Pierluigi Paganini April 11, 2019

Security researchers discovered weaknesses in WPA3 that could be exploited to recover WiFi passwords by abusing timing or cache-based side-channel leaks.Security researchers discovered weaknesses in WPA3 that could be exploited to recover WiFi passwords by abusing timing or cache-based side-channel leaks.

One of the main advantages of WPA3 is that it’s near impossible to crack the password of a network because it implements the Dragonfly handshake, Unfortunately, we found that even with WPA3, an attacker within range of a victim can still recover the password of the Wi-Fi network.

Security researchers Mathy Vanhoef and Eyal Ronen discovered weaknesses in the early implementation of WPA3-Personal that could be exploited by an attacker within range of a victim to recover WiFi passwords by abusing timing or cache-based side-channel leaks.

One of the main advantages of WPA3 is that it’s near impossible to crack the password of a network because it implements the Dragonfly handshake, Unfortunately, we found that even with WPA3, an attacker within range of a victim can still recover the password of the Wi-Fi network.

Security researchers Mathy Vanhoef and Eyal Ronen discovered weaknesses in the early implementation of WPA3-Personal that could be exploited by an attacker within range of a victim to recover WiFi passwords by abusing timing or cache-based side-channel leaks.

An attacker can steal sensitive transmitted information, including credit card numbers, passwords, emails, and chat messages.

“Concretely, attackers can then read information that WPA3 was assumed to safely encrypt. This can be abused to steal sensitive transmitted information such as credit card numbers, passwords, chat messages, emails, and so on.” reads a dedicated website published by the experts that describe the DragonBlood research.

The experts provided technical details about two design flaws in
WPA3 that could be exploited to carry out downgrade and side-channel leaks.

Devices that support WPA3 must guarantee backward compatibility with WPA2 and this is done supporting a “transitional mode of operation” that could accept connections using both WPA3-SAE (Simultaneous Authentication of Equals (SAE) handshake aka Dragonfly) and WPA2.

The security duo demonstrated that the transitional mode is vulnerable to downgrade attacks. An attacker could abuse it to set up a rogue AP that only supports WPA2, forcing the WPA3-certified devices to connect using insecure WPA2’s 4-way handshake.

“We present a dictionary attack against WPA3 when it is operating in transition mode. This is accomplished by trying to downgrade clients to WPA2. Although WPA2’s 4-way handshake detects the downgrade and aborts, the frames sent during the partial 4-way handshake provide enough information for a dictionary attack.” reads the DragonBlood research paper. “We also present a downgrade attack against SAE, and discuss implementationspecific downgrade attacks when a client improperly autoconnects to a previously used WPA3-only network.”

The attackers need to know the SSID of the WPA3- SAE network to carry out the attack, experts pointed out that a man-in-the-middle position is not needed. Anyway, the attacker must be close to a client to broadcast a WPA2-only network with the given SSID and force the target to connect to our rogue AP using WPA2.

The experts detailed two side-channel attacks against Dragonfly’s password encoding method (Cache-based (CVE-2019-9494) and Timing-based (CVE-2019-9494) attacks) that could be exploited by attackers to perform a password partitioning attack and obtain Wi-Fi password.

“The cache-based attack exploits Dragonflys’s hash-to-curve algorithm, and our timing-based attack exploits the hash-to-group algorithm. The information that is leaked in these attacks can be used to perform a password partitioning attack, which is similar to a dictionary attack. The resulting attacks are efficient and low cost.” wrote the experts.

“our cache-based attack exploits SAE’s hash-to-curve algorithm. The resulting attacks are efficient and low cost: bruteforcing all 8-character lowercase password requires less than 125$ in Amazon EC2 instances” continues the paper.

To carry out the password partitioning attack, the experts need to record several handshakes with different MAC addresses. It is possible to record them by targeting multiple devicess in the same network (e.g. tricking multiple users to download the same malicious application). If the attackers are only able to hit one client, then it is necessary to set up rogue APs with the same SSID but a spoofed MAC address.

Experts also demonstrated how to abuse side-channel defenses of SAE (against already-known leaks) to introduce overhead and cause a denial-of-service (DoS) condition. They were also able to bypass SAE’s anti-clogging mechanism that is supposed to prevent DoS attack

“An adversary can overload an AP by initiating a large amount of handshakes with a WPA3-enabled Access Point (AP). Although WPA3 contains a defense to prevent such denial-of-service attacks, it can be trivially bypassed.” continues the experts. “By repeatedly initiating handshakes from spoofed MAC addresses, the AP performs many costly password derivation operations (i.e. it performs many executions of the “Hunting and Pecking” algorithm). Depending on the AP under attack, this may consume all resources of the AP.”

The experts plan to release the following four separate proof-of-concept tools to test the vulnerabilities they described.

• Dragondrain—a tool that can test to which extend an Access Point is vulnerable to Dos attacks against WPA3’s Dragonfly handshake.
• Dragontime—an experimental tool to perform timing attacks against the Dragonfly handshake.
• Dragonforce—an experimental tool that takes the information to recover from the timing attacks and performs a password partitioning attack.
• Dragonslayer—a tool that implements attacks against EAP-pwd.

The researchers reported their findings to the WiFi Alliance and are working with vendors to address the flaw in existing WPA3-certified devices.

Below the press release published by the WiFi Alliance:

Pierluigi Paganini

(SecurityAffairs – fingerprints, Genesis Store)

[adrotate banner=”5″]

[adrotate banner=”13″]