‘Dragonblood’ Flaws in WPA3 Allow Recovery of Wi-Fi Passwords

A series of vulnerabilities discovered by researchers in the WPA3 protocol can allow an attacker to obtain the password of a Wi-Fi network.

Officially launched in June 2018, the latest version of the Wi-Fi Protected Access (WPA) protocol is designed to provide better protection against offline dictionary attacks and password guessing attempts, improved security even when a less complex password is used, and forward secrecy to protect communications even if the password has been compromised.

WPA3, for which Personal and Enterprise variants are available, will gradually replace WPA2, but it will likely take several years until it’s widely adopted. In the meantime, WPA2 will continue to be maintained and improved.

Mathy Vanhoef of New York University Abu Dhabi and Eyal Ronen of Tel Aviv University and KU Leuven have analyzed WPA3, specifically its Simultaneous Authentication of Equals (SAE) handshake, which is commonly known as Dragonfly. It’s worth noting that Vanhoef was one of the researchers who discovered the WPA2 vulnerabilities known as KRACK (Key Reinstallation Attack).

Vanhoef and Ronen’s analysis of WPA3 led to the discovery of two types of vulnerabilities, dubbed Dragonblood, that can be exploited to recover a Wi-Fi network’s password: ones that allow downgrade attacks and ones that can result in side-channel leaks. They have also uncovered a flaw that can be exploited to cause a denial-of-service (DoS) condition on an access point (AP) after bypassing the DoS protection mechanisms in WPA3.

“Our downgrade attack enables an adversary to force a client to partly execute WPA2’s 4-way handshake, which can subsequently be used to perform a traditional brute-force attack against the partial WPA2 handshake. Additionally, we also discovered downgrade attacks against the Dragonfly handshake itself, which can be abused to force a victim into using a weaker elliptic curve than it would normally use,” the researchers said.

“Our side-channel attacks target Dragonfly’s password encoding method. The cache-based attack exploits Dragonfly’s hash-to-curve algorithm, and our timing-based attack exploits the hash-to-group algorithm. The information that is leaked in these attacks can be used to perform a password partitioning attack, which is similar to a dictionary attack,” they explained.

According to the experts, these password partitioning attacks can be executed with $125-worth of Amazon EC2 computing power for an 8-character lowercase password. The CVE identifier CVE-2019-9494 has been assigned to the side-channel flaws.
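The side-channel flaws described above belong to a class where the work done while encoding a password depends on the password itself. As an added illustration (not code from the researchers, the article, or any WPA3 implementation), this simplified Python model contrasts a try-and-increment encoder that stops early with one that always runs a fixed number of rounds; the toy 16-bit modulus, the function names, the sample inputs and the round count of 40 are assumptions made for the example.

```python
import hashlib

TOY_P = 40961          # constructed 16-bit prime; real groups use far larger moduli
FIXED_ITERATIONS = 40  # assumed loop count for the hardened variant

def candidate(password: str, macs: bytes, counter: int) -> int:
    """Derive a 16-bit candidate from both MAC addresses, the password and a counter."""
    data = macs + password.encode() + counter.to_bytes(2, "big")
    return int.from_bytes(hashlib.sha256(data).digest()[:2], "big")

def leaky_encode(password: str, macs: bytes) -> tuple[int, int]:
    """Stop at the first usable candidate: the round count depends on the password."""
    counter = 1
    while True:
        value = candidate(password, macs, counter)
        if 1 < value < TOY_P:
            return value, counter
        counter += 1

def fixed_encode(password: str, macs: bytes) -> tuple[int, int]:
    """Always run FIXED_ITERATIONS rounds and keep the first usable candidate."""
    element, found = 0, 0
    for counter in range(1, FIXED_ITERATIONS + 1):
        value = candidate(password, macs, counter)
        usable = int(1 < value < TOY_P)
        take = usable & (1 - found)                     # 1 only for the first usable round
        element = take * value + (1 - take) * element   # branch-free select
        found |= usable
    if not found:
        raise ValueError("no usable candidate within the fixed round budget")
    return element, FIXED_ITERATIONS

def round_counts(encode, passwords, macs: bytes) -> set[int]:
    """Distinct round counts an observer could tell apart across passwords."""
    return {encode(pw, macs)[1] for pw in passwords}

# Constructed sample input: two made-up MAC addresses and placeholder passwords.
SAMPLE_MACS = bytes.fromhex("020000000001") + bytes.fromhex("020000000002")
SAMPLE_PASSWORDS = [f"example-pass-{i}" for i in range(64)]

if __name__ == "__main__":
    print("leaky rounds:", sorted(round_counts(leaky_encode, SAMPLE_PASSWORDS, SAMPLE_MACS)))
    print("fixed rounds:", sorted(round_counts(fixed_encode, SAMPLE_PASSWORDS, SAMPLE_MACS)))
```

Both encoders return the same element for a given password; only the observable amount of work differs. Python arithmetic is not constant-time, so the model shows the password-independent round count only, and a real implementation also needs constant-time field operations and memory access patterns.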

An attacker who is in range of the targeted Wi-Fi network can obtain its password and gain access to sensitive information, such as passwords, emails, payment card numbers, and data sent via instant messaging applications, Vanhoef and Ronen said.

The researchers pointed out that these attacks also work against the Extensible Authentication Protocol (EAP), specifically EAP-PWD.

The experts have published a paper detailing their findings, along with some tools that can be used to launch attacks.

The Wi-Fi Alliance, the non-profit organization whose global network of members maintains Wi-Fi technology, says these vulnerabilities only impact “a limited number of early implementations of WPA3-Personal” and there is no evidence that they have been exploited for malicious purposes.

“WPA3-Personal is in the early stages of deployment, and the small number of device manufacturers that are affected have already started deploying patches to resolve the issues. These issues can all be mitigated through software updates without any impact on devices’ ability to work well together,” the organization said.

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
