Collectively dubbed Dragonblood (because they affect WPA3’s Dragonfly handshake), they can be exploited to mount a DoS attack against a vulnerable access point or, more worryingly, to recover the password of a Wi-Fi network.
"Attackers can then read information that WPA3 was assumed to safely encrypt. This can for example be abused to steal sensitive information such as credit cards, passwords, chat messages, emails, and so on, if no extra protection such as HTTPS is used," the researchers, Mathy Vanhoef and Eyal Ronen, noted.
The DoS flaw allows an attacker to overload the target WPA3-enabled access point by initiating a large amount of handshakes.
In one of the downgrade attacks, an attacker with a rogue access point can force the client connecting to it to use WPA2’s 4-way handshake and, consequently, to get enough information to launch an offline dictionary attack. In another, the adversary can downgrade the cryptographic group that is used during WPA3’s Dragonfly handshake and force the the client and AP into using a weaker curve.
The side-channel attacks – one cache-based and the other timing-based – exploit a weakness in the Dragonfly algorithm, allowing the attacker to perform a password partitioning attack (similar to an offline dictionary attack) to recover the Wi-Fi password.
"The resulting attacks are efficient and low cost: bruteforcing all 8-character lowercase password requires less than 125$ in Amazon EC2 instances," the researchers pointed out.
The researchers have yet to publish full details about the vulnerabilities because they also impact EAP-pwd, the authentication protocol supported in the WPA and WPA2 standards.
"Unfortunately, our attacks against WPA3 also work against EAP-pwd, meaning an adversary can even recover a user’s password when EAP-pwd is used. Moreover, we also discovered serious bugs in most products that implement EAP-pwd. These allow an adversary to impersonate any user, and thereby access the Wi-Fi network, without knowing the user’s password," they noted.
"Although we believe that EAP-pwd is used fairly infrequently, this still poses serious risks for many users, and illustrates the risks of incorrectly implementing Dragonfly."
They’ve published tools that can be used to test whether an access point is vulnerable to any of the aforementioned attacks, but have refrained from releasing one that implements attacks against EAP-pwd (although they say they will do it soon). In the meantime, they have been helping vendors to write and audit patches for EAP-pwd.
The researchers have disclosed their findings to the WiFi Alliance, which issued a notice explaining that the found issues "affect a limited number of early implementations of WPA3-Personal" (one of the two WPA3 modes of operation) and they can be resolved with a software update, which users can get from their Wi-Fi device vendor’s website.
"WPA3-Personal is in the early stages of deployment, and the small number of device manufacturers that are affected have already started deploying patches to resolve the issue. The software updates do not require any changes that affect interoperability between Wi-Fi device," the Wi-Fi Alliance explained.
"Wi-Fi Alliance is broadly communicating implementation guidance to ensure vendors understand the relevant security considerations when developing their devices. Wi-Fi CERTIFIED WPA3-Personal now includes additional testing within our global certification lab network to encourage greater adoption of recommended practices."