Security researchers have discovered a new vulnerability in the WPA3 protocol, named “Dragonblood”, that allows hackers to steal the WiFi password of a WPA3-enabled WiFi network.
This serious vulnerability in the WPA3 protocol lets cyber criminals crack the password and access the encrypted traffic to steal sensitive transmitted data such as credit card numbers, passwords, chat messages, and emails.
The WPA3 protocol was recently announced by the Wi-Fi Alliance, which claims that it is impossible to crack a network's password thanks to the powerful Dragonfly handshake, but the new Dragonblood vulnerability has now proven that claim wrong.
Design Flaws in the WPA3 Dragonblood Vulnerability
The researchers uncovered 2 different design flaws in the WPA3 protocol:
1. Downgrade attacks
2. Side-channel leaks
Because a WPA3-enabled WiFi network supports both WPA2 and WPA3, an attacker can set up a rogue access point that only supports WPA2 so that the connection uses WPA2’s 4-way handshake, which the attacker can then use to perform an offline dictionary attack.
Researchers said, “Although the client detects the downgrade-to-WPA2 during the 4-way handshake, this is too late. The 4-way handshake messages that were exchanged before the downgrade was detected, provide enough information to launch an offline dictionary attack.”
The second flaw, side-channel leaks, allows attackers to perform cache-based and time-based side-channel attacks.
In the cache-based side-channel attack (CVE-2019-9494), attackers run unprivileged code on the victim machine, which allows them to determine which branch was taken in the first iteration of Dragonfly's password generation algorithm.
“This information can be abused to perform a password partitioning attack (this is similar to an offline dictionary attack).”
Similarly, the time-based side-channel attack (CVE-2019-9494) abuses the password encoding algorithm of the Dragonfly handshake to perform the same password partitioning attack, which is similar to an offline dictionary attack.
The two researchers who discovered this vulnerability, Mathy Vanhoef (NYUAD) and Eyal Ronen (Tel Aviv University & KU Leuven), made scripts to test for certain Dragonblood vulnerabilities discovered in the WPA3 protocol:
- Dragonslayer: implements attacks against EAP-pwd (to be released shortly).
- Dragondrain: this tool can be used to test to which extent an Access Point is vulnerable to denial-of-service attacks against WPA3’s SAE handshake.
- Dragontime: this is an experimental tool to perform timing attacks against the SAE handshake if MODP group 22, 23, or 24 is used. Note that most WPA3 implementations by default do not enable these groups.
- Dragonforce: this is an experimental tool which takes the information recovered from our timing or cache-based attacks, and performs a password partitioning attack. This is similar to a dictionary attack.
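As an added example (not from the original article or the researchers' tools), the following Python script audits an access point configuration for the two exposures described above: mixed WPA2/WPA3 operation, which makes the downgrade possible, and SAE offered with MODP group 22, 23, or 24. It assumes a hostapd-style key=value file with a single BSS and hostapd's wpa_key_mgmt and sae_groups settings; the finding names and the sample configurations are constructed for illustration.

```python
# Added example: defensive audit of a hostapd-style configuration.
# Assumptions: single-BSS file, hostapd keys wpa_key_mgmt and sae_groups.

RISKY_MODP_GROUPS = {22, 23, 24}  # groups named in the article for the timing attack
SAE_AKMS = {"SAE", "FT-SAE"}
PSK_AKMS = {"WPA-PSK", "FT-PSK", "WPA-PSK-SHA256"}

def parse_conf(text):
    """Parse key=value lines, skipping blank lines and '#' comment lines."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        conf[key.strip()] = value.strip()
    return conf

def audit(text):
    """Return a list of finding identifiers (hypothetical names) for one config."""
    conf = parse_conf(text)
    akms = set(conf.get("wpa_key_mgmt", "").split())
    has_sae = bool(akms & SAE_AKMS)
    has_psk = bool(akms & PSK_AKMS)
    findings = []
    # WPA2 and WPA3 offered together: clients can be steered to WPA2's 4-way handshake.
    if has_sae and has_psk:
        findings.append("wpa2-wpa3-mixed-mode")
    # SAE with MODP group 22, 23 or 24 explicitly enabled.
    groups = {int(g) for g in conf.get("sae_groups", "").split() if g.isdigit()}
    risky = sorted(groups & RISKY_MODP_GROUPS)
    if has_sae and risky:
        findings.append("sae-modp-groups:" + ",".join(map(str, risky)))
    return findings

# Constructed sample configurations (not taken from any real device).
SAMPLE_MIXED = """
# constructed sample: mixed mode with MODP groups enabled
ssid=office
wpa=2
wpa_key_mgmt=WPA-PSK SAE
sae_groups=19 22 24
"""
SAMPLE_SAE_ONLY = """
ssid=office
wpa=2
wpa_key_mgmt=SAE
sae_groups=19
"""

if __name__ == "__main__":
    for name, sample in (("mixed", SAMPLE_MIXED), ("sae-only", SAMPLE_SAE_ONLY)):
        print(name, audit(sample) or "no findings")
```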
Wi-Fi Alliance Patched Both Vulnerabilities
Both vulnerabilities are now patched, and an update has been released by the Wi-Fi Alliance, a non-profit organization that promotes Wi-Fi technology and certifies Wi-Fi products for conformity to certain standards of interoperability.
According to the Wi-Fi Alliance, “There is no evidence of the vulnerability being used against Wi-Fi users maliciously, and Wi-Fi Alliance® has taken immediate steps to ensure users can count on WPA3-Personal to deliver even stronger security protections.”
“These issues can be resolved through a straightforward software update – a process much like the software updates Wi-Fi users regularly perform on their mobile devices.”