Dragonblood


Currently, all modern Wi-Fi networks use WPA2 to protect transmitted data. However, because WPA2 is more than 14 years old, the Wi-Fi Alliance recently announced the new and more secure WPA3 protocol. One of the main advantages of WPA3 is that, thanks to its underlying Dragonfly handshake, it is nearly impossible to crack the password of a network. Unfortunately, we found that even with WPA3, an attacker within range of a victim can still recover the password of the Wi-Fi network. Concretely, attackers can then read information that WPA3 was assumed to safely encrypt. This can be abused to steal sensitive transmitted information such as credit card numbers, passwords, chat messages, emails, and so on.

The Dragonfly handshake, which forms the core of WPA3, is also used on certain Wi-Fi networks that require a username and password for access control. That is, Dragonfly is also used in the EAP-pwd protocol. Unfortunately, our attacks against WPA3 also work against EAP-pwd, meaning an adversary can even recover a user's password when EAP-pwd is used. Moreover, we also discovered serious bugs in most products that implement EAP-pwd. These allow an adversary to impersonate any user, and thereby access the Wi-Fi network, without knowing the user's password. Although we believe that EAP-pwd is used fairly infrequently, this still poses serious risks for many users, and illustrates the risks of incorrectly implementing Dragonfly.

The technical details behind our attacks against WPA3 can be found in our detailed research paper titled Dragonblood: A Security Analysis of WPA3's SAE Handshake. The details of our EAP-pwd attacks are explained on this website.

Coordinated Disclosure

We collaborated with the Wi-Fi Alliance and CERT/CC to notify all affected vendors in a coordinated manner, and helped with implementing backwards-compatible countermeasures. Please check with your vendors for updates. The Wi-Fi Alliance has published a press release, and hostap published advisories and patches. We will post more information about CVEs and available patches as they become public.

Flaws in WPA3

We discovered two types of design flaws in WPA3. The first type is downgrade attacks, and the second type is side-channel leaks that reveal information about the password being used. Both of these vulnerabilities can be abused to recover the password used by the Wi-Fi network.

Our downgrade attack enables an adversary to force a client to partly execute WPA2's 4-way handshake, which can subsequently be used to perform a traditional brute-force attack against the partial WPA2 handshake. Additionally, we also discovered downgrade attacks against the Dragonfly handshake itself, which can be abused to force a victim into using a weaker elliptic curve than it would normally use.

Our side-channel attacks target Dragonfly's password encoding method. The cache-based attack exploits Dragonfly's hash-to-curve algorithm, and our timing-based attack exploits the hash-to-group algorithm. The information that is leaked in these attacks can be used to perform a password partitioning attack, which is similar to a dictionary attack. The resulting attacks are efficient and low cost. For example, to brute-force all 8-character lowercase passwords, we require fewer than 40 handshakes and $125 worth of Amazon EC2 instances.

Downgrade to Dictionary Attack

To enable the gradual deployment of WPA3, the Wi-Fi Alliance added a transition mode to WPA3 where a network can simultaneously support both WPA2 and WPA3. Unfortunately, this mode is vulnerable to downgrade attacks. In particular, if a client and AP both support WPA2 and WPA3, an adversary can set up a rogue AP that only supports WPA2. This causes the client (i.e. the victim) to connect using WPA2's 4-way handshake. Although the client detects the downgrade to WPA2 during the 4-way handshake, this is too late. The 4-way handshake messages that were exchanged before the downgrade was detected provide enough information to launch an offline dictionary attack.

We also discovered a downgrade attack against SAE itself, where we can force a device into using a weaker elliptic curve than it normally would use. Additionally, we discovered that the iwd Wi-Fi client and the Samsung Galaxy S10 are vulnerable to downgrade attacks, even against WPA3-only networks. That is, if these devices previously connected to a WPA3-only network, the adversary can create a rogue WPA2 network with the same network name, and both iwd and the Galaxy S10 will try to connect to the WPA2 network. This can be abused to launch dictionary attacks.
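The client-side behaviour described above (iwd and the Galaxy S10 accepting a WPA2-only network with a name they previously joined over WPA3) comes down to the client not remembering what a network supports. The following C program is an added illustration of the opposite policy, written for this page and not taken from iwd, hostapd or the paper: once a client has completed an SAE handshake with an SSID, a later AP offering only WPA2-PSK under that SSID is refused instead of joined. The AKM flags, the profile store and the SSIDs are constructed for the example.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* AKM suites an AP advertises in its RSN element, reduced to two flags (constructed). */
enum { AKM_PSK = 1, AKM_SAE = 2 };

/* What the client remembers about a network: its SSID and whether it has
 * ever completed an SAE (WPA3) handshake with it. */
typedef struct { char ssid[33]; int sae_seen; } net_profile_t;

#define MAX_PROFILES 16
typedef struct { net_profile_t p[MAX_PROFILES]; size_t n; } profile_store_t;

typedef enum { CONNECT_SAE, CONNECT_PSK, REJECT_DOWNGRADE } decision_t;

static net_profile_t *find_profile(profile_store_t *s, const char *ssid) {
    for (size_t i = 0; i < s->n; i++)
        if (strcmp(s->p[i].ssid, ssid) == 0)
            return &s->p[i];
    return NULL;
}

/* Called after a successful SAE handshake: pin this SSID to WPA3 from now on. */
static void record_sae_success(profile_store_t *s, const char *ssid) {
    net_profile_t *p = find_profile(s, ssid);
    if (p == NULL) {
        if (s->n >= MAX_PROFILES) return;             /* store full: nothing to pin */
        p = &s->p[s->n++];
        snprintf(p->ssid, sizeof p->ssid, "%s", ssid);
    }
    p->sae_seen = 1;
}

/* Decide how to join a network given the AKMs the candidate AP offers. */
static decision_t choose_connection(profile_store_t *s, const char *ssid, unsigned offered) {
    if (offered & AKM_SAE)
        return CONNECT_SAE;                            /* prefer WPA3 whenever it is offered */
    net_profile_t *p = find_profile(s, ssid);
    if (p != NULL && p->sae_seen)
        return REJECT_DOWNGRADE;                       /* PSK-only beacon for a network known to do WPA3 */
    return CONNECT_PSK;                                /* never saw SAE here: transition mode allows PSK */
}

/* Runs the policy over a constructed scenario; returns 1 when every decision is as intended. */
static int policy_self_check(void) {
    profile_store_t store = { .n = 0 };
    int ok = 1;
    ok &= (choose_connection(&store, "corp-wifi", AKM_PSK) == CONNECT_PSK);
    ok &= (choose_connection(&store, "corp-wifi", AKM_PSK | AKM_SAE) == CONNECT_SAE);
    record_sae_success(&store, "corp-wifi");          /* we joined corp-wifi over WPA3 once */
    ok &= (choose_connection(&store, "corp-wifi", AKM_PSK) == REJECT_DOWNGRADE);
    ok &= (choose_connection(&store, "guest", AKM_PSK) == CONNECT_PSK);
    return ok;
}

int main(void) {
    printf("downgrade policy self-check: %s\n", policy_self_check() ? "ok" : "FAILED");
    return 0;
}
```

The pin only helps from the second connection onward: the very first join of an unknown SSID in transition mode is still decided by whatever the AP in range advertises, which is the window the downgrade attack above relies on.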

Cache-Based Side-Channel Attack

The password encoding algorithm of Dragonfly, commonly also known as the "hunting and pecking" algorithm, contains conditional branches. If an adversary can determine which branch of the if-then-else was taken, they can learn whether the password element was found in a specific iteration of this algorithm. In practice, we found that if an adversary can run unprivileged code on the victim machine, cache-based attacks can determine which branch was taken in the first iteration of the password generation algorithm. This information can be abused to perform a password partitioning attack (this is similar to an offline dictionary attack).

This vulnerability is tracked using identifier CVE-2019-9494.

A backward-compatible countermeasure is to replace conditional branches that depend on secret values with constant-time select utilities. Implementations must also use a constant-time Legendre symbol computation.
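To make the countermeasure concrete, here is an added C example, written for this page and not taken from hostapd, iwd or the paper. It puts the leaky loop shape next to the hardened one: a constant-time mask and select replace the secret-dependent branch, the Legendre symbol is computed by Euler's criterion with a fixed-iteration, branch-free modular exponentiation, and the loop always runs every iteration. The prime 2^31 - 1 is a toy stand-in for the curve's field prime, and the candidate values are constructed rather than derived from the password and MAC addresses as Dragonfly does.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Toy prime 2^31 - 1 standing in for the curve's field prime (constructed for this example). */
static const uint32_t P = 2147483647u;

/* All-ones mask when cond != 0, all-zeros otherwise, with no data-dependent branch. */
static uint32_t ct_mask_u32(uint32_t cond) {
    return 0u - ((cond | (0u - cond)) >> 31);
}

/* Constant-time select: a when mask is all-ones, b when it is all-zeros. */
static uint32_t ct_select_u32(uint32_t mask, uint32_t a, uint32_t b) {
    return (a & mask) | (b & ~mask);
}

/* base^exp mod P in a fixed 32 iterations; the multiply is always computed and
 * the result chosen by masked select, so the exponent never steers a branch. */
static uint32_t ct_modpow(uint32_t base, uint32_t exp) {
    uint64_t result = 1, b = base % P;
    for (int i = 31; i >= 0; i--) {
        result = (result * result) % P;
        uint64_t with_mult = (result * b) % P;
        uint32_t bit = ct_mask_u32((exp >> i) & 1u);
        result = ct_select_u32(bit, (uint32_t)with_mult, (uint32_t)result);
    }
    return (uint32_t)result;
}

/* Legendre symbol by Euler's criterion: x^((P-1)/2) equals 1 exactly for a nonzero
 * quadratic residue. Returns 1 for a residue, 0 otherwise, without branching on x. */
static uint32_t ct_is_quadratic_residue(uint32_t x) {
    uint32_t e = ct_modpow(x, (P - 1) / 2);
    uint32_t not_one = ct_mask_u32(e ^ 1u);          /* all-ones unless e == 1 */
    return (~not_one) & 1u;
}

/* Leaky shape: the loop exits as soon as a candidate is accepted, so the iteration
 * in which that happened shows up in timing and in the cache footprint. */
static uint32_t hunt_and_peck_leaky(const uint32_t *cand, size_t n) {
    for (size_t i = 0; i < n; i++)
        if (ct_is_quadratic_residue(cand[i]))
            return cand[i];
    return 0;
}

/* Hardened shape: every iteration does identical work; the first accepted
 * candidate is captured by masked select and later hits are masked out. */
static uint32_t hunt_and_peck_ct(const uint32_t *cand, size_t n) {
    uint32_t found = 0, result = 0;                   /* found turns all-ones after the first hit */
    for (size_t i = 0; i < n; i++) {
        uint32_t qr = ct_is_quadratic_residue(cand[i]);
        uint32_t take = ct_mask_u32(qr & ~found & 1u); /* qr && !found, branch-free */
        result = ct_select_u32(take, cand[i], result);
        found |= take;
    }
    return result;
}

/* Constructed candidate lists; a real implementation derives each candidate from the
 * password, both MAC addresses and the loop counter. 3, 5 and 7 are non-residues mod P. */
static const uint32_t CAND_HIT[]  = { 3u, 5u, 4u, 9u };
static const uint32_t CAND_MISS[] = { 3u, 5u, 7u };

int main(void) {
    printf("leaky: %u  constant-time: %u\n",
           hunt_and_peck_leaky(CAND_HIT, 4), hunt_and_peck_ct(CAND_HIT, 4));
    return 0;
}
```

Two caveats a practitioner should keep in mind: the `%` operator compiles to a division whose latency is operand-dependent on many CPUs, so production code uses Montgomery or Barrett reduction instead, and a compiler is free to turn a mask-and-select back into a branch, which is why hardened implementations are checked at the instruction level rather than trusted from the source.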

Timing-Based Side-Channel Attack

When the Dragonfly handshake uses certain multiplicative groups, the password encoding algorithm uses a variable number of iterations to encode the password. The precise number of iterations depends on the password being used, and on the MAC addresses of the AP and client. An adversary can perform a remote timing attack against the password encoding algorithm to determine how many iterations were needed to encode the password. The recovered information can be abused to perform a password partitioning attack, which is similar to an offline dictionary attack.

To prevent our timing-based attack, implementations should disable the vulnerable multiplicative groups. More technically, MODP groups 22, 23, and 24 should be disabled. We also advise implementations to disable MODP groups 1, 2, and 5.

This vulnerability is tracked using the identifier CVE-2019-9494. Notice that this identifier is also used to track our cache-based attack, since both are side-channel vulnerabilities in the Dragonfly handshake.

Denial-of-Service Attack

An adversary can overload an AP by initiating a large number of handshakes with a WPA3-enabled Access Point (AP). Although WPA3 contains a defense to prevent such denial-of-service attacks, it can be trivially bypassed. By repeatedly initiating handshakes from spoofed MAC addresses, the AP performs many costly password derivation operations (i.e. it performs many executions of the "hunting and pecking" algorithm). Depending on the AP under attack, this may consume all resources of the AP.

A backwards-compatible countermeasure is to perform the password generation algorithm (the "hunting and pecking" algorithm) in a low-priority background thread. Although this will still result in high CPU usage, it ensures that other functionality of the AP remains responsive.
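Besides keeping the AP responsive, an operator will want to notice that this is happening. The following C program is an added example, not from the paper or any AP firmware, of the monitoring check that goes with the attack pattern described above: it counts how many distinct station MACs initiate an SAE handshake within a sliding window, which stays small for a real client population and jumps when handshakes arrive from a stream of never-seen addresses. The event records, window length and threshold are constructed for the example.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* One observed SAE commit (handshake initiation) toward the AP: arrival time in
 * milliseconds and the station MAC that sent it. Sample events below are constructed. */
typedef struct { unsigned t_ms; const char *sta_mac; } sae_commit_t;

#define MAX_TRACKED 128

/* Number of distinct station MACs that sent an SAE commit in the window (t_end - window_ms, t_end]. */
static size_t distinct_initiators(const sae_commit_t *ev, size_t n, unsigned t_end, unsigned window_ms) {
    const char *seen[MAX_TRACKED];
    size_t nseen = 0;
    for (size_t i = 0; i < n; i++) {
        if (ev[i].t_ms > t_end || t_end - ev[i].t_ms >= window_ms)
            continue;                                 /* outside the window */
        int dup = 0;
        for (size_t j = 0; j < nseen && !dup; j++)
            dup = (strcmp(seen[j], ev[i].sta_mac) == 0);
        if (!dup && nseen < MAX_TRACKED)
            seen[nseen++] = ev[i].sta_mac;
    }
    return nseen;
}

/* Peak number of distinct initiators over every window that ends at an event time. */
static size_t peak_distinct_initiators(const sae_commit_t *ev, size_t n, unsigned window_ms) {
    size_t peak = 0;
    for (size_t i = 0; i < n; i++) {
        size_t c = distinct_initiators(ev, n, ev[i].t_ms, window_ms);
        if (c > peak) peak = c;
    }
    return peak;
}

/* Alert when more distinct MACs start handshakes per window than the legitimate client base could. */
static int sae_flood_suspected(const sae_commit_t *ev, size_t n, unsigned window_ms, size_t threshold) {
    return peak_distinct_initiators(ev, n, window_ms) > threshold;
}

/* Constructed samples: a quiet network with two stations, then a burst of commits
 * from twelve addresses inside a quarter of a second. */
static const sae_commit_t QUIET[] = {
    {1000, "aa:bb:cc:00:00:01"}, {1450, "aa:bb:cc:00:00:02"}, {4200, "aa:bb:cc:00:00:01"},
};
static const sae_commit_t BURST[] = {
    {9000, "02:00:00:00:00:01"}, {9020, "02:00:00:00:00:02"}, {9041, "02:00:00:00:00:03"},
    {9063, "02:00:00:00:00:04"}, {9080, "02:00:00:00:00:05"}, {9102, "02:00:00:00:00:06"},
    {9121, "02:00:00:00:00:07"}, {9140, "02:00:00:00:00:08"}, {9158, "02:00:00:00:00:09"},
    {9177, "02:00:00:00:00:0a"}, {9199, "02:00:00:00:00:0b"}, {9215, "02:00:00:00:00:0c"},
};
#define N_QUIET (sizeof QUIET / sizeof QUIET[0])
#define N_BURST (sizeof BURST / sizeof BURST[0])

int main(void) {
    printf("quiet: peak %zu initiators/s, flood=%d\n",
           peak_distinct_initiators(QUIET, N_QUIET, 1000), sae_flood_suspected(QUIET, N_QUIET, 1000, 8));
    printf("burst: peak %zu initiators/s, flood=%d\n",
           peak_distinct_initiators(BURST, N_BURST, 1000), sae_flood_suspected(BURST, N_BURST, 1000, 8));
    return 0;
}
```

The threshold has to be set from the site's own baseline (a busy venue legitimately sees more first-time stations per second than a home AP), and because the attacker picks the MAC addresses, the metric is a signal for an alert and capacity planning, not something the AP can use to block individual addresses.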

Group Downgrade Attack

An adversary can downgrade the cryptographic group that is used during WPA3's Dragonfly handshake. For example, say a client supports the elliptic curves P-521 and P-256, and prefers to use them in that order. In that case, even though the AP also supports the P-521 curve, an adversary can force the client and AP into using the weaker P-256 curve. This can be accomplished by jamming the messages of the Dragonfly handshake, and forging a message that indicates certain curves are not supported.

To mitigate these attacks, a client and AP should only enable groups that are known to be secure. For information on which groups should be avoided, we refer to RFC 8247.
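Both the timing-based advice above (disable MODP groups 22, 23 and 24, and preferably 1, 2 and 5) and the group-downgrade advice (enable only groups known to be secure) come down to the same configuration knob. The fragment below is a constructed hostapd.conf excerpt added here, not taken from hostapd's documentation or from the paper; `sae_groups` is the real option name in hostapd and wpa_supplicant, and the group numbers are the IANA IKE group identifiers (19, 20 and 21 being the NIST curves P-256, P-384 and P-521).

```ini
# hostapd.conf excerpt (constructed example)

# Weak: the AP is willing to negotiate the MODP groups whose password encoding
# runs a password-dependent number of iterations, so a remote timing attack applies,
# and a downgrade to one of them cannot be refused because they are enabled.
sae_groups=19 20 21 22 23 24

# Corrected: only elliptic-curve groups remain; MODP groups 1, 2, 5, 22, 23 and 24
# are absent, so neither the timing leak nor a forced fallback to them is possible.
sae_groups=19 20 21
```

Keep only one `sae_groups` line in a real file; the two lines above are shown side by side for comparison. A group that is not listed cannot be negotiated at all, which is what closes the downgrade path: the forged "group not supported" message from the previous section can only steer a peer toward a group that peer is still willing to use.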

Flaws in EAP-pwd

Due to the severity of some of our (implementation-specific) attacks against EAP-pwd, we will briefly delay the release of the full details of the vulnerabilities that we discovered. Please use this short time window to update your devices; we plan to provide the full details in as little as a few hours.

Paper

Our research paper behind the attack is titled Dragonblood: A Security Analysis of WPA3's SAE Handshake. The paper focuses on all discoveries related to WPA3. In other words, the recent discoveries concerning the EAP-pwd protocol are not discussed in this paper.

Tools

We have made scripts to test for certain vulnerabilities:

  • Dragonslayer: implements attacks against EAP-pwd (to be released shortly).
  • Dragondrain: this tool can be used to test to what extent an Access Point is vulnerable to denial-of-service attacks against WPA3's SAE handshake.
  • Dragontime: this is an experimental tool to perform timing attacks against the SAE handshake if MODP group 22, 23, or 24 is used. Note that most WPA3 implementations by default do not enable these groups.
  • Dragonforce: this is an experimental tool which takes the information recovered from our timing or cache-based attacks, and performs a password partitioning attack. This is similar to a dictionary attack.

Q&A

Why aren't there more Q&A entries?

We discovered certain implementation-specific vulnerabilities in the EAP-pwd protocol fairly late during the embargo period. In the past days we focused on helping vendors write and audit patches for EAP-pwd to prevent the most critical attacks, instead of working on the website. We will further update the website over the next hours and days!