A new study by researchers Matty Vanhoef and Eyal Ronen revealed five vulnerabilities – collectively named ‘Dragonblood’ – in the WPA3 Wi-Fi standard. Four of the five are considered a severe threat to online security. What does this teach us about trust in our networks?
WPA3 (Wi-Fi Protected Access 3) is the latest generation of Wi-Fi security certification developed by the Wi-Fi Alliance. Building on the widespread success and adoption of WPA2, the succeeding technology was announced late in 2018 and heralded as the market’s “next cutting-edge security protocol”.
WPA3 adds a range of new features aimed at simplifying WiFi security, including more robust authentication, increased cryptographic strength, and more resilient networks. The new standard retains interoperability with WPA2 devices, and while currently optional, it will eventually become obligatory in line with market adoption.
Though designed to provide stronger privacy and security protections for personal and enterprise users, several design flaws have already been reported.
Researchers have detailed a set of side-channel and downgrade attacks that would allow an attacker to compromise Wi-Fi networks equipped with WPA3 protection. The research duo has named these vulnerabilities “Dragonblood” with reference to the ‘Dragonfly’ handshake WPA3 uses to establish secure communication between two devices.
The Wi-Fi Alliance stated in a press release:
“WPA3-Personal is in the early stages of deployment, and the small number of device manufacturers that are affected have already started deploying patches to resolve the issues. These issues can all be mitigated through software updates without any impact on devices’ ability to work well together. There is no evidence that these vulnerabilities have been exploited.”
Prior to disclosing these vulnerabilities, researchers, Vanhoef and Ronen collaborated with the Wi-Fi Alliance to resolve the discovered issues and mitigate the impact before WPA3 is fully deployed.
What did they find?
It is supposedly near impossible to crack the password of a given network that uses WPA3. Yet network security researchers Mathy Vanhoef and Eyal Ronen found that even with the new standard in place, an attacker within range could recover the password of a given network and read the information that WPA3 was assumed to safely encrypt.
The vulnerabilities exposed can be separated into two classifications: flaws in the Dragonfly handshake and downgrade attacks against WPA3-ready devices.
Using attacks against home networks operating the personal certification, their investigation revealed weaknesses that could “be abused to recover the password of the Wi-Fi network, launch resource consumption attacks, and force devices into using weaker security groups”. Without the extra protection of HTTPS, this flaw could be leveraged to steal sensitive information including credit cards, passwords, chat messages, emails, and more.
The Dragonfly handshake that hosted these vulnerabilities is also used on other networks that require a username and password for access control – namely those using the EAP-pwd protocol. This means that attackers could exploit the same vulnerabilities on any network using this protocol, regardless of its full certification.
Vanhoef and Ronen discovered serious flaws in most products that implement EAP-pwd. These bugs allow an attacker to impersonate any user and thereby access the network without the use of a password. Though EAP-pwd is used fairly rarely, these findings still present a serious risk for many users and illustrate the risks of incorrectly implementing the Dragonfly handshake.
The Resulting Attacks
Attacks based on these vulnerabilities are simple and inexpensive. Many can be carried out using old WPA2 cracking equipment that is readily available. According to the full report, the side-channel attacks can even be leveraged to expose “all 8-character lowercase passwords with as little as $125 worth of tools”. The key methods are detailed below.
Security Group Downgrade Attack
This method exploits the Dragonfly handshake to force victim devices into using a weak security group.
Typically, an initiating device sends a commit frame that includes the security group it wishes to use. If the Access Point (AP) doesn’t support this group, it responds with a declining message, forcing the client to try another group. This process continues until a security group is found that is supported by both sides.
In this attack, a malicious party can impersonate an AP and send repeated decline messages to force clients into choosing a vulnerable security group.
Researchers discovered that an access point could reveal information about the network password based on timing or memory access patterns.
When responding to commit frames, if the AP in a given situation supports multiplicative security groups (MODP groups) as opposed to those based on elliptic curves, the response time will depend on the network’s password.
It was found that an attacker could abuse this timing information to execute a dictionary attack;
“Simulating how much time it would take for the AP to process each password and comparing this to observed timings.”
The exposed patterns can then be exploited to perform another dictionary attack by “replicating the memory access patterns associated with a guessed password and comparing this to the recorded access patterns”.
WPA3 does contain a cookie-exchange process which is designed to prevent malicious actors from fabricating commit frames using false MAC addresses. Though this safeguard is present, it is simple to avoid. Consequently, attackers can overload a given AP by sending as little as 16 fake commit frames per second. This results in high CPU usage and resource consumption on the AP, preventing other devices from connecting, draining the battery, and impeding other functionality.
Depending on the exact protections that vendors put in place, it is likely possible to trigger high CPU usage on the AP or prevent other devices from connecting using WPA3.
Downgrade & Dictionary Attack
To allow for older clients and the eventual migration to WPA3, developers created a ‘transition mode’ for WPA3. When using this mode, a network is able to support both WPA3 and WPA2 usage with a shared password. This downgrade attack exploits this backward compatibility.
The researchers found that a malicious entity could generate a rogue network and force clients that support WPA3 to connect via WPA2. The recorded WPA2 handshake can then be used to recover the shared password using a dictionary or brute-force attacks known from the previous generation.
Similar flaws were found in the Samsung Galaxy S10 and several other devices, many of which could be forced into using WPA2 – even when connecting through a WPA3-exclusive network. This allows for similar attacks.
What can be done?
In practice, the main risks for WPA3 based on this research are downgrade attacks and timing attacks against resource-constrained devices. The majority of remaining attacks are considerably more complex to execute, and – assuming vendors will implement appropriate defenses – it is unlikely they’ll be commonly abused in practice.
Yet considering how little time elapsed between the release of WPA3 and the discovery of these serious security flaws, it’s not unrealistic to expect that further vulnerabilities may be discovered in time.
Even though these vulnerabilities have been patched, their discovery comes as a welcome reminder to Wi-Fi users that extra measures like VPNs and similar security tools should always be taken to protect sensitive transactions and communications – even on familiar, password-protected networks.
VPNs work by encrypting a user’s internet connection via a remote server, ensuring that anyone spying on the network is unable to read any traffic sent between a device and the server. The ultimate takeaway of these findings should be that Wi-Fi alone can never be trusted completely, regardless of the latest certification and despite its convenience. It’s always better to be safe than sorry.