The next-generation Wi-Fi Protected Access protocol released 15 months ago was once hailed by key architects as resistant to most types of password-theft attacks that threatened its predecessors. On Wednesday, researchers disclosed several serious design flaws in WPA3 that shattered that myth and raised troubling new questions about the future of wireless security, particularly among low-cost Internet-of-things devices.
While a big improvement over the earlier and notoriously weak Wired Equivalent Privacy and the WPA protocols, the current WPA2 version (in use since the mid 2000s) has suffered a crippling design flaw that has been known for more than a decade: the four-way handshake—a cryptographic process WPA2 uses to validate computers, phones, and tablets to an access point and vice versa—contains a hash of the network password. Anyone within range of a device connecting to the network can record this handshake. Short passwords or those that aren’t random are then trivial to crack in a matter of seconds.
One of WPA3’s most promoted changes was its use of “Dragonfly,” a completely overhauled handshake that its architects once said was resistant to the types of password guessing attacks that threatened WPA2 users. Known in Wi-Fi parlance as the Simultaneous Authentication of Equals handshake, or just SAE for short, Dragonfly augments the four-way handshake with a Pairwise Master Key that has much more entropy than network passwords. SAE also provides a feature known as forward secrecy that protects past sessions against future password compromises.
Same as the old boss
A research paper titled Dragonblood: A Security Analysis of WPA3’s SAE Handshake disclosed several vulnerabilities in WPA3 that open users to many of the same attacks that threatened WPA2 users. The researchers warned that some of the flaws are likely to persist for years, particularly in lower-cost devices. They also criticized the WPA3 specification as a whole and the process that led to its formalization by the Wi-Fi Alliance industry group.
“In light of our presented attacks, we believe that WPA3 does not meet the standards of a modern security protocol,” authors Mathy Vanhoef of New York University, Abu Dhabi, and Eyal Ronen of Tel Aviv University and KU Leuven wrote. “Moreover, we believe that our attacks could have been avoided if the Wi-Fi Alliance created the WPA3 certification in a more open manner.”
Had the alliance heeded a recommendation made early in the process to move away from so-called hash-to-group and hash-to-curve password encoding, most of the Dragonblood proof-of-concept exploits wouldn't have worked, the researchers went on to say. Now that the Dragonfly is finished, the only option is to mitigate the damage using countermeasures that at best will be "non-trivial" to carry out and may be impossible on resource-constrained devices.
The researchers warned in a blog post that their exploits also work against networks using the Extensible Authentication Protocol. Attackers can exploit the vulnerabilities to recover user passwords when the EAP-pwd option is used. The researchers said they also discovered serious bugs that “allow an adversary to impersonate any user, and thereby access the Wi-Fi network, without knowing the user’s password. Although we believe that EAP-pwd is used fairly infrequently, this still poses serious risks for many users, and illustrates the risks of incorrectly implementing Dragonfly.” Enterprise networks that don't use EAP-pwd aren't vulnerable to any of the attacks described in the paper.
The easiest attack to perform exploits a transition mode that allows WPA3-capable devices to be backward compatible with devices that don’t support the new protocol. There are two ways to perform such a downgrade hack. The first is to perform a man-in-the-middle attack that modifies the wireless beacons in a way that makes a WPA3-enabled router represent itself as being able to only use WPA2. While a WPA3 client device will eventually detect the spoofed beacons and abort the handshake, this security mechanism isn’t tripped until after the attacker has captured the four-way handshake.
A variation of this downgrade attack—usable if the SSID name of the targeted WPA3 network is known—is to forgo the man-in-the-middle tampering and instead create a WPA2-only network with the same name. As long as clients are in transitional mode, they will connect to the WPA2-only access point. As soon as that happens, attackers have the four-way handshake.
The researchers tested a handful of devices and found the latter downgrade attack works against a Samsung Galaxy S10 and the Linux iwd Wi-Fi client. The researchers expect a more thorough search would turn up a much larger number of vulnerable devices. In an email, Vanhoef said the downgrade attacks were “really trivial." He added:
The downgrade to dictionary attack abuses how WPA3-Transition mode is defined, meaning it's a design flaw. In practice we indeed found that most devices are vulnerable to this attack, meaning dictionary attacks can still be performed when WPA3 is used in transition mode. Since the first few years most networks will have to operate in WPA3-Transition mode to support both WPA2 and WPA3 simultaneously, this greatly reduces the advantage of WPA3.
Yet another type of downgrade attack works by jamming and forging messages in the Dragonfly handshake in a way that indicates an access point doesn’t support elliptic curves that are cryptographically strong. The hack can force the access point to use a different curve, presumably one that’s weaker.
A separate timing-based side-channel attack measures the amount of time certain password encoding processes take during the Dragonfly handshake. That information helps an attacker determine how many iterations the password encoding algorithm took.
That information gleaned from either side-channel attack can enable attackers to carry out a password partitioning attack, which is similar to a password-cracking attack. The attacks are inexpensive and require little effort. Brute-forcing the entire set of all possible eight-character lower-case passwords, for instance, required fewer than 40 handshakes and about $125 worth of Amazon EC2 computing resources.
One last category of vulnerability the researchers discovered leaves WPA3 networks open to denial-of-service attacks that can prevent devices from connecting.
Patch your gear, use strong passwords
In a release, officials with the Wi-Fi Alliance wrote:
Recently published research identified vulnerabilities in a limited number of early implementations of WPA3-Personal, where those devices allow collection of side channel information on a device running an attacker’s software, do not properly implement certain cryptographic operations, or use unsuitable cryptographic elements. WPA3-Personal is in the early stages of deployment, and the small number of device manufacturers that are affected have already started deploying patches to resolve the issues. These issues can all be mitigated through software updates without any impact on devices’ ability to work well together. There is no evidence that these vulnerabilities have been exploited.
People should ensure that any WPA3 devices they may be using are running the latest firmware. They should also ensure they are using unique, randomly generated passwords that are at least 13 characters long. Password managers or the use of dice words are two useful ways to ensure password requirements are being met. Security experts have long recommended both these practices. They only become more important now.
Hope and worry
Vanhoef is the researcher behind the KRACK proof-of-concept exploit that made it possible for attackers within radio range of WPA2 devices to recover passwords and other sensitive data carried in wireless signals. By the time his research went public in October 2017, most large device makers already had patches in place, a measure that greatly decreased the motivation of hackers to recreate the attack.
“We hope to achieve the same with our work against WPA3,” Vanhoef wrote in an email. “By researching WPA3 before it is widespread, we greatly increase the chance that most devices will implement our countermeasures.”
In the same email, the researcher also voiced some pessimism about the chances of updates fully mitigating vulnerabilities this time around, particularly in lower-cost devices that don’t have the computing resources to implement the recommended fixes.
“Correctly implementing our suggested backwards-compatible side-channel countermeasures is non-trivial,” he wrote. “This is worrisome, because security protocols are normally designed to reduce the chance of implementation vulnerabilities.”