Researchers have uncovered a pair of new weaknesses in the WPA3 security standard that is used to protect wireless traffic, vulnerabilities that could allow an attacker to gather enough information to brute-force the password for a WiFi network.
The weaknesses lie in the way that the Dragonfly handshake is implemented in WPA3, the most recent iteration of the main WiFi security protocol. Dragonfly is the authentication handshake that occurs when devices join a WPA3-protected wireless network, and it’s designed to be resistant to the kinds of attacks that leak cryptographic information. In April, a pair of security researchers discovered a set of serious flaws in the WPA3 implementation of Dragonfly. The researchers, Mathy Vanhoef and Eyal Ronen, reported the vulnerabilities privately to the affected vendors and the Wi-Fi Alliance, and fixes were developed. Those initial vulnerabilities allowed for downgrade and side-channel attacks that were easy and effective for attackers to run.
Now, Vanhoef and Ronen have disclosed a new set of weaknesses in Dragonfly that allow attackers to get around some of the countermeasures put in place to fix the original flaws. The new vulnerabilities are the result of an information leak in the Brainpool elliptic curves that the Wi-Fi Alliance recommends be used as part of the Dragonfly cryptographic operations. Vanhoef and Ronen found that under some circumstances, an attacker could gather sensitive data from wireless traffic. The irony is that the recommendation to use the Brainpool curves came as a result of the initial disclosure of the so-called Dragonblood vulnerabilities in April. That recommendation was part of a privately developed set of security standards the alliance put together.
“However, we found that using Brainpool curves introduces a second class of side-channel leaks in the Dragonfly handshake of WPA3. In other words, even if the advice of the Wi-Fi Alliance is followed, implementations remain at risk of attacks,” the researchers said.
“This demonstrates that implementing Dragonfly and WPA3 without side-channel leaks is surprisingly hard. It also, once again, shows that privately creating security recommendations and standards is at best irresponsible and at worst inept.”
Side-channel attacks comprise a wide array of different techniques and can be quite difficult to prevent and defend against. The one that Vanhoef and Ronen discovered most recently in Dragonfly has to do with the way that the protocol deals with password encoding.
“The new side-channel leak is located in the password encoding algorithm of Dragonfly. This algorithm first tries to find a hash output that is smaller than the prime of the elliptic curve being used. With the default NIST curves, such a hash output is practically always found immediately. However, with Brainpool curves, several iterations may have to be executed before finding a hash output smaller than the prime,” the researchers said.
“The number of iterations that didn't have such a valid hash output depends on the password being used and on the MAC address of the client. Simplified, the resulting timing and execution differences can be measured by an adversary.”
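The curve dependence the researchers describe can be reproduced with a short calculation. The following is an added example, not code from the researchers or from any WPA3 implementation: it compares how often a 256-bit hash output fails the "smaller than the prime" check for NIST P-256 and brainpoolP256r1. The HMAC-SHA256 construction is a simplified stand-in for the handshake's real derivation, and the passwords and MAC addresses are constructed.

```python
import hashlib
import hmac

# Field primes of the two 256-bit curves (public curve parameters).
P256_PRIME = 0xFFFFFFFF00000001000000000000000000000000FFFFFFFFFFFFFFFFFFFFFFFF
BRAINPOOL_P256R1_PRIME = 0xA9FB57DBA1EEA9BC3E660A909D838D726E3BF623D52620282013481D1F6E5377

AP_MAC = bytes.fromhex("020000000001")  # constructed, locally administered address


def acceptance_probability(prime: int, bits: int = 256) -> float:
    """Chance that a uniformly random `bits`-bit hash output is below the prime."""
    return prime / (1 << bits)


def rejected_iterations(password: bytes, client_mac: bytes, prime: int,
                        max_iter: int = 40) -> int:
    """Count hash outputs that fail the `< prime` check before one passes.

    Simplified stand-in: HMAC-SHA256 over password and counter, keyed with both
    MAC addresses. The real handshake uses its own KDF and further checks.
    """
    key = max(AP_MAC, client_mac) + min(AP_MAC, client_mac)
    for counter in range(1, max_iter + 1):
        digest = hmac.new(key, password + bytes([counter]), hashlib.sha256).digest()
        if int.from_bytes(digest, "big") < prime:
            return counter - 1
    return max_iter


def fraction_with_rejections(prime: int, samples: int = 2000) -> float:
    """Share of constructed passwords needing at least one extra iteration."""
    client = bytes.fromhex("020000000002")  # constructed
    hits = sum(rejected_iterations(f"constructed-pw-{i}".encode(), client, prime) > 0
               for i in range(samples))
    return hits / samples


def counts_per_client(password: bytes, prime: int, clients: int = 64) -> set:
    """Distinct rejection counts for one password across constructed client MACs."""
    return {rejected_iterations(password, bytes([2, 0, 0, 0, 1, i]), prime)
            for i in range(clients)}


if __name__ == "__main__":
    for name, p in (("P-256", P256_PRIME), ("brainpoolP256r1", BRAINPOOL_P256R1_PRIME)):
        print(name, round(acceptance_probability(p), 4),
              fraction_with_rejections(p), sorted(counts_per_client(b"constructed", p)))
```

With P-256 the check passes on the first try for every sample, so the loop does the same amount of work regardless of input. With brainpoolP256r1 roughly a third of hash outputs are rejected, and the rejection count changes with both the password and the client MAC address.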
Vanhoef will present more information on the Dragonblood weaknesses at the Black Hat USA conference Wednesday in Las Vegas.
“Fortunately, as a result of our research, both the Wi-Fi standard and EAP-pwd are being updated with a more secure protocol. Although this update is not backwards-compatible with current deployments of WPA3, it does prevent most of our attacks,” the researchers said.