WPA3: Dead On Arrival?
WPA3 is the brand new WiFi standard that was set to end WiFi hacking forever; it was announced about this time last year. Our current WiFi standard, WPA2, has been around for over a decade and has enormous problems. From the recent KRACK issue to 4-way handshake vulnerabilities to deauthing, it's about time we got something new. Enter WPA3, widely hailed as the solution to WPA2's woes. Alas, it looks like we spoke too soon...
Remember KRACK, the nail in the coffin for WPA2 security? The same researcher who exposed that, Mathy Vanhoef, along with his contemporaries, is at the center of discovering all these new flaws in WPA3, which is just being rolled out. They call this pack of vulnerabilities 'dragonblood' since WPA3's flagship feature is called the 'dragonfly key exchange system'. So, let's dig in.
WPA3 was initially praised for ending deauthentication attacks: a vulnerability in WPA2 that allows an attacker to kick people off a WiFi network, regardless of whether the attacker has access to it or not. Well, it would seem that another denial-of-service vulnerability has been unintentionally created in WPA3. Whilst WPA3 introduces new and improved security features, these features can be very computationally expensive, which just means they need a lot of processing power to implement.
The above is an abstraction of how a WPA3 connection is established (it just shows the messages exchanged between a client and access point). If we look at the top section you'll see two 'Auth-commit' messages. To put it simply, they are very computationally expensive for a router to process, which shouldn't normally be an issue (actually it's a good sign of a strong cryptographic algorithm). However, if you have an attacker who spoofs these frames and spams them at a router, it can overwhelm an access point to the point where the access point just nopes out and crashes. This is pretty dire seeing as most hardware can only deal with 16 of these commit frames per second. So it's real straightforward to BTFO a router.
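To make the defensive side of this concrete, here is a small detector that watches the AP-wide rate of Auth-commit frames against the 16-per-second figure above. It is an added example, not part of the original post or the researchers' tooling; the frame tuples are a constructed sample and the function names are hypothetical.

```python
from collections import deque

COMMIT_BUDGET_PER_SEC = 16  # per-second figure quoted in the article


def build_sample():
    """Constructed capture summary: (timestamp_s, source_mac, frame_type)."""
    frames = [
        (0.10, "aa:bb:cc:00:00:01", "auth-commit"),
        (0.40, "aa:bb:cc:00:00:02", "auth-commit"),
        (0.90, "aa:bb:cc:00:00:01", "auth-confirm"),
        (9.00, "aa:bb:cc:00:00:03", "auth-commit"),
    ]
    # Burst of 40 commits inside half a second, each from a different address.
    for i in range(40):
        frames.append((5.0 + i * 0.0125, "02:00:00:00:00:%02x" % i, "auth-commit"))
    return frames


def detect_commit_floods(frames, budget=COMMIT_BUDGET_PER_SEC, window=1.0):
    """Return one alert per burst where commits inside `window` seconds exceed `budget`.

    Counting is AP-wide, not per source: the source address of a spoofed
    frame is chosen by the sender, so a per-MAC limit would never trip.
    """
    recent = deque()   # (timestamp, source) of commits inside the window
    alerts = []
    active = None      # alert currently being extended, if any
    for ts, src, kind in sorted(frames):
        if kind != "auth-commit":
            continue
        recent.append((ts, src))
        while ts - recent[0][0] >= window:
            recent.popleft()
        if len(recent) <= budget:
            active = None
            continue
        if active is None:
            active = {"start": recent[0][0], "peak": 0, "sources": set()}
            alerts.append(active)
        active["peak"] = max(active["peak"], len(recent))
        active["sources"].update(s for _, s in recent)
    return alerts


if __name__ == "__main__":
    for a in detect_commit_floods(build_sample()):
        print(a["start"], a["peak"], len(a["sources"]))
```

A burst in which nearly every commit comes from a different source address is the pattern to look for, since ordinary clients send only a few commits per connection attempt.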
Two of the other vulnerabilities discovered are known as 'side-channel' attacks. Now, a side-channel attack isn't necessarily a vulnerability in the maths and algorithms of WPA3 itself, but rather a vulnerability in how something (in this case WPA3) is implemented. Firstly we've got a timing-based side-channel attack. Remember how those commit frames are pretty computationally expensive and take some time to process? Well, apparently it's possible to time how long it takes for an access point to respond to these frames, and the amount of time it takes may actually leak information about the password itself. Though this only affects some of the cryptographic methods that WPA3 access points use, the information leaked can be used to perform a dictionary attack.
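A simplified model of why processing time can depend on the password, with the fixed-iteration form beside it: a try-and-increment loop that stops at the first valid candidate does a password-dependent amount of work, while a loop that always runs the same number of rounds does not. This is an added example, not code from the original post or the researchers' tools; the toy prime, the stand-in validity test, the 40-round count and all names are assumptions chosen for illustration.

```python
import hashlib

P = 2**31 - 1  # toy prime for the model (assumption); real groups are far larger

# Constructed sample inputs for the demonstration.
SAMPLE_AP = bytes.fromhex("aabbcc000001")
SAMPLE_STA = bytes.fromhex("aabbcc000002")
SAMPLE_PASSWORDS = [b"candidate-%02d" % i for i in range(32)]


def _candidate(password, mac_a, mac_b, counter):
    """Hash both addresses, the password and a counter into a number below P."""
    lo, hi = sorted([mac_a, mac_b])
    data = hi + lo + password + bytes([counter])
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % P


def _accept(x):
    """Stand-in validity test that passes for about half of all candidates."""
    return x != 0 and pow(x, (P - 1) // 2, P) == 1


def derive_variable(password, mac_a, mac_b):
    """Stop at the first valid candidate: work done depends on the password."""
    counter = 0
    while True:
        counter += 1
        x = _candidate(password, mac_a, mac_b, counter)
        if _accept(x):
            return x, counter


def derive_fixed(password, mac_a, mac_b, rounds=40):
    """Always run `rounds` iterations and keep the first valid candidate."""
    found = None
    for counter in range(1, rounds + 1):
        x = _candidate(password, mac_a, mac_b, counter)
        if _accept(x) and found is None:
            found = x
    return found, rounds


def iteration_profile(passwords, mac_a, mac_b, derive):
    """Map each password to the number of iterations `derive` performed."""
    return {pw: derive(pw, mac_a, mac_b)[1] for pw in passwords}
```

Both functions return the same element for a given password; only the amount of work differs. A fixed round count removes the iteration-count signal only, so each round's own work also has to run in constant time.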
The other side-channel attack is cache-based, which is slightly different. When a phone or computer is constructing one of these commit frames to send to a router, it's possible to discover information about the password if you're observing memory access patterns on the device. Now, that might seem technical and difficult, though it is possible if an attacker is controlling any application on a victim device. So a rogue app could spell disaster. Even worse, it's possible that just by running JavaScript in a web browser you are leaving the door open to this vulnerability. By observing memory access patterns associated with a password, it's possible to run a dictionary attack until you get the same memory patterns, thus revealing the password.
One of the main vulnerabilities discovered by the researchers is a downgrade attack. The architects of WPA3 of course want it to be backwards compatible; you don't want to buy a new router tomorrow and discover it won't work with your phone. So WPA3 routers also support WPA2. That seems sensible enough, but the issue is that an attacker can set up a rogue access point and force clients that support WPA3 into connecting using WPA2. The attacker can capture this partial handshake and use it to perform a dictionary attack, leaving us in the same boat as if we had just stuck with WPA2 all along.
The second downgrade attack relies on the fact that WPA3 supports multiple cryptographic standards that vary in strength. It's possible for an attacker to impersonate an access point and trick a user's device into using a less secure cryptographic method, again dramatically increasing the likelihood of cracking a password.
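Both downgrade paths above come down to what the access point is configured to accept, so here is a short auditor for a hostapd-style configuration that flags WPA2/WPA3 mixed mode and SAE groups outside an allow-list. It is an added example, not from the original post; the two configurations are constructed samples, and the allow-list of groups 19, 20 and 21 is an assumed local policy rather than something the article specifies.

```python
ALLOWED_SAE_GROUPS = {19, 20, 21}  # assumed policy: NIST P-256/P-384/P-521 only

# Constructed sample configurations.
TRANSITION_CONF = """
ssid=example
wpa=2
wpa_key_mgmt=WPA-PSK SAE
ieee80211w=1
sae_groups=19 22 24
"""

WPA3_ONLY_CONF = """
ssid=example
wpa=2
wpa_key_mgmt=SAE
ieee80211w=2
sae_groups=19 20
"""


def parse_conf(text):
    """Parse key=value lines, skipping blanks and # comments."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        conf[key.strip()] = value.strip()
    return conf


def audit(text):
    """Return a list of downgrade-related findings for one configuration."""
    conf = parse_conf(text)
    findings = []
    akms = set(conf.get("wpa_key_mgmt", "").split())
    # WPA2 and WPA3 offered together: clients can be steered to the WPA2 handshake.
    if "SAE" in akms and akms & {"WPA-PSK", "WPA-PSK-SHA256"}:
        findings.append("transition-mode")
    # WPA3-only operation requires management frame protection (value 2).
    if "SAE" in akms and conf.get("ieee80211w", "0") != "2":
        findings.append("pmf-not-required")
    groups = {int(g) for g in conf.get("sae_groups", "").split()}
    outside = sorted(groups - ALLOWED_SAE_GROUPS)
    if outside:
        findings.append("sae-groups-outside-policy:" + ",".join(map(str, outside)))
    return findings
```

An AP-side setting does not stop a client from answering a rogue WPA2 network with the same name, so the saved network profile on each client needs the same WPA3-only restriction.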
Now, this may all seem pretty bad, but there's more: the researchers have a trump card, a vulnerability that affects the dragonfly key exchange system itself. This is a big deal. As far as I can tell, though, they haven't made information about this public just yet, as the patching process is still in progress.
All these vulnerabilities were disclosed in the proper way, to the Wi-Fi Alliance and vendors in advance of being made public. You should of course update all of your devices. The problem with the Wi-Fi Alliance (the organisation that comes up with all these standards) is that they do it in a very closed-off, secretive way. The researchers did note that the attacks could have been avoided if the Wi-Fi Alliance had created the WPA3 certification in a more open manner.
If you're technically inclined and want to try to replicate these attacks, the researchers have released a set of tools that can help you do just that. Luckily, though, since WPA3 is only just starting to be rolled out, there aren't many devices in the wild just yet, so after these have all been patched it should be plain sailing... Until something new comes along.