Published on May 11th, 2019 📆 | 1720 Views ⚑
0WPA3 flaws may let attackers steal Wi-Fi passwords
The new wireless security protocol contains multiple design flaws that hackers could exploit for attacks on Wi-Fi passwords
WPA3, a new Wi-Fi security protocol launched in June 2018, suffers from vulnerabilities that make it possible for an adversary to recover the password of a wireless network via âefficient and low costâ attacks, according to a new academic paper and a website dedicated to the flaws.
As a reminder, the third iteration of the Wi-Fi Protected Access (WPA) protocol is designed to enhance wireless security, including by making it well-nigh impossible to breach a WiFi network using password-guessing attacks. This safeguard â which is courtesy of WPA3âs âSimultaneous Authentication of Equalsâ (SAE) handshake, popularly known as Dragonfly â could even âsave people from themselvesâ, i.e. in the far-too-common scenario when they choose easy-to-break passwords.
Not so fast, according to Mathy Vanhoef of New York University Abu Dhabi and Eyal Ronen of Tel Aviv University & KU Leuven. Their research found that the passwords may not be beyond reach for hackers after all, as the protocol contains two main types of design flaws that can be exploited for attacks.
âUnfortunately, we found that even with WPA3, an attacker within range of a victim can still recover the password of the Wi-Fi network,â they write, noting that, in the absence of further precautions, this could in some cases pave the way for thefts of sensitive information such as credit card details. The vulnerabilities â which were identified only in WPA3âs Personal, not Enterprise, implementation â are collectively dubbed âDragonbloodâ.
One type of attack, called the âdowngrade attackâ, targets WPA3âs transition mode, where a network can simultaneously support WPA2 and WPA3 for backward compatibility.
â[I]f a client and AP [access point] both support WPA2 and WPA3, an adversary can set up a rogue AP that only supports WPA2. This causes the client (i.e. victim) to connect using WPA2âs 4-way handshake. Although the client detects the downgrade-to-WPA2 during the 4-way handshake, this is too late,â according to the researchers.
This is because the 4-way handshake messages that were exchanged before the downgrade was detected provide enough information to launch an offline dictionary attack against the Wi-Fi password. The attacker âonlyâ needs to know the networkâs name, aka Service Set Identifier (SSID), and be close enough to broadcast the rogue AP.
Meanwhile, the âside-channel attackâ targets Dragonflyâs password-encoding method, called the âhunting and peckingâ algorithm. This attack comes in two flavors: cache- and timing-based.
âThe cache-based attack exploits Dragonflysâs hash-to-curve algorithm, and our timing-based attack exploits the hash-to-group algorithm. The information that is leaked in these attacks can be used to perform a password partitioning attack, which is similar to a dictionary attack,â said Vanhoef and Ronen, who also shared scripts intended to test some of the vulnerabilities they found.
âThe resulting attacks are efficient and low cost. For example, to brute-force all 8-character lowercase passwords, we require less than 40 handshakes and 125$ worth of Amazon EC2 instances,â they wrote.
Additionally, the two researchers also found that WPA3âs built-in protections against denial-of-service (DoS) attacks can be trivially bypassed and an attacker can overload an AP by initiating a large number of handshakes.
Allâs not lost
Vanhoef and Ronen said that they collaborated with the Wi-Fi Alliance and the US CERT Coordination Center (CERT/CC) to notify all affected vendors in a coordinated manner.
The Wi-Fi Alliance acknowledged the vulnerabilities and said that it is providing implementation guidance to affected vendors. âThe small number of device manufacturers that are affected have already started deploying patches to resolve the issueâ, according to the certification body for Wi-Fi compatible devices.
Meanwhile, Vanhoef and Ronen noted that âour attacks could have been avoided if the Wi-Fi Alliance created the WPA3 certification in a more open mannerâ. For all its flaws, however, WPA3 is an improvement over WPA2, they concluded.
Notably, Vanhoef was one of the researchers who in 2017 disclosed a security loophole in WPA2 known as âKey Reinstallation AttaCKâ (KRACK).
Gloss