Researchers found 5 vulnerabilities in WPA3 Protocol

WPA3 Protocol vulnerability

Security researchers recently revealed a set of vulnerabilities, collectively known as Dragonblood, that affected the WiFi Alliance’s recently released WPA3 Wi-Fi security and authentication standards. If exploited, the vulnerability will allow an attacker within the victim’s network to obtain a Wi-Fi password.

The Dragonblood vulnerability group has a total of five vulnerabilities:

  • CERT ID #VU871675: Downgrade attack against WPA3-Transtition mode leading to dictionary attacks.
  • CERT ID #VU871675: Security group downgrade attack against WPA3’s Dragonfly handshake.
  • CVE-2019-9494: Timing-based side-channel attack against WPA3’s Dragonfly handshake.
  • CVE-2019-9494: Cache-based side-channel attack against WPA3’s Dragonfly handshake.
  • CERT ID #VU871675: Resource consumption attack (i.e. denial of service) against WPA3’s Dragonfly handshake.

In downgrade attacks, networks that support WiFi WPA3 can induce devices to use older, less secure password-switching systems, allowing an attacker to retrieve network passwords using old vulnerabilities.

Inside side-channel leaks attacks, networks that support WiFi WPA3 can trick devices into using weaker algorithms that leak a small amount of information about network passwords. Through repeated attacks, you can finally recover the full password.

As a proof-of-concept, researchers have released four separate tools on GitHub to test for certain vulnerabilities

  • Dragonslayer: implements attacks against EAP-pwd (to be released shortly).
  • Dragondrain: this tool can be used to test to which extend an Access Point is vulnerable to denial-of-service attacks against WPA3’s SAE handshake.
  • Dragontime: this is an experimental tool to perform timing attacks against the SAE handshake if MODP group 22, 23, or 24 is used. Note that most WPA3 implementations by default do not enable these groups.
  • Dragonforce: this is an experimental tool which takes the information recover from our timing or cache-based attacks, and performs a password partitioning attack. This is similar to a dictionary attack.

You can read more information about DragonBlood vulnerabilities here.