Dragonblood: Data-leaking flaw in WPA3 Wi-Fi authentication

Researchers have discovered several holes in a new security protocol for wireless networks. It warrants patching because although no one has exploited the bugs in the wild yet, they’re severe enough to let people steal your Wi-Fi passwords.

Researchers Mathy Vanhoef of New York University Abu Dhabi and Eyal Ronen of Tel Aviv University & KU Leuven discovered the flaws in the WPA3 Wi-Fi authentication protocol. They published the results of their research in a technical paper, which you can get from Vanheof’s dedicated microsite. Vanhoef also discovered the KRACK vulnerability that affected WPA2 in 2017.

The Wi-Fi Alliance launched WPA3 in June 2018 to improve security over the previous Wi-Fi standard, WPA2. It came in two flavours: WPA3-Personal, and WPA3-Enterprise.

WPA3-Personal is the problematic one. It uses an authentication protocol called Simultaneous Authentication of Equals (SAE), also known as Dragonfly. A WPA3-Personal device uses it as a handshake mechanism to connect with other Wi-Fi-enabled devices.

In a paper on the topic, the pair explained:

Even with WPA3, an attacker within range of a victim can still recover the password of the network. This allows the adversary to steal sensitive information such as credit cards, password, emails, and so on, when the victim uses no extra layer of protection such as HTTPS.

The researchers discovered several attacks against the protocol that fall into three categories. One category forces a device to downgrade the security that it’s using. The other gives hackers enough information to deduce a password using side channel information, which is data leaked incidentally as part of another process. Finally, there’s a denial of service attack.

One of the downgrade bugs relies on WPA3’s backward compatibility with WPA2, which the Alliance included to make the transition to new devices smoother.

WPA3 devices interacting with WPA2 kit use a mode called WPA3-Transition. An attacker can force WPA3 devices using this mode to connect using WPA2 and capture part of the WPA2 handshake, which they can then use to recover the Wi-Fi password.

There are two side-channel attacks. The first targets WPA3 access points using a particular security group, which is a class of security used to exchange secrets.

Access points using the multiplicative security groups modulo a prime have a response time that varies according to the password being used. An attacker can work out how long it would take for the access point to process each password in their dictionary. They can then use the observed time to narrow down the list of possible passwords.

Attackers with access to the client device connecting to a network can also look at its memory access patterns when it’s in the middle of a Dragonfly handshake because they reveal information about the password being used. They could do this using something as simple as browser-based JavaScript code, the researchers say. Then, it’s off to the races with another dictionary attack.

This dictionary attack wouldn’t take long, they add:

The side-channel vulnerabilities can, for instance, be abused to brute-force all 8-character lowercase passwords with as little as $125 worth of Amazon EC2 instances.

Finally, an attacker can also flood an access point by bypassing the technique that WPA3 uses to stop people using fake MAC addresses. It can bring a network to its knees with as few as 16 forged connection attempts per second, they said.

As part of their research, the attackers also discovered serious flaws in EAP-PWD. This is a protocol that authenticates using a password. It is used in Android 4.0, and remote access servers using the RADIUS protocol. It is also used infrequently by some Wi-Fi networks. These bugs could allow an attacker to impersonate a user and access a Wi-Fi network without knowing the user’s password, they said.

At the time of writing, the researchers had not released the EAP-PWD details, because the bugs were so severe.

Luckily, these researchers followed responsible disclosure. They informed the Wi-Fi Alliance before releasing their findings, and it issued a press release. It said:

WPA3-Personal is in the early stages of deployment, and the small number of device manufacturers that are affected have already started deploying patches to resolve the issues.

What to do

If you have a WPA3 wireless access point at home, check with your vendor to see if there is a patch. And as always, be extra careful when connecting to public access points over which you have no control. Client-side virtual private networks (VPNs) to encrypt your data are always a good idea.