
'Dragonblood' Flaws in WPA3 Allow Recovery of Wi-Fi Passwords

A series of vulnerabilities discovered by researchers in the WPA3 protocol can allow an attacker to obtain the password of a Wi-Fi network.

Officially launched in June 2018, the latest version of the Wi-Fi Protected Access (WPA) protocol is designed to provide better protection against offline dictionary attacks and password guessing attempts, improved security even when a less complex password is used, and forward secrecy to protect communications even if the password has been compromised.

WPA3, for which Personal and Enterprise variants are available, will gradually replace WPA2, but it will likely take several years until it’s widely adopted. In the meantime, WPA2 will continue to be maintained and improved.

Mathy Vanhoef of New York University Abu Dhabi and Eyal Ronen of Tel Aviv University and KU Leuven have analyzed WPA3, specifically its Simultaneous Authentication of Equals (SAE) handshake, which is commonly known as Dragonfly. It’s worth noting that Vanhoef was one of the researchers who discovered the WPA2 vulnerabilities known as KRACK (Key Reinstallation Attack).

Vanhoef and Ronen’s analysis of WPA3 led to the discovery of two types of vulnerabilities, dubbed Dragonblood, that can be exploited to recover a Wi-Fi network’s password: ones that allow downgrade attacks and ones that can result in side-channel leaks. They have also uncovered a flaw that can be exploited to cause a denial-of-service (DoS) condition on an access point (AP) after bypassing the DoS protection mechanisms in WPA3.

“Our downgrade attack enables an adversary to force a client to partly execute WPA2's 4-way handshake, which can subsequently be used to perform a traditional brute-force attack against the partial WPA2 handshake. Additionally, we also discovered downgrade attacks against the Dragonfly handshake itself, which can be abused to force a victim into using a weaker elliptic curve than it would normally use,” the researchers said.

“Our side-channel attacks target Dragonfly's password encoding method. The cache-based attack exploits Dragonfly's hash-to-curve algorithm, and our timing-based attack exploits the hash-to-group algorithm. The information that is leaked in these attacks can be used to perform a password partitioning attack, which is similar to a dictionary attack,” they explained.

According to the experts, these password partitioning attacks can be executed with $125-worth of Amazon EC2 computing power for an 8-character lowercase password. The CVE identifier CVE-2019-9494 has been assigned to the side-channel flaws.

An attacker who is in range of the targeted Wi-Fi network can obtain its password and gain access to sensitive information, such as passwords, emails, payment card numbers, and data sent via instant messaging applications, Vanhoef and Ronen said.

The researchers pointed out that these attacks also work against the Extensible Authentication Protocol (EAP), specifically EAP-PWD.

The experts have published a paper detailing their findings, along with some tools that can be used to launch attacks.

The Wi-Fi Alliance, the non-profit organization whose global network of members maintains Wi-Fi technology, says these vulnerabilities only impact “a limited number of early implementations of WPA3-Personal” and there is no evidence that they have been exploited for malicious purposes.

“WPA3-Personal is in the early stages of deployment, and the small number of device manufacturers that are affected have already started deploying patches to resolve the issues. These issues can all be mitigated through software updates without any impact on devices’ ability to work well together,” the organization said.

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.