WPA3 Dragonblood: A new vulnerability discovered in the WPA3 standard has been named Dragonblood (because it affects WPA3's Dragonfly handshake). It can be exploited for DoS attacks against a vulnerable access point, or for the theft of sensitive data such as Wi-Fi passwords.
"Attackers can read information that WPA3 is supposed to protect by encryption. This can be used to steal sensitive information such as credit cards, passwords, chats, emails, etc., if no additional protection is used, such as HTTPS," say researchers Mathy Vanhoef and Eyal Ronen.
WPA3 Dragonblood Attack Methods
The flaw allows an attacker to mount DoS attacks by overloading an access point that uses the WPA3 standard with a flood of handshake attempts.
The researchers also reported downgrade attacks, in which an attacker at a vulnerable access point forces the user to connect with the 4-way handshake used by the WPA2 standard. In this way enough information is collected to start an offline dictionary attack. In another attack, the attacker can downgrade the cryptographic group used during the WPA3 Dragonfly handshake, forcing the user and the access point to use a weaker cipher.
Two side-channel attacks, one cache-based and one timing-based, can exploit a weakness in the Dragonfly algorithm, allowing the attacker to carry out a password partitioning attack (similar to an offline dictionary attack) to obtain the Wi-Fi access password.
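Two of the symptoms described above, a flood of Dragonfly (SAE) handshake attempts against one access point and a client that previously negotiated WPA3/SAE being steered onto a WPA2 4-way handshake for the same network, are the kind of thing a wireless monitoring system can flag. The following is an added example written for this article, not code from the researchers or the Wi-Fi Alliance: the event format, the event names `sae_commit` and `eapol_4way`, the thresholds and the sample events are all assumptions constructed for illustration.

```python
"""Toy monitor for two WPA3 Dragonblood symptoms: an SAE handshake flood
against an access point, and a client that moves from a WPA3 (SAE)
handshake to a WPA2 4-way handshake on the same SSID (a downgrade).

The log format, event names and thresholds are assumptions made for this
example; adapt them to the event stream of the WIDS/controller in use.
"""
from collections import defaultdict, deque

# Constructed sample events: (timestamp_s, event, station_mac, ssid).
# 'sae_commit' is assumed to mark the start of a Dragonfly handshake and
# 'eapol_4way' the start of a WPA2-style 4-way handshake.
SAMPLE_EVENTS = [
    (0.0, "sae_commit", "aa:bb:cc:00:00:01", "corp"),
    (0.5, "sae_commit", "aa:bb:cc:00:00:02", "corp"),
    # one station hammering the AP with 60 handshakes inside one second
    *[(1.0 + i * 0.01, "sae_commit", "de:ad:be:ef:00:01", "corp") for i in range(60)],
    # station 01 later shows up with a WPA2 handshake for the same SSID
    (5.0, "eapol_4way", "aa:bb:cc:00:00:01", "corp"),
    # station 03 was never seen with SAE, so WPA2 is not a downgrade here
    (6.0, "eapol_4way", "aa:bb:cc:00:00:03", "corp"),
]

SAE_FLOOD_THRESHOLD = 20   # SAE commits per window from one station (assumed)
SAE_FLOOD_WINDOW_S = 1.0   # sliding window length in seconds (assumed)


def analyse(events, threshold=SAE_FLOOD_THRESHOLD, window=SAE_FLOOD_WINDOW_S):
    """Return (flooders, downgraded): stations exceeding the SAE rate and
    stations that moved from an SAE handshake to a 4-way handshake on the
    same SSID."""
    recent = defaultdict(deque)       # station -> timestamps of SAE commits
    seen_sae = set()                  # (station, ssid) pairs seen with SAE
    flooders, downgraded = set(), set()
    for ts, event, sta, ssid in sorted(events):
        if event == "sae_commit":
            q = recent[sta]
            q.append(ts)
            # drop commits that fell out of the sliding window
            while q and ts - q[0] > window:
                q.popleft()
            if len(q) > threshold:
                flooders.add(sta)
            seen_sae.add((sta, ssid))
        elif event == "eapol_4way" and (sta, ssid) in seen_sae:
            # a WPA3-capable client now doing WPA2 on the same network
            downgraded.add(sta)
    return flooders, downgraded


if __name__ == "__main__":
    floods, downs = analyse(SAMPLE_EVENTS)
    print("SAE flood from:", sorted(floods))
    print("Possible downgrade:", sorted(downs))
```

Run on the constructed sample, the flood check reports the station sending 60 commits in one second and the downgrade check reports station 01 only; station 03 is not flagged because it was never seen using SAE. In a real deployment the downgrade check is only meaningful where the network is known to be WPA3-only or in transition mode, and the flood threshold should be tuned against the AP's normal association rate.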
"The resulting attacks are effective and low-cost: full-character brute-forcing of an 8-character password requires less than $125 in Amazon EC2 instances," the researchers said.
More details about each of the attacks mentioned above can be found in the paper (PDF) that they published on WPA3 Dragonblood.
The researchers have not yet published all of the vulnerability details because the flaws also affect EAP-pwd, an authentication protocol supported by WPA and WPA2.
"Unfortunately, our attacks against WPA3 also work against EAP-pwd, which means that an attacker can even recover a user's password when EAP-pwd is used. In addition, we found serious bugs in most EAP-pwd products that allow the attacker to impersonate any user. This way he can access the Wi-Fi network without knowing the user's password.
"Although we believe that EAP-pwd is used quite infrequently, it still poses serious risks to many users and shows the dangers of incorrectly implementing Dragonfly."
The researchers have published tools that can be used to check whether an access point is vulnerable to any of the aforementioned attacks, but have refrained from releasing a tool that facilitates attacks against EAP-pwd (though they say they will do so soon).
The researchers disclosed their findings to the Wi-Fi Alliance, which issued a statement explaining that the problems identified "affect a limited number of early implementations of WPA3-Personal" (one of the two modes of operation of WPA3) and can be resolved with a software update, which users can obtain from their Wi-Fi device vendor's page.
"WPA3-Personal is in the early stages of development and the small number of affected device manufacturers have already begun developing fixes for the problem. Software updates do not require changes that affect interoperability between Wi-Fi devices," said the Wi-Fi Alliance.