In April this year, information security experts Mathy Vanhoef and Eyal Ronen published a set of WPA3 vulnerabilities called DragonBlood, named “in honor of” Dragonfly, the vulnerable mechanism by which clients authenticate on devices that support the new WPA3 standard.
Although this “handshake” mechanism was previously thought to be safe, Vanhoef and Ronen proved that assumption wrong. Five vulnerabilities were grouped under the DragonBlood name: a denial of service, two problems leading to side-channel leaks, and two other problems associated with connection downgrades. As a result, DragonBlood allowed an attacker within range of the Wi-Fi network to recover the victim’s passwords and penetrate the network.
Now Vanhoef and Ronen have released details of two more vulnerabilities, which appeared after the WiFi Alliance prepared protections against the original bugs. Like the April vulnerabilities, these new problems allow attackers to “drain” information about WPA3 cryptographic operations and brute-force the passwords of Wi-Fi networks.
“It’s exceptionally hard to implement all parts of WPA3 without introducing side-channel leaks. The best approach to securely implement WPA3 that we encountered so far is the one of Microsoft: only support cryptographic group 19, and follow their techniques to implement the hunting and pecking algorithm”, the researchers report.
The first vulnerability received the identifier CVE-2019-13377 and affects the WPA3 Dragonfly handshake when Brainpool curves are used. In April, experts found that a key exchange based on the P-521 elliptic curve could be reduced to the weaker P-256.
As a result, the WiFi Alliance recommended that vendors use the more reliable Brainpool curves instead. However, the experts now write that this change only created a new opportunity for side-channel attacks, and that the resulting leak can be used to crack passwords.
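The following added example (not code from the researchers or from any WPA3 implementation) shows why the choice of curve matters to the hunting and pecking algorithm: each iteration derives a 256-bit candidate from the password and must discard it if it is not smaller than the curve's prime, which almost never happens for group 19 (P-256) but happens in roughly a third of iterations for brainpoolP256r1 (group 28), so the amount of work depends on the password. Assumptions: plain SHA-256 stands in for the standard's key derivation step, and the passwords and the 40-round count are constructed sample values.

```python
import hashlib

# Field primes of the two 256-bit curves (public domain parameters).
P256 = int("FFFFFFFF00000001000000000000000000000000FFFFFFFFFFFFFFFFFFFFFFFF", 16)  # group 19
BRAINPOOL_P256R1 = int(
    "A9FB57DBA1EEA9BC3E660A909D838D726E3BF623D52620282013481D1F6E5377", 16)        # group 28


def reject_probability(prime, bits=256):
    """Exact chance that a uniform `bits`-bit candidate is >= prime."""
    return ((1 << bits) - prime) / (1 << bits)


def candidate(password, counter):
    """Simplified per-iteration candidate (assumption: SHA-256, not the real KDF)."""
    data = password.encode() + counter.to_bytes(1, "big")
    return int.from_bytes(hashlib.sha256(data).digest(), "big")


def rejected_iterations(password, prime, rounds=40):
    """Count iterations whose candidate is discarded because it is >= prime."""
    return sum(candidate(password, c) >= prime for c in range(1, rounds + 1))


def survey(prime, passwords, rounds=40):
    """Rejected-iteration count for each password; variation here is the leak."""
    return [rejected_iterations(pw, prime, rounds) for pw in passwords]


# Constructed sample passwords, not taken from any real network.
SAMPLE_PASSWORDS = [f"constructed-password-{i}" for i in range(50)]

if __name__ == "__main__":
    for name, prime in (("P-256", P256), ("brainpoolP256r1", BRAINPOOL_P256R1)):
        counts = survey(prime, SAMPLE_PASSWORDS)
        print(f"{name}: reject probability {reject_probability(prime):.3g}, "
              f"rejected iterations per password min={min(counts)} max={max(counts)}")
```

An implementation that skips or shortens work for a discarded candidate exposes that per-password variation through timing or cache behaviour, which is why the loop has to do identical work on every iteration whichever curve is configured.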
“Even if the advice of the Wi-Fi Alliance is followed, implementations remain at risk of attacks. This demonstrates that implementing Dragonfly and WPA3 without side-channel leaks is surprisingly hard. It also, once again, shows that privately creating security recommendations and standards is at best irresponsible and at worst inept”, Vanhoef and Ronen say.
The second vulnerability has the identifier CVE-2019-13456 and concerns the implementation of EAP-pwd in the FreeRADIUS framework, which is used by many vendors. As with the previous vulnerability, the EAP-pwd authentication process on some devices with FreeRADIUS support leaks information, which allows attackers to recover passwords.
The experts have already reported their findings to the WiFi Alliance and now say that fixing the new issues could lead to the release of WPA3.1. It is noted that the new security features are incompatible with WPA3, but will protect against the majority of the attacks developed by Vanhoef and Ronen.