Hack WPA3: DragonBlood



    Despite the fact that the new WPA3 standard has not yet been put into operation, the security flaws in this protocol allow attackers to crack a Wi-Fi password.

    The Wi-Fi Protected Access III (WPA3) protocol was launched in an attempt to eliminate the technical flaws of the WPA2 protocol, which has long been considered unsafe and vulnerable to a KRACK (Key Reinstallation Attack) attack. Although WPA3 relies on a safer handshake known as Dragonfly, which aims to protect Wi-Fi networks from offline dictionary attacks (offline busting), security researchers Mathy Vanhoef and Eyal Ronen have found weaknesses in the early WPA3-Personal implementation that may allow an attacker to recover Wi-Fi passwords by abusing timings or a side cache.
    “Attackers can read information that WPA3 was supposed to securely encrypt. This can be used to steal confidential information, such as credit card numbers, passwords, chat messages, emails, etc. ”
    In a research paper published today called DragonBlood, researchers looked at two types of design flaws in WPA3 in detail: the first leads to downgrade attacks, and the second leads to side cache leaks.

    Side cache attack based on cache


    The Dragonfly password encryption algorithm, also known as the hunting and pecking algorithm, contains conditional branches. If an attacker can determine which branch of the if-then-else branch was taken, he can find out if a password element was found in a particular iteration of this algorithm. In practice, it has been discovered that if an attacker can run unprivileged code on a victim computer, it is possible to use cache-based attacks to determine which branch was taken in the first iteration of the password generation algorithm. This information can be used to perform a password-split attack (this is similar to a stand-alone dictionary attack).

    This vulnerability is tracked using the identifier CVE-2019-9494.

    Protection consists in replacing conditional branches, which depend on secret values, with selection utilities with constant time. Implementations should also use constant-time Legendre symbol computation .

    Side channel attack based on synchronization


    When a Dragonfly handshake uses specific multiplicative groups, the password encryption algorithm uses a variable number of iterations to encode the password. The exact number of iterations depends on the password used and the MAC address of the access point and client. An attacker can perform a remote temporary attack on the password encryption algorithm to determine how many iterations were required to encode the password. The recovered information can be used to perform a password attack, which is similar to a standalone dictionary attack.

    To prevent synchronization-based attacks, implementations must disable vulnerable multiplicative groups. From a technical point of view, the MODP groups 22, 23 and 24 should be disabled. It is also recommended to disable MODP groups 1, 2, and 5.

    This vulnerability is also monitored using the identifier CVE-2019-9494 due to the similarity of the attack implementation.

    WPA3 downgrade


    As the 15-year-old WPA2 protocol has been widely used by billions of devices, WPA3 will not be widely distributed overnight. To support older devices, WPA3-certified devices offer a "transitional mode of operation" that can be configured to accept connections using both WPA3-SAE and WPA2.

    Researchers believe the transition mode is vulnerable to downgrade attacks that attackers can use to create a fraudulent access point that only supports WPA2, which forces WPA3-enabled devices to connect using WPA2's insecure four-way handshake.
    “We also found a downgrade attack against the SAE handshake itself (“ ​​Simultaneous Peer Authentication ”, commonly known as“ Dragonfly ”), where we can force the device to use a weaker elliptical curve than usual,” the researchers say.
    Moreover, the “man in the middle” position is not needed to conduct an attack with a downgrade. Instead, attackers only need to know the SSID of the WPA3-SAE network.

    Researchers reported on the results of the Wi-Fi Alliance, a nonprofit organization that certifies WiFi standards and Wi-Fi products for compliance, which have recognized problems and are working with vendors to fix existing WPA3-certified devices.

    PoC


    To confirm the concept, researchers will soon release the following four separate tools (in the GitHub repositories with a hyperlink below) that can be used to check for vulnerabilities.

    Dragondrain is a tool that can check to what extent the access point is vulnerable to WPA3 Dragonfly Dos handshake attacks.
    Dragontime is an experimental tool for conducting temporary attacks against the Dragonfly handshake.
    Dragonforce is an experimental tool that receives information for recovery from temporary attacks and performs a password attack.
    Dragonslayer is a tool that attacks EAP-pwd.


    Dragonblood: A Security Analysis of WPA3's SAE Handshake
    Project site - wpa3.mathyvanhoef.com

    Also popular now: