Pierluigi Paganini August 03, 2019

Dragonblood researchers found two new weaknesses in WPA3 protocol that could be exploited to hack WPA3 protected WiFi passwords. passwords.

A group of researchers known as Dragonblood (Mathy Vanhoef and Eyal Ronen)devised new methods to hack WPA3 protected WiFi passwords by exploiting two new vulnerabilities dubbed Dragonblood flaws.

We first met this team of experts in April when they discovered weaknesses in WPA3 that could be exploited to recover WiFi passwords by abusing timing or cache-based side-channel leaks.

The WiFi Protected Access 3(WPA3) protocol was launched in June 2018 to address all known security issues affecting the previous standards and mitigate wireless attacks such as the KRACK attacks and DEAUTH attacks.

The WPA Wireless security standard was designed to authenticate wireless devices using the Advanced Encryption Standard (AES) protocol and to establish secure connections that hackers cannot spy on.

WPA3 replaced the WPA2 that is currently used by billions of devices every day, it implements important improvements for Wi-Fi enabled devices, it aims at enhancing configuration, authentication, and encryption issues.

 The new standard leverages SAE (Simultaneous Authentication of Equals) handshake to introduce the use of forward secrecy in order to protect communications in case the secret password has been compromised.

The Enterprise mode implements 192-bit encryption for networks that require extra security.

Now Dragonblood experts devised two new side-channel attacks that allow attackers to steal your WiFi password by exploiting two flaws in the protocol.

The first issue, tracked as CVE-2019-13377, is a timing-based side-channel attack against WPA3’s Dragonfly handshake when using Brainpool curves.

“During our initial disclosure, the Wi-Fi Alliance privately created security recommendations to mitigate our attacks. In these recommendations, they claim that Brainpool curves are safe to use, at least if products securely implement Dragonfly’s quadratic residue test (i.e. it must be implemented without side-channel leaks).” reads a security advisory published by the team.

“However, we found that using Brainpool curves introduces the second class of side-channel leaks in the Dragonfly handshake of WPA3. In other words, even if the advice of the WiFi Alliance is followed, implementations remain at risk of attacks.”

Experts pointed out that the new side-channel leak affects the password encoding algorithm of Dragonfly, the Brainpool leak works against the latest Hostapd version, and attackers can use leaked information to carry out a brute-force attack.

The second issue, tracked as CVE-2019-13456, is an information leak flaw that resides the implementation of EAP-pwd (Extensible Authentication Protocol-Password) in FreeRADIUS.

“Apart from this, we also discovered a new implementation-specific side-channel in the EAP-pwdt implementation of FreeRADIUS. More worrisome, we found that the Wi-Fi firmware of Cypress chips only executes 8 iterations at minimum to prevent side-channel leaks. Although this makes attacks harder, it does not prevent them.” the experts added. “This strengthens our hypothesis that the backwards-compatible countermeasures against our attacks are too costly for lightweight devices.”

The security duo reported their findings to the WiFi Alliance that addressed the issues with an update, but the mitigations wouldn’t be compatible with the initial version of WPA3.

Experts detailed their research in a paper Dragonblood: Analyzing the Dragonfly Handshake of WPA3 and EAP-pwd that will be presented at the IEEE Symposium on Security and Privacy on 18-20 May 2020 in Oakland, San Francisco.

Pierluigi Paganini

(SecurityAffairs – WPA3, DRAGONBLOOD)

[adrotate banner=”5″]

[adrotate banner=”13″]