New “Dragonblood” vulnerability affects the Wi-Fi WPA3 standard
It’s less than a year old, but the WPA3 security standard for Wi-Fi has already had a set of flaws made public by two researchers. Released in June 2018, WPA3 was a necessary upgrade after the KRACK key-reinstallation attack exposed serious weaknesses in WPA2’s four-way handshake. WPA3 brings several features that make it more secure than its predecessor: the Wi-Fi Alliance released Opportunistic Wireless Encryption for open networks alongside it (under the Wi-Fi Enhanced Open name), and WPA3-Personal replaces the old pre-shared-key handshake with Simultaneous Authentication of Equals (SAE), completely changing how a device and an access point authenticate each other.
In spite of these improvements, WPA3 is far from perfect. Researchers Mathy Vanhoef and Eyal Ronen have revealed five vulnerabilities that they collectively refer to as “Dragonblood.” If exploited, most of them allow an attacker within radio range of the victim’s network to recover the Wi-Fi password, and with it full access to the network. The vulnerabilities fall into two categories: downgrade attacks against WPA3-capable devices, and weaknesses in WPA3’s Dragonfly handshake. Dragonfly (standardised in WPA3 as SAE) is a password-authenticated key exchange: the client and the access point each prove knowledge of the Wi-Fi password and derive a fresh session key without ever sending the password, or a hash of it, over the air. That is what is supposed to make the handshake resistant to the offline dictionary attacks that work against a captured WPA2 handshake.
Of the five vulnerabilities detailed by Vanhoef and Ronen, one is only capable of crashing WPA3 access points (a denial of service). The other four can lead to recovery of the Wi-Fi password. The two downgrade attacks essentially bypass WPA3 altogether. In WPA3’s transition mode a network accepts both WPA2 and WPA3 clients with the same password, so an attacker can set up a rogue access point that advertises only WPA2; a client that connects to it performs the older WPA2 four-way handshake, and the captured handshake can be fed to the well-understood offline dictionary attacks that already work against WPA2. The second downgrade variant instead forces the Dragonfly handshake itself onto a weaker cryptographic group than the devices would otherwise negotiate. The other two attacks are side-channel information leaks. Here the attacker does not weaken the algorithm at all. The step of Dragonfly that converts the password into a group element (the “hunting and pecking” loop) runs a number of iterations that depends on the password and on the two devices’ MAC addresses, and that count shows up in the handshake’s timing for certain MODP groups and in the device’s cache access patterns for elliptic-curve groups. Each observation leaks only a small amount of information about the password, but the attacker can spoof different client MAC addresses to repeat the handshake many times and then run an offline dictionary attack that discards every candidate password inconsistent with the observed leaks, piecing the password together from the small amounts of information gained each time.
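To make the “small leaks, pieced together” mechanism concrete, here is an added example that is not code from the original article or from Vanhoef and Ronen’s tools. It models the hunting-and-pecking loop with a toy 15-bit prime in place of a real MODP group prime, lets the attacker read the iteration count directly instead of recovering it from response timing, and then prunes a constructed dictionary against those observations. The prime, the MAC addresses, the password and the dictionary are all made up for the demonstration, and the real protocol’s KDF and subgroup check are simplified away.

```python
import hashlib
import hmac

# Toy prime standing in for the MODP group prime p (assumption, not a real group).
# It is 15 bits wide while the derived value is 16 bits, so "value < p" fails for
# roughly half of all iterations, which gives the count its password-dependent spread.
TOY_PRIME = 32749


def hunting_and_pecking(password: bytes, mac_a: bytes, mac_b: bytes, p: int = TOY_PRIME):
    """Toy model of the Dragonfly/SAE hunting-and-pecking loop for MODP groups.

    Returns (password_element, iterations). Like the vulnerable implementations, the
    loop returns as soon as a derived value lands below p, so the number of iterations
    (and therefore the handshake's timing) depends on the password and on both MACs.
    The real protocol uses HMAC-SHA256 as H(), a KDF to stretch the seed to len(p)
    bits and an extra subgroup check; all of that is simplified here.
    """
    # Both peers sort the MAC addresses so that they derive the same element.
    macs = max(mac_a, mac_b) + min(mac_a, mac_b)
    counter = 0
    while True:
        counter += 1
        base = hmac.new(macs, password + counter.to_bytes(2, "big"), hashlib.sha256).digest()
        value = int.from_bytes(base[:2], "big")  # truncate to the bit length of p
        if value < p:
            return value, counter


def observe_timings(password: bytes, ap_mac: bytes, client_macs):
    """Attacker, online phase: connect once per spoofed client MAC and measure how long
    the AP takes to answer. In this toy the measurement is the iteration count itself."""
    return [(mac, hunting_and_pecking(password, mac, ap_mac)[1]) for mac in client_macs]


def prune_dictionary(observations, ap_mac: bytes, dictionary):
    """Attacker, offline phase: a candidate survives only if it reproduces the observed
    iteration count for every spoofed MAC. Also returns the survivor count after each
    observation so the pruning rate is visible."""
    survivors = list(dictionary)
    history = [len(survivors)]
    for mac, iterations in observations:
        survivors = [c for c in survivors
                     if hunting_and_pecking(c, mac, ap_mac)[1] == iterations]
        history.append(len(survivors))
    return survivors, history


# Constructed sample data: a real passphrase hidden in a small dictionary of look-alikes.
AP_MAC = bytes.fromhex("a0b1c2d3e4f5")
REAL_PASSWORD = b"wifi-2718"
DICTIONARY = [f"wifi-{i:04d}".encode() for i in range(5000)]
# 32 locally administered MAC addresses the attacker spoofs, one per handshake attempt.
SPOOFED_MACS = [bytes([0x02, 0x00, 0x00, 0x00, 0x00, i]) for i in range(32)]


def run_attack():
    """Full attack against the constructed network: returns (survivors, history)."""
    observations = observe_timings(REAL_PASSWORD, AP_MAC, SPOOFED_MACS)
    return prune_dictionary(observations, AP_MAC, DICTIONARY)


if __name__ == "__main__":
    survivors, history = run_attack()
    print("candidates left after each observation:", history)
    print("recovered:", survivors)
```

With a roughly 50% exit chance per iteration, a wrong candidate reproduces an observed count with probability 1/4 + 1/16 + 1/64 + ... = 1/3, so every spoofed MAC discards about two thirds of the remaining dictionary (about 1.6 bits of information per handshake). That is why the patched implementations run the loop a fixed number of iterations, in constant time, regardless of the password: the count then no longer says anything about it.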
We’re not going to go into detailed explanations in this article; should you wish to learn more, the details are in Vanhoef and Ronen’s paper, “Dragonblood: Analyzing the Dragonfly Handshake of WPA3 and EAP-pwd.” The two researchers also published tools that can be used to determine whether or not a WPA3-enabled device suffers from these flaws.
The Wi-Fi Alliance has been quick on the trigger, however, announcing today that it is releasing a security update for the WPA3 standard. The update is a direct response to Dragonblood and aims to fix the vulnerabilities it exposed. It’s worth noting that these vulnerabilities are only present in WPA3-Personal, the variant that uses the Dragonfly (SAE) handshake. WPA3-Enterprise, which does not use that handshake, appears to be unaffected.