It wasn’t that long ago that the Wi-Fi world was startled by the announcement of the KRACK vulnerability, and people everywhere started worrying about the security of their network. Now, here we are again with a brand new, shiny standard (WPA3) that is supposedly already broken upon its release to the world. So what is this dragonblood, and just how will it affect your network?
To review the paper itself, check out https://papers.mathyvanhoef.com/dragonblood.pdf
Dragonblood is the name given to this set of vulnerabilities discovered around WPA3-SAE, and is a play on words with the name of the SAE handshake called dragonfly. The particular vulnerabilities were all targeted around the pre-shared key standard, which within the WPA3 standard are known as WPA3-SAE. Previously, we noted pre-shared key networks as WPA2-PSK or WPA-PSK with the big difference around WPA3-SAE being that the SAE handshake provides forward secrecy as the password is never transmitted over-the-air (OTA). So with a little background out of the way, what were the issues discovered?
The following three issues are the big ones, but for a full outline of the issues, check out Dan Harkins’ post on the Aruba Networks, an HPE company site: https://blogs.arubanetworks.com/solutions/dragonblood-an-analysis-of-the-wpa3-sae-handshake/
- Transition mode attacks
Within WPA3-SAE, the standard included the ability to support older clients that could not communicate via WPA3. In order to support those older clients, the transition mode was defined that allowed the same BSS to support both WPA2-PSK and WPA3-SAE simultaneously. What the researchers discovered was that if you triggered transition mode to allow WPA2-PSK connections, you could initiate a dictionary attack against the resulting key exchange that occurred. This obviously is not a problem with WPA3 entirely, but moreso against the transition piece that was included. Something that could easily be resolved by eliminating this transition mode.
2. Side Channel attacks
These attacks could also be looked at as denial-of-service attacks as they are basically an attempt to overload the processor of the AP to a point that it can no longer process incoming frames. This is due to it being impossible to prevent malicious clients from sending bogus frames in the air. Let’s face it folks, we’ve never been able to do this so this is another one of those things I don’t really see as a failure of WPA3. I see it as the failure of certain vendors to implement measures to prevent such attacks.
In my [Scott’s] opinion, with the understanding that obviously I’m not a security expert, the vast majority of these attacks are due to vendor implementation and countermeasures can easily be deployed in code to prevent them from occurring.
3. Downgrade attacks
With a downgrade attack, the client and AP must negotiate the cryptographic group to be used during the handshake. Within this negotiation, it opens up the ability for a malicious character to insert themselves as a man-in-the-middle (MiTM) and continue to decline the AP provided group until a weak group is allowed. There are known weak groups within the IANA that should not be used during this handshake, but some vendors could chose to honor those. Thus another event where a simple countermeasure could be for the AP to not honor groups below a certain security threshold.
While these are the 3 things that I feel are most critical, you can find the other 2 talked about in the paper itself, or in the Aruba blog that I linked above. All of these seem to be things that can easily be countered by some simple countermeasures that should be implemented by the AP vendors. Therefore, in my opinion, I don’t see these as critical flaws within the WPA3 standard, but flaws within how vendors chose to implement it. Even with these “issues” WPA3 is still vastly more secure than previous security standards. We can only hope that vendor’s apply the proper countermeasures and that WPA3 is adopted rapidly.
Lastly, I think it’s important to note that these measures were all targeted against WPA3-SAE. They were not targeted against WPA3-Enterprise that utilizes certificate based authentication. It begs the question, “As a network administrator, why are you still using pre-shared key mechanisms?”
To answer this question stay tuned to the Aruba Networks Blog site for my recommendations coming in the near future on what my security methodology is when it comes to securing your Wi-Fi network.
Until next time,
Find me on twitter as @theITrebel, and I also host a technology podcast, The Contention Window that can be found on Apple Podcasts, Google Play Music, Stitcher, and the TCW website.
*Graphic courtsey of https://wpa3.mathyvanhoef.com