Summary of the main security enhancements and discovered vulnerabilities in WPA3
This blog post is an abridged version of a term paper I wrote this semester. The full report with citations can be viewed here .
WPA3 was initially announced in 2018, and as 2020 comes to an end we are beginning to see it enter the real world. At the time of writing, WiGLE has 1006 WPA3 networks in its database and a few popular routers are being shipped with WPA3 enabled, so hopefully we start to see enterprise networks begin transitioning to WPA3 as well. WPA3 provides significant improvements over WPA2 and addresses just about every security issue in WPA2, but it is not without vulnerabilities of its own.
WPA3 takes advantage of the Simultaneous Authentication of Equals (SAE) handshake for authentication, which is based on elliptic curve cryptography. The network password represents points on an elliptic curve. The two parties will each calculate random values called rand and mask, which are used with the password to calculate more values called inverse and scalar. These values differ between the client and the server. These values are then sent back and forth with some calculations going on in order to prove that they have the same password and a shared key is eventually generated. What makes this handshake important is that if an attacker was able to capture every value that was sent and back and forth, they still would not be able to perform offline brute force attacks on the password like they could when capturing a WPA2 handshake. It’s worth noting that a formal proof that this protocol is completely resistant to offline brute force attacks wasn’t provided by its creator, but an informal proof was.
SAE also provides perfect forward secrecy, which is not present in WPA2. The result of this is that you can’t decrypt other clients’ WPA3 traffic if you have the network password, like you can do in WPA2.
WPA3 also has an optional SAE Public Key (SAE-PK) mode to protect against evil twin attacks. When enabled, all APs on a network would share a private key, with the network password being a base32 (case insensitive) value with hypens added that is derived from hashing the public key and a few other values. A client would thus be able to detect if the AP they are connecting to isn’t legitimate when the password they are using doesn’t match up with the APs advertised public key.
Opportunistic Wireless Encryption (OWE) is a new feature that can be used to set up an encrypted Wi-Fi network that does not require a password to join. This would be useful for securing public or guest wireless networks. This uses public/private key cryptography to provide encryption, but unlike with SAE-PK, the public key can’t be verified since there is no network password. To prevent against evil twin attacks here, client implementations are recommended to use Trust on First Use, in which the initial connection is assumed to be secure, while future connections will check to see if the public key has been changed.
A new IoT device on boarding scheme will be introduced with WPA3, designed to accommodate devices that do not have user interfaces that make connecting to a WiFi network easy. This scheme involves using a device called a configurator to on board the IoT device, here called the enrollee, with the configurator being a device that is already on the network, such as a smartphone. The device can then scan a QR code on the IoT device or connect to it using NFC (depending on what the IoT device supports) and send the IoT device the information that it needs in order to discover connect to the network, after which it will authenticate with the AP. This is an improvement over the alternative of Wi-Fi Protected Setup (WPS), which has been considered broken since like 2011.
For devices that do not support WPA3, APs can be run in WPA3 Transition mode (WPA3-TM), allowing clients to connect over WPA2 if needed. It’s advised to only enable transition mode if necessary since it increases the attack surface and attacks against it have been discovered.
Disassociation/Deauthenticaiton DoS prevention features found in 802.11w are also required instead of being optional, and clients/APs that support WPA3 are basically guaranteed to be patched against KRACK.
The main vulnerability discovered so far in WPA3 is Dragonblood, which is really a series of vulnerabilities discovered by the same person who discovered KRACK. The first vulnerability mentioned is that a series of timing attacks were discovered in the SAE (called dragonfly in the paper) handshake, which basically boil down to that different passwords will finish certain steps of the handshake quicker or slower than others. An attacker observing these timings can calculate how long passwords in a dictionary would take in each of these steps to determine if they could be the network password, effectively making offline attacks possible. Another vulnerability was discovered in WPA3-TM. An attacker can set up a rogue AP with the same name as the target AP. When a WPA3 supported client is connecting to a WPA3-TM network, the rogue AP will broadcast that only WPA2 is supported. This could cause the client to start a WPA2 handshake, meaning the attacker can perform offline brute force attacks as normal. The first vulnerability, along with a couple other more minor vulnerabilities, have all been patched.
Downgrade attacks targeting WPA3-TM continued to be an issue into at least June 2020. The author suggested that clients should remember if a network supports WPA3 and not connect to it if it suddenly only supports WPA2 to prevent these attacks. However, different client implementations seemed to differ in how well these protections were implemented. All clients were successful at avoiding connecting to a WPA2 network that was once a WPA3 network. If it was previously a WPA3-TM network however, results were not as good. Androids and iPhones would fail if the AP was initially WPA2, then upgraded to WPA3-TM, then back to WPA2. Mac, Linux, and Windows devices would successfully avoid downgrade attacks, however Linux and Windows devices would connect to a WPA3-TM network using WPA2 if the network used to be a WPA2 network. When connecting to a network for the first time when APs with the same BSSID but different security suite were found, Windows and Mac would connect to the stronger of the two while iOS and Linux would pick one at random. While this is less than good, downgrade attacks would be protected against in WPA3-PK.
Bad-Token is a denial of service vulnerability that can keep a client off of a WPA3 network. This vulnerability is found in the step of the handshake where the parties verify that the values sent by the other party are correct. An attacker can inject invalid values into this step by spoofing their MAC address to be one of the parties and reliably have these values reach the target before the legitimate values do. The client or server will receive these values, notice that they are invalid, and abort the handshake. This has been fixed by simply having clients and APs wait a bit upon receiving invalid values to see if valid values will arrive shortly after.
A couple other DoS vulnerabilities have also been discovered and fixed, most of which just deal with flooding APs with forged packets or sending spoofed packets to a connecting client.
Beacons that are periodically sent out by APs remain unprotected. They are unencrypted and have no protection frames or anything to provide integrity. An attacker can therefore inject malicious beacons to do things such as decrease their transmit power, cause them to switch to another channel and lose connection, or exit sleep mode. Protection for beacons is being implemented, but it remains to be added to the WPA3 standard.