Poorly Designed WPA3 Wi-Fi Standard Leads to Multiple ‘Dragonblood’ Flaws

Credit: Tom's HardwareCredit: Tom's Hardware

The researchers who originally uncovered the WPA2 “KRACK” vulnerabilities, which ended up forcing the Wi-Fi Alliance to speed-up the release of the WPA3 security and authentication standard with included fixes, have also found several vulnerabilities in the new WPA3 protocol. The researchers called the flaws “Dragonblood” due to some of the uncovered vulnerabilities affecting the "Dragonfly" handshake protocol used by the WPA3 standard.

WPA3 Tainted by Dragonblood

The WPA3 standard has yet to even come out for many devices or routers, but security researchers have already found two types of design flaws in it. One type involves downgrade attacks, and the other type involves side-channel attacks that leak information about the password being used.

The release of the WPA3 standard was necessary to fix the serious key reinstallation attacks (KRACKs) found by Mathy Vanhoef (now part of the New York University Abu Dhabi), back in 2017. However, the standard may have been rushed or improperly designed, as it now contains several flaws that will likely be difficult to fix for the foreseeable future, even if various mitigations can be implemented whenever a new exploit of these design flaws is found. This time, Vanhoef was also helped by Eyal Ronen of Tel Aviv University and KU Leuven.

WPA3 Downgrade Attacks

The downgrade attack can be used because the Wi-Fi Alliance permitted the fallback to WPA2 handshakes inside the WPA3 protocol to maintain backward compatibility with older routers and computing devices. As such, an attacker can force a client to partly execute a four-way WPA2 handshake, which can then be used to force brute-force attack on the partial WPA2 handshake.

The researchers also discovered another downgrade attack that can exploit the “Dragonfly” handshake used by the WPA3 protocol itself to downgrade to a weaker elliptical curve. If a client supports both the P-521 and P-256 elliptic curves and uses them in that order, an attacker could downgrade the client to use only the weaker P-256 elliptic curve. 

WPA3 Side-Channel Attacks

The side-channel attacks uncovered by the KRACK researchers target Dragonfly’s password encoding method. The first cache-based attack exploits Dragonfly’s hash-to-hash algorithm, and the timing-based attack exploits the hash-to-group algorithm. The information leaked via these side-channel attacks can allow adversaries to perform a password partitioning attack, which is similar to a dictionary attack.

According to the researchers, the side-channel attacks are efficient and low cost. For instance, to brute-force all possible eight-character lowercase passwords, they only needed less than 40 handshakes and $125 worth of Amazon EC2 instances.

The researchers worked with the Wi-Fi Alliance to fix the issues before disclosing the Dragonblood vulnerabilities. The Wi-Fi Alliance said in a press release that not too many vendors have adopted the WPA3 standard yet, so these flaws shouldn’t have affected too many people.

The organization committed to updating the Wi-Fi standard and certification program to include these fixes. However, given that the WPA3 standard seems to have some serious security issues by design (such as allowing fallback to WPA2 or other weaker and crackable security modes), it will likely not be the first time we hear about WPA3 protocol exploits. The difference will be that in a few years, the WPA3 standard will have shipped to millions of devices and routers and issuing updates to them won’t be so easy, considering the state of router firmware and Android software updates today.