The WPA3 protocol and certification that was introduced last year to make Wi-Fi networks more secure was found to contain a series of vulnerabilities, including time- and cache-based side-channel flaws that could ultimately allow adversaries to recover passwords.
Developed by the Wireless Security Alliance, WPA3 replaced the old standard's Pre-Shared Key exchange with a Simultaneous Authentication of Equals (SAE) handshake. Referred to as Dragonfly, the SAE handshake is meant to provide Wi-Fi networks with forward secrecy while preventing offline dictionary attacks. However, the vulnerabilities, collectively nicknamed Dragonblood, can allow attackers to collect enough data to perform a password partitioning attack that allows them to essentially crack passwords.
"The resulting attacks are efficient and low cost: brute forcing all 8-character lowercase password requires less than $125 in Amazon EC2 (Amazon Elastic Compute Cloud) instances," warns a research paper authored by the researchers who discovered the issues, Mathy Vanhoef of New York University Abu Dhabi and Eyal Ronen of Tel Aviv University and KU Leuven.
"In light of our presented attacks, we believe that WPA3 does not meet the standards of a modern security protocol," the researchers conclude in the paper. "Moreover, we believe that our attacks could have been avoided if the Wi-Fi Alliance created the WPA3 certification in a more open manner. Notable is also that nearly all of our attacks are against SAE’s password encoding method, i.e., against its hash-to-group and hash-to-curve algorithm. Interestingly, a simple change to this algorithm would have prevented most of our attacks."
The researchers say they worked with the Wi-Fi Alliance the and CERT Coordination Center to notify affected vendors and help implement backwards-compatible countermeasures.
The Wi-Fi Alliance responded the the study with a press release: "Recently published research identified vulnerabilities in a limited number of early implementations of WPA3-Personal, where those devices allow collection of side-channel information on a device running an attacker’s software, do not properly implement certain cryptographic operations, or use unsuitable cryptographic elements," the release states. "WPA3-Personal is in the early stages of deployment, and the small number of device manufacturers that are affected have already started deploying patches to resolve the issues. These issues can all be mitigated through software updates without any impact on devices' ability to work well together. There is no evidence that these vulnerabilities have been exploited."
Altogether, the paper describes five main vulnerabilities. For starters, the researchers demonstrated that SAE's anti-clogging mechanisms could be circumvented to cause a denial of service attack. "In particular, by abusing the overhead of SAE’s defenses against already-known side-channels, a resource-constrained device can overload the CPU of a professional Access Point," the researchers state.
Vanhoef and Ronen also discovered a way to perform a dictionary attack against WPA3-SAE when it's operating in transition mode by attempting to downgrade clients to the WPA2 protocol. Even though the downgrade won't be accepted, enough information still gets captured to cause a dictionary attack. Meanwhile, the researchers also disclosed a downgrade attack against the mechanism SAE uses to negotiate which elliptic curve or multiplicative groups are used during the handshake.
The researchers also confirmed that it is possible to pull off a timing attack against the SAE handshake, specifically its hash-to-group method that converts passwords into MODP (Modular Exponential) elements. Such attacks can leak password information that can be further leveraged in a password partitioning attack.
Finally, the researchers described what they called a micro-architecture cache-based side-channel attack that affects the hash-to-curve algorithm of SAE and can again leak data that could be used in a password partitioning attack.
"...WPA3 alone will not stop Wi-Fi hacking resulting in stealing of information over the air," said Ryan Orsi, WatchGuard Technologies’ director of product management, in emailed comments. "One of the biggest takeaways for businesses of all sizes is to understand that a long-term fix may not be technically feasible for devices with lightweight processing capabilities such as IoT and embedded systems. Businesses need to consider adding products that enable a trusted wireless environment for all types of devices and users alike.”