Security flaws in WPA3 allow attackers to hack passwords

Vulnerabilities in WPA3 enable attackers to take control of Wi-Fi networks and crack encrypted passwords

A string of vulnerabilities in the WPA3 internet security standard could let attackers hack the password of a WiFi network.

Launched just a year ago, WPA3 uses the Advanced Encryption Standard (AES) protocol to improve WiFi network security.

However, a new research paper published by Mathy Vanhoef and Eyal Ronen shows that the protocol may not be as safe as previously thought.

"The WPA3 certification aims to secure WiFi networks, and provides several advantages over its predecessor, WPA2, such as protection against offline dictionary attacks and forward secrecy," wrote the researchers.

"Unfortunately, we show that WPA3 is affected by several design flaws, and analyze these flaws both theoretically and practically."

According to their findings, attackers could leverage timing or cache-based side-channel leaks to work out the password of a WiFi network.

The researchers claimed that this technique can be "abused to steal sensitive transmitted information such as credit card numbers, passwords, chat messages, emails and so on".

They go on to say that WPA3's Simultaneous Authentication of Equals (SAE) handshake, also known as Dragonfly, can be affected by password partitioning attacks.

"These attacks resemble dictionary attacks and allow an adversary to recover the password by abusing timing or cache-based side-channel leaks," they said.

"Our side-channel attacks target the protocol's password encoding method. For instance, our cache-based attack exploits SAE's hash-to-curve algorithm.

"The resulting attacks are efficient and low cost: brute-forcing all 8-character lowercase passwords requires less than $125 in Amazon EC2 instances."

What's more, the researchers identified a denial-of-service attack that works "by initiating a large amount of handshakes with a WPA3-enabled Access Point".

To help people identify and mitigate these attacks, the researchers have released four proof-of-concept tools on GitHub. With them, users can test these vulnerabilities.
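Why a password encoding step can leak through timing is easiest to see in a toy model. The sketch below is an added example, not code from the article, the paper or the researchers' tools: it assumes a try-and-increment encoding on a small constructed curve (all names, parameters and the iteration count of 40 are hypothetical) and compares a loop that stops at the first valid point with one that always runs a fixed number of iterations.

```python
import hashlib

# Toy curve y^2 = x^3 + A*x + B over F_P. Constructed parameters, not a real SAE group.
P = 2**127 - 1
A, B = -3, 7
K = 40  # fixed iteration count for the hardened variant (assumed value)

def candidate_x(password: bytes, mac_a: bytes, mac_b: bytes, counter: int) -> int:
    """Derive the x candidate for one iteration from password, both MACs and a counter."""
    data = max(mac_a, mac_b) + min(mac_a, mac_b) + password + counter.to_bytes(2, "big")
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % P

def has_point(x: int) -> bool:
    """True if x^3 + A*x + B is a square mod P, i.e. some y puts (x, y) on the curve."""
    rhs = (pow(x, 3, P) + A * x + B) % P
    return rhs == 0 or pow(rhs, (P - 1) // 2, P) == 1  # Euler's criterion

def encode_early_exit(password, mac_a, mac_b):
    """Stops at the first valid x, so the work done depends on the secret password."""
    counter = 1
    while not has_point(candidate_x(password, mac_a, mac_b, counter)):
        counter += 1
    return candidate_x(password, mac_a, mac_b, counter), counter

def encode_fixed(password, mac_a, mac_b, k=K):
    """Always runs k iterations and keeps the first valid x found.
    Models iteration count only; Python arithmetic itself is not constant-time."""
    found = None
    for counter in range(1, k + 1):
        x = candidate_x(password, mac_a, mac_b, counter)
        if has_point(x) and found is None:
            found = x
    return found, k

def iteration_profile(passwords, mac_a, mac_b, encoder):
    """Iterations executed per password: what a timing observer would learn."""
    return [encoder(pw, mac_a, mac_b)[1] for pw in passwords]

# Constructed sample input: placeholder MAC addresses and passwords.
AP_MAC, STA_MAC = bytes.fromhex("020000000001"), bytes.fromhex("020000000002")
PASSWORDS = [f"example-{i:02d}".encode() for i in range(50)]

if __name__ == "__main__":
    print("early exit:", iteration_profile(PASSWORDS[:10], AP_MAC, STA_MAC, encode_early_exit))
    print("fixed     :", iteration_profile(PASSWORDS[:10], AP_MAC, STA_MAC, encode_fixed))
```

In the early-exit profile the iteration count varies from password to password, which is the kind of signal a timing measurement exposes; in the fixed profile every password costs the same number of iterations.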

"Nearly all of our attacks are against SAE's password encoding method, ie, against its hash-to-group and hash-to-curve algorithm. Interestingly, a simple change to this algorithm would have prevented most of our attacks," added the academics.

After learning of the vulnerabilities, the WiFi Alliance released a statement: "These issues can be resolved through a straightforward software update - a process much like the software updates WiFi users regularly perform on their mobile devices.

"WPA3-Personal is in the early stages of deployment, and the small number of device manufacturers that are affected have already started deploying patches to resolve the issue.

"The software updates do not require any changes that affect interoperability between WiFi devices. Users can refer to their device vendors' websites for more information."
