Almost one year after its launch, some very serious vulnerabilities that could lead to online password cracking have been detected in the next-generation Wi-Fi security standard WPA3.
It was in June 2018 that WPA3 was launched; now security researchers have found in the wireless security protocol several serious vulnerabilities that could let hackers recover even the password of a Wi-Fi network. Good news maybe for those hackers who are thinking about how to hack Wi-Fi password!
In fact, WPA (Wi-Fi Protected Access) authenticates wireless devices using the AES (Advanced Encryption Standard) protocol and serves to prevent attackers from eavesdropping on the transmitted data. It was since WPA2 (which is over 14 years old) was found to be insecure and vulnerable to Key Reinstallation Attack (KRACK) that WPA3 was launched, seeking to address the technical shortcomings of its predecessor. WPA3 relies on Dragonfly, a more secure handshake, to protect Wi-Fi networks, especially against offline dictionary attacks. But certain security issues that could allow hackers to recover Wi-Fi passwords have been found in the early implementation of WPA3-Personal. Security researchers Mathy Vanhoef and Eyal Ronen have detected these weaknesses that abuse timing or cache-based side-channel leaks to do the password recovery.
The researchers explain, in a detailed post on the issue, “One of the main advantages of WPA3 is that, thanks to its underlying Dragonfly handshake, it’s near impossible to crack the password of a network. Unfortunately, we found that even with WPA3, an attacker within range of a victim can still recover the password of the Wi-Fi network. Concretely, attackers can then read information that WPA3 was assumed to safely encrypt. This can be abused to steal sensitive transmitted information such as credit card numbers, passwords, chat messages, emails, and so on.”
The two researchers have written about two types of design flaws in WPA3, one leading to downgrade attacks and the other causing side-channel leaks; both of these can be abused to recover the password used by the Wi-Fi network.
Billions of devices were depending on the WPA2 protocol for the past many years. The Wi-Fi Alliance (the non-profit organization that certifies Wi-Fi standards and Wi-Fi products for conformity), in a bid to enable the gradual deployment of WPA3, added to WPA3 a transition mode where a network can support both WPA2 and WPA3 simultaneously. This mode, however, is vulnerable to downgrade attacks. The researchers explain, “In particular, if a client and AP both support WPA2 and WPA3, an adversary can set up a rogue AP that only supports WPA2. This causes the client (i.e. victim) to connect using WPA2’s 4-way handshake. Although the client detects the downgrade-to-WPA2 during the 4-way handshake, this is too late. The 4-way handshake messages that were exchanged before the downgrade was detected, provide enough information to launch an offline dictionary attack.”
Mathy Vanhoef and Eyal Ronen also discovered a downgrade attack against the SAE (Simultaneous Authentication of Equals) handshake where a device could be forced into using a weaker elliptic curve than it would normally use. Interesting to note is the fact that hackers don’t have to adopt a man-in-the-middle position to launch a downgrade attack. They just need to know the SSID of the WPA3- SAE network.
As for the side-channel attacks, the researchers have detailed about two vulnerabilities that could lead to such attacks. The first one, tracked using identifier CVE-2019-9494, could cause Cache-based side-channel attacks while the second one, tracked using the identifier CVE-2019-9494, could cause Timing-based attacks. These attacks, targeting the password encoding method of Dragonfly, could allow hackers to perform password partitioning attacks, almost similar to offline dictionary attacks, and steal Wi-Fi passwords.
In addition to these, they have also discussed a Denial of Service attack which can be executed by overloading an AP (Access Point) by initiating a large amount of handshakes with a WPA3-enabled Access Point and by trivially bypassing the defense mechanism that’s there to prevent Denial of Service attacks. They also discuss in brief a Group Downgrade Attack, in which a hacker can downgrade the cryptographic group that is used during WPA3’s Dragonfly handshake.
Some of the vulnerabilities that the researchers have detected also affect devices using the Extensible Authentication Protocol-Password (EAP-pwd) protocol, also based on the Dragonfly password-authenticated key exchange method.
Mathy Vanhoef and Eyal Ronen have also come up with four scripts to test for certain vulnerabilities. These are- Dragonslayer ( which would be released soon and which implements attacks against EAP-pwd), Dragondrain (tests to which extent an Access Point is vulnerable to DoS attacks against WPA3’s SAE handshake), Dragontime (performs timing attacks against the SAE handshake if MODP group 22, 23, or 24 is used) and Dragonforce (takes the information recover from timing or cache-based attacks, and performs a password partitioning attack).
The duo had reported the vulnerabilities to the Wi-Fi Alliance; the Wi-Fi Alliance have acknowledged the issues and have started working with vendors to patch the vulnerabilities on the existing WPA3-certified devices.
The Wi-Fi Alliance, in a press release, states,
“These issues can be resolved through a straightforward software update – a process much like the software updates Wi-Fi users regularly perform on their mobile devices. WPA3-Personal is in the early stages of deployment, and the small number of device manufacturers that are affected have already started deploying patches to resolve the issue. The software updates do not require any changes that affect interoperability between Wi-Fi devices. Users can refer to their device vendors’ websites for more information.”