WPA3, a new Wi-Fi security protocol launched in June 2018, suffers from vulnerabilities that make it possible for an adversary to recover the password of a wireless network via “efficient and low cost” attacks, according to a new academic paper and a website dedicated to the flaws.

As a reminder, the third iteration of the Wi-Fi Protected Access (WPA) protocol is designed to enhance wireless security, including by making it well-nigh impossible to breach a WiFi network using password-guessing attacks. This safeguard – which is courtesy of WPA3’s ‘Simultaneous Authentication of Equals’ (SAE) handshake, popularly known as Dragonfly – could even ‘save people from themselves’, i.e. in the far-too-common scenario when they choose easy-to-break passwords.

Not so fast, according to Mathy Vanhoef of New York University Abu Dhabi and Eyal Ronen of Tel Aviv University & KU Leuven. Their research found that the passwords may not be beyond reach for hackers after all, as the protocol contains two main types of design flaws that can be exploited for attacks.

“Unfortunately, we found that even with WPA3, an attacker within range of a victim can still recover the password of the Wi-Fi network,” they write, noting that, in the absence of further precautions, this could in some cases pave the way for thefts of sensitive information such as credit card details. The vulnerabilities – which were identified only in WPA3’s Personal, not Enterprise, implementation – are collectively dubbed ‘Dragonblood’.

'Dragonblood' logo (wpa3.mathyvanhoef.com)

One type of attack, called the ‘downgrade attack’, targets WPA3’s transition mode, where a network can simultaneously support WPA2 and WPA3 for backward compatibility.

“[I]f a client and AP [access point] both support WPA2 and WPA3, an adversary can set up a rogue AP that only supports WPA2. This causes the client (i.e. victim) to connect using WPA2's 4-way handshake. Although the client detects the downgrade-to-WPA2 during the 4-way handshake, this is too late,” according to the researchers.

This is because the 4-way handshake messages that were exchanged before the downgrade was detected provide enough information to launch an offline dictionary attack against the Wi-Fi password. The attacker 'only' needs to know the network’s name, aka Service Set Identifier (SSID), and be close enough to broadcast the rogue AP.

Meanwhile, the ‘side-channel attack’ targets Dragonfly’s password-encoding method, called the ‘hunting and pecking’ algorithm. This attack comes in two flavors: cache- and timing-based.

“The cache-based attack exploits Dragonflys's hash-to-curve algorithm, and our timing-based attack exploits the hash-to-group algorithm. The information that is leaked in these attacks can be used to perform a password partitioning attack, which is similar to a dictionary attack,” said Vanhoef and Ronen, who also shared scripts intended to test some of the vulnerabilities they found.

“The resulting attacks are efficient and low cost. For example, to brute-force all 8-character lowercase passwords, we require less than 40 handshakes and 125$ worth of Amazon EC2 instances,” they wrote.

Additionally, the two researchers also found that WPA3’s built-in protections against denial-of-service (DoS) attacks can be trivially bypassed and an attacker can overload an AP by initiating a large number of handshakes.

All’s not lost

Vanhoef and Ronen said that they collaborated with the Wi-Fi Alliance and the US CERT Coordination Center (CERT/CC) to notify all affected vendors in a coordinated manner.

The Wi-Fi Alliance acknowledged the vulnerabilities and said that it is providing implementation guidance to affected vendors. “The small number of device manufacturers that are affected have already started deploying patches to resolve the issue”, according to the certification body for Wi-Fi compatible devices.

Meanwhile, Vanhoef and Ronen noted that “our attacks could have been avoided if the Wi-Fi Alliance created the WPA3 certification in a more open manner”. For all its flaws, however, WPA3 is an improvement over WPA2, they concluded.

Notably, Vanhoef was one of the researchers who in 2017 disclosed a security loophole in WPA2 known as ‘Key Reinstallation AttaCK’ (KRACK).