary attacks (offline brute force). Even so, security researchers Mathy Vanhoef and Eyal Ronen found weaknesses in early implementations of WPA3-Personal that can allow an attacker to recover Wi-Fi passwords by abusing timing or cache-based side-channel leaks.
“Attackers can read information that WPA3 was supposed to securely encrypt. This can be used to steal sensitive information such as credit card numbers, passwords, chat messages, emails, etc.”
In a research paper published today called DragonBlood, the researchers examined two types of design flaws in WPA3 in detail: the first leads to downgrade attacks, and the second leads to side-channel leaks.

Cache-based side channel attack


The password encoding algorithm in Dragonfly, also known as the “hunting and pecking” algorithm, contains conditional branches. If an attacker can determine which branch of an if-then-else was taken, he can find out whether the password element was found in a specific iteration of this algorithm. In practice, it was discovered that if an attacker can run unprivileged code on the victim's computer, cache-based attacks can reveal which branch was taken in the first iteration of the password generation algorithm. This information can be used to perform a password partitioning attack (this is similar to an offline dictionary attack).

This vulnerability is tracked as CVE-2019-9494.

The defense is to replace conditional branches that depend on secret values with constant-time selection utilities. Implementations should also compute the Legendre symbol in constant time.
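The following C sketch is an added example, not code from the researchers or from any WPA3 implementation. It contrasts a loop that branches on the secret result and stops early with one that does the same work in every iteration and keeps the first valid candidate through a masked, constant-time select. The hash, the validity test, the element size and the fixed count of 40 iterations are constructed stand-ins.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define ELEM_LEN   4   /* toy size; real elements are field-sized */
#define ITERATIONS 40  /* assumed fixed loop count, independent of the password */

/* Constructed stand-in for hashing password + counter into a candidate. */
static void toy_candidate(const uint8_t *pw, size_t n, uint8_t ctr, uint8_t out[ELEM_LEN]) {
    uint32_t h = 2166136261u ^ ctr;
    for (size_t i = 0; i < n; i++) h = (h ^ pw[i]) * 16777619u;
    for (int i = 0; i < ELEM_LEN; i++) out[i] = (uint8_t)(h >> (8 * i));
}

/* Constructed stand-in for the validity test (returns 0 or 1, no branch).
 * A real implementation needs a constant-time Legendre symbol here. */
static unsigned toy_is_valid(const uint8_t c[ELEM_LEN]) { return (c[3] >> 2) & 1u; }

/* dst = mask ? a : b for mask 0xFF or 0x00, without a secret-dependent branch. */
static void ct_select(uint8_t mask, const uint8_t *a, const uint8_t *b, uint8_t *dst, size_t n) {
    for (size_t i = 0; i < n; i++) dst[i] = (uint8_t)((mask & a[i]) | (~mask & b[i]));
}

/* Leaky shape: branches on the secret result and stops early. */
unsigned derive_leaky(const uint8_t *pw, size_t n, uint8_t out[ELEM_LEN], unsigned *iters) {
    uint8_t cand[ELEM_LEN];
    for (*iters = 1; *iters <= ITERATIONS; (*iters)++) {
        toy_candidate(pw, n, (uint8_t)*iters, cand);
        if (toy_is_valid(cand)) { memcpy(out, cand, ELEM_LEN); return 1; }
    }
    *iters = ITERATIONS;
    return 0;
}

/* Hardened shape: same work in every iteration, first valid candidate kept by mask. */
unsigned derive_ct(const uint8_t *pw, size_t n, uint8_t out[ELEM_LEN], unsigned *iters) {
    uint8_t cand[ELEM_LEN];
    unsigned found = 0;
    memset(out, 0, ELEM_LEN);
    for (*iters = 0; *iters < ITERATIONS; (*iters)++) {
        toy_candidate(pw, n, (uint8_t)(*iters + 1), cand);
        unsigned valid = toy_is_valid(cand);
        uint8_t mask = (uint8_t)(0u - (valid & (found ^ 1u)));
        ct_select(mask, cand, out, out, ELEM_LEN);
        found |= valid;
    }
    return found;
}
```

Both functions return the same element; only the second has an iteration count and memory access pattern that do not depend on the password. Inspect the compiled output as well, since an optimizer may turn masked selection back into a branch.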

Timing-based side channel attack


When the Dragonfly handshake uses certain multiplicative groups, the password encoding algorithm uses a variable number of iterations to encode the password. The exact number of iterations depends on the password used and the MAC addresses of the access point and the client. An attacker could perform a remote timing attack on the password encoding algorithm to determine how many iterations were required to encode the password. The recovered information can be used to perform a password attack, which is similar to an offline dictionary attack.

To prevent a timing-based attack, implementations should disable vulnerable multiplicative groups. From a technical point of view, MODP groups 22, 23 and 24 should be disabled. It is also recommended to disable the MODP groups 1, 2 and 5.

This vulnerability is also tracked as CVE-2019-9494 due to the similarity of the attack implementation.

WPA3 downgrade


Since the 15-year-old WPA2 protocol is used by billions of devices, widespread adoption of WPA3 will not happen overnight. To support older devices, WPA3-certified devices offer a “transition mode” that can be configured to accept connections using both WPA3-SAE and WPA2.

The researchers believe that transition mode is vulnerable to downgrade attacks: an attacker can set up a fraudulent access point that only supports WPA2, which causes devices that support WPA3 to connect using the insecure WPA2 four-way handshake.
“We also found a downgrade attack against the SAE handshake itself (“Simultaneous Peer Authentication”, commonly known as Dragonfly), where we can force the device to use a weaker elliptic curve than usual,” the researchers say.
Moreover, a “man in the middle” position is not needed for the downgrade attack. Instead, attackers only need to know the SSID of the WPA3-SAE network.
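As an added example (not part of the original article or the researchers' tooling), the C function below audits access point configuration text for the two conditions described above: an SAE group list that includes MODP groups 1, 2, 5, 22, 23 or 24, and transition mode, where SAE and WPA2-PSK are accepted together. It assumes hostapd.conf-style `key=value` lines with hostapd's `sae_groups` and `wpa_key_mgmt` options; the sample configuration is constructed.

```c
#include <stdlib.h>
#include <string.h>

#define WEAK_SAE_GROUP  1u  /* a MODP group the article says to disable */
#define TRANSITION_MODE 2u  /* SAE and WPA2-PSK accepted on the same network */

/* Constructed sample input, not taken from a real device. */
static const char SAMPLE_CONF[] =
    "ssid=constructed-net\nwpa=2\nwpa_key_mgmt=SAE WPA-PSK\nsae_groups=19 22\n";

static int is_weak_group(long g) {
    return g == 1 || g == 2 || g == 5 || g == 22 || g == 23 || g == 24;
}

/* Whole-word match, so "FT-SAE" does not count as "SAE". */
static int has_token(const char *s, const char *tok) {
    size_t n = strlen(tok);
    while (*s) {
        s += strspn(s, " \t\r");
        size_t w = strcspn(s, " \t\r");
        if (w == n && strncmp(s, tok, n) == 0) return 1;
        s += w;
    }
    return 0;
}

/* Scan hostapd.conf-style "key=value" text and return the finding flags. */
unsigned audit_conf(const char *conf) {
    unsigned flags = 0;
    char buf[256];
    while (*conf) {
        size_t len = strcspn(conf, "\n");
        size_t n = len < sizeof buf - 1 ? len : sizeof buf - 1;
        memcpy(buf, conf, n);
        buf[n] = '\0';
        conf += len + (conf[len] == '\n');
        char *line = buf + strspn(buf, " \t");  /* '#' comment lines match no key */
        if (strncmp(line, "sae_groups=", 11) == 0) {
            char *p = line + 11, *end;
            for (long g = strtol(p, &end, 10); end != p; p = end, g = strtol(p, &end, 10))
                if (is_weak_group(g)) flags |= WEAK_SAE_GROUP;
        } else if (strncmp(line, "wpa_key_mgmt=", 13) == 0) {
            const char *v = line + 13;
            if (has_token(v, "SAE") && (has_token(v, "WPA-PSK") || has_token(v, "WPA-PSK-SHA256")))
                flags |= TRANSITION_MODE;
        }
    }
    return flags;
}
```

The function only reports groups that are listed explicitly; what an implementation enables when `sae_groups` is absent depends on its version and has to be checked separately.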

The researchers reported their results to the Wi-Fi Alliance, a non-profit organization that certifies Wi-Fi standards and Wi-Fi products for compliance, which has acknowledged the problems and is working with vendors to fix existing WPA3-certified devices.

PoC


As a proof of concept, the researchers will soon release the following four separate tools (in the GitHub repositories with a hyperlink below) that can be used to test for vulnerabilities.

Dragondrain is a tool that can test the extent to which an access point is vulnerable to DoS attacks against the WPA3 Dragonfly handshake.
Dragontime is an experimental tool for conducting timing attacks against the Dragonfly handshake.
Dragonforce is an experimental tool that takes the information recovered from timing attacks and performs a password attack.
Dragonslayer is a tool that attacks EAP-pwd.


Dragonblood: A Security Analysis of WPA3's SAE Handshake
Project site - wpa3.mathyvanhoef.com

Source: https://habr.com/ru/post/447628/

