The security researchers who disclosed the set of critical vulnerabilities collectively known as Dragonblood have now revealed two more flaws that could let attackers recover WiFi passwords.
WPA, or WiFi Protected Access, is the family of WiFi security standards that authenticates wireless devices and encrypts their traffic (WPA2 and WPA3 use AES-based ciphers) so that an eavesdropper cannot read wireless data.
To address the technical shortcomings of WPA2 from the ground up, the WiFi Alliance launched the WiFi Protected Access III (WPA3) protocol a year ago.
WPA3 relies on a more secure handshake, SAE (Simultaneous Authentication of Equals), also known as Dragonfly, which is designed to protect WiFi networks against offline dictionary attacks.
Nevertheless, in less than a year, security researchers Mathy Vanhoef and Eyal Ronen found several vulnerabilities in early implementations of WPA3 that let an attacker recover WiFi passwords by abusing timing- or cache-based side-channel leaks.
Soon after that disclosure, the WiFi Alliance, the non-profit organization that oversees certification of the WiFi standard, released security updates to address the issues and published security recommendations to mitigate the initial Dragonblood attacks.
Tracked as CVE-2019-13377, the first flaw is a timing-based side-channel attack against WPA3's Dragonfly handshake when Brainpool curves are used, which is precisely what one of the WiFi Alliance's security recommendations advised vendors to do in order to add another layer of security.
“However, we found that using Brainpool curves introduces the second class of side-channel leaks in the Dragonfly handshake of WPA3,” the duo says in an updated advisory. “In other words, even if the advice of the WiFi Alliance is followed, implementations remain at risk of attacks.”
“The new side-channel leak is located in the password encoding algorithm of Dragonfly,” the researchers said. “We confirmed the new Brainpool leak in practice against the latest Hostapd version, and were able to brute-force the password using the leaked information.”
The second vulnerability, tracked as CVE-2019-13456, is an information leak in the EAP-pwd (Extensible Authentication Protocol-Password) implementation in FreeRADIUS.
Mathy Vanhoef, one of the two researchers who discovered the Dragonblood flaws, told The Hacker News that an attacker could initiate several EAP-pwd handshakes to leak information, which can then be used to recover the user’s WiFi password by performing dictionary and brute-force attacks.
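Both findings described above, the Brainpool timing leak in Dragonfly's password encoding (CVE-2019-13377) and the EAP-pwd leak that an attacker triggers by initiating many handshakes (CVE-2019-13456), come down to the same mechanism: the "hunting and pecking" loop that converts the password into a curve point takes an amount of time that depends on the password and on the two MAC addresses, and each observed handshake lets the attacker discard dictionary candidates whose simulated timing does not match. The simulation below is an added example written for this page; it is not code from the researchers, hostapd or FreeRADIUS. It uses a toy 14-bit curve whose prime is far below the next power of two (the Brainpool property that matters), a simplified one-block KDF, constructed MAC addresses and a constructed dictionary, and it assumes the attacker can recover the exact number of expensive loop passes from timing, which in practice requires repeated measurements.

```python
import hashlib
import hmac

# Toy curve y^2 = x^3 + A*x + B (mod P). Not a secure curve; chosen so that, like a
# Brainpool prime, P sits well below 2**N_BITS: about 39% of 14-bit KDF outputs are >= P.
P = 10007            # prime
N_BITS = 14          # 2**14 = 16384
A = P - 3
B = 7
K_ITERATIONS = 40    # fixed iteration count, as the post-Dragonblood mitigation recommends


def H(data: bytes) -> bytes:
    """Dragonfly's H(): HMAC-SHA256 keyed with 32 zero bytes (RFC 7664)."""
    return hmac.new(b"\x00" * 32, data, hashlib.sha256).digest()


def kdf_n(base: bytes, label: bytes, n_bits: int) -> int:
    """Simplified KDF-n: one HMAC-SHA256 output truncated to its top n bits.
    Assumption for this toy; the real KDF is the counter-mode construction of RFC 7664."""
    out = hmac.new(base, label, hashlib.sha256).digest()
    return int.from_bytes(out, "big") >> (256 - n_bits)


def is_on_curve(x: int) -> bool:
    """x is a valid abscissa if x^3 + A*x + B is a quadratic residue mod P (Euler's criterion)."""
    rhs = (pow(x, 3, P) + A * x + B) % P
    return rhs == 0 or pow(rhs, (P - 1) // 2, P) == 1


def hunt_and_peck(mac_a: bytes, mac_b: bytes, password: bytes):
    """Return (x of the password element or None, number of expensive loop passes).

    The loop always runs K_ITERATIONS times, but a pass whose KDF output is >= P takes a
    cheap skip path with no modular exponentiation. Wall-clock time therefore tracks the
    number of expensive passes, which depends on the password and both MAC addresses.
    That count is the side channel modelled here (a simplification of the real code paths)."""
    hi, lo = max(mac_a, mac_b), min(mac_a, mac_b)
    x_found = None
    expensive = 0
    for counter in range(1, K_ITERATIONS + 1):
        base = H(hi + lo + password + bytes([counter]))
        temp = kdf_n(base, b"Dragonfly Hunting And Pecking", N_BITS)
        if temp >= P:
            continue                      # cheap path: candidate discarded immediately
        expensive += 1                    # expensive path: quadratic-residue test
        if x_found is None and is_on_curve(temp):
            x_found = temp
    return x_found, expensive


def observe_timing(ap_mac: bytes, client_mac: bytes, password: bytes) -> int:
    """What the attacker learns from one handshake attempt (modelled as the exact
    count of expensive passes; real attacks average timing over repeated handshakes)."""
    return hunt_and_peck(ap_mac, client_mac, password)[1]


def collect_observations(ap_mac: bytes, password: bytes, n_handshakes: int):
    """Attacker initiates n handshakes, each from a different spoofed client MAC
    (constructed as 02:00:00:00:00:ii), and records the timing observable of each."""
    observations = []
    for i in range(n_handshakes):
        client = bytes([0x02, 0, 0, 0, 0, i])
        observations.append((client, observe_timing(ap_mac, client, password)))
    return observations


def prune_dictionary(ap_mac: bytes, candidates, observations):
    """Offline phase: keep only candidates whose simulated timing matches every observation."""
    return [
        pw for pw in candidates
        if all(observe_timing(ap_mac, client, pw) == t for client, t in observations)
    ]


# Constructed sample data for the demonstration.
AP_MAC = bytes.fromhex("001122334455")
TRUE_PASSWORD = b"correct horse battery"
DICTIONARY = [
    b"password", b"letmein", b"wifi1234", b"dragonfly", b"qwerty123",
    b"correct horse battery", b"sunshine", b"welcome1", b"brainpool",
    b"admin2019", b"iloveyou", b"hunter22",
]

if __name__ == "__main__":
    obs = collect_observations(AP_MAC, TRUE_PASSWORD, 16)
    print("timing observables:", [t for _, t in obs])
    print("survivors after pruning:", prune_dictionary(AP_MAC, DICTIONARY, obs))
```

Each observation carries only about three bits about the password, so the attacker needs a handful of handshakes (here sixteen) to prune a dictionary, which is why the EAP-pwd attack is described as initiating several handshakes. Changing `P` to a prime just below `2**N_BITS` (the shape of the NIST primes) makes the skip path almost never execute, so the count stops varying with the password; that is the property the Brainpool curves lack.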