WPA3 Wi-Fi Standard Affected by New Dragonblood Vulnerabilities

Security researchers discovered new vulnerabilities in the WPA3-Personal protocol which allow potential attackers to crack Wi-Fi network passwords and get access to the encrypted network traffic exchanged between the connected devices.

According to a press release from the Wi-Fi Alliance, the devices impacted by these security vulnerabilities in the WPA3 Wi-Fi standard “allow collection of side channel information on a device running an attacker’s software, do not properly implement certain cryptographic operations, or use unsuitable cryptographic elements.”

WPA3 uses Wi-Fi Device Provisioning Protocol (DPP) instead of shared passwords to sign up new devices to the network, a protocol which allows users to scan QR codes or NFC tags to log devices onto the wireless network. Additionally, unlike WPA2, all network traffic will be encrypted after connecting to a network which uses WPA3 WiFi Security.

The WPA3-Personal protocol replaces the Pre-shared Key (PSK) in WPA2-Personal with Simultaneous Authentication of Equals (SAE) to provide more robust password-based authentication.

While the WPA3-Personal was designed to substitute the less secure 14-year-old WPA2, the newer protocol’s Simultaneous Authentication of Equals (SAE) handshake—also known as Dragonfly—seems to be plagued by a number of underlying design flaws which expose users to password partitioning attacks as discovered by researchers.

Dragonblood attacks can be used to steal sensitive information

“These attacks resemble dictionary attacks and allow an adversary to recover the password by abusing timing or cache-based side-channel leaks. Our sidechannel attacks target the protocol’s password encoding method” said Mathy Vanhoef (NYUAD) and Eyal Ronen (Tel Aviv University & KU Leuven) in their research paper.

The researchers also mention on the website dedicated to the analysis of the attacks against WPA3’s Dragonfly handshake that “This can be abused to steal sensitive transmitted information such as credit card numbers, passwords, chat messages, emails, and so on.”

As explained in the abstract of the research paper, “The resulting attacks are efficient and low cost: brute-forcing all 8-character lowercase password requires less than 125$in Amazon EC2 instances.”

Since the Dragonfly handshake is used by Wi-Fi networks which require usernames and password for access control, it is also used by the EAP-pwd protocol which makes all the Dragonblood attacks found to impact WPA3-Personal ready to be used against EAP-pwd.

“Moreover, we also discovered serious bugs in most products that implement EAP-pwd. These allow an adversary to impersonate any user, and thereby access the Wi-Fi network, without knowing the user’s password,” state the two researchers, “Although we believe that EAP-pwd is used fairly infrequently, this still poses serious risks for many users, and illustrates the risks of incorrectly implementing Dragonfly.”

Researcher also found KRACK WPA2 vulnerability

The flaws found within WPA3-Personal are of two types, side-channel leaks, and downgrade attacks, and they both can be used by potential attackers to find the Wi-Fi network’s password. More detailed information on each type of attack users are exposed to on wireless networks which employ vulnerable implementations of WPA3-Personal is available HERE.

Vanhoef was also part of the research team which discovered the KRACK (short for key reinstallation attack) attacks affecting the WPA2 protocol that, at the time, impacted “all modern protected Wi-Fi networks.”

The two researchers have also created and shared open source scripts designed to test some of the vulnerabilities they discovered in the WPA3-Personal protocol:

  • Dragonslayer: implements attacks against EAP-pwd (to be released shortly).
  • Dragondrain: this tool can be used to test to which extend an Access Point is vulnerable to denial-of-service attacks against WPA3’s SAE handshake.
  • Dragontime: this is an experimental tool to perform timing attacks against the SAE handshake if MODP group 22, 23, or 24 is used. Note that most WPA3 implementations by default do not enable these groups.
  • Dragonforce: this is an experimental tool which takes the information recover from our timing or cache-based attacks, and performs a password partitioning attack. This is similar to a dictionary attack.

Security patches already being deployed by device manufacturers

The researchers conclude their “Dragonblood: A Security Analysis of WPA3’s SAE Handshake” paper by saying that “a more open process would have prevented (or clarified) the possibility of downgrade attacks against WPA3-Transition mode. Nevertheless, although WPA3 has its flaws, we still consider it an improvement over WPA2.”

The Wi-Fi Alliance press release says that “These issues can all be mitigated through software updates without any impact on devices’ ability to work well together. There is no evidence that these vulnerabilities have been exploited” and “device manufacturers that are affected have already started deploying patches to resolve the issue.”

Additionally, all impacted vendors were notified of the WPA3 vulnerabilities by the WiFi Alliance, CERT/CC, and the researchers, with backward-compatible countermeasures being implemented with the help of Vanhoef and Ronen.


Leave a Comment