New Vulnerabilities That Leak Wi-Fi Passwords Discovered in New Wi-Fi Security Standard “WPA3”


by Alan Levine

WPA3 was announced in June 2018 as a new standard for Wi-Fi security, but within a year, security researchers discovered a vulnerability that leaks some Wi-Fi network passwords. On August 2, 2019, the same researchers reported that two new vulnerabilities had been found in WPA3.

Dragonblood: Analyzing WPA3's Dragonfly Handshake
https://wpa3.mathyvanhoef.com/#new


New Dragonblood vulnerabilities found in WiFi WPA3 standard | ZDNet
https://www.zdnet.com/article/new-dragonblood-vulnerabilities-found-in-wifi-wpa3-standard/


As of 2019, WPA2 is widely used as a Wi-Fi security standard. However, because WPA2 has a vulnerability called 'KRACK' that allows Wi-Fi communication to be intercepted without a password, the Wi-Fi Alliance announced a new standard, 'WPA3', in June 2018 that makes hacking more difficult in response to this vulnerability.

New Wi-Fi Security Standard “WPA3” Appears, WPA2 Vulnerabilities Also Address Hacking Difficulty-GIGAZINE



However, in April 2019, less than a year after its release, a vulnerability was found that breaks the security of WPA3. This vulnerability, called 'Dragonblood', lies in the password generation algorithm of the 'Dragonfly' handshake adopted in WPA3, and it was found that the password may be leaked through a side-channel attack.

Vulnerabilities Found in New Wi-Fi Security Standard WPA3-GIGAZINE



Furthermore, Mathy Vanhoef and Eyal Ronen, who discovered 'Dragonblood', announced on August 2, 2019 that they had found two new vulnerabilities, 'CVE-2019-13377' and 'CVE-2019-13456'. CVE-2019-13377 is a side-channel attack that leaks part of the password when Dragonfly is used with Brainpool elliptic curves (elliptic curve cryptography, ECC). CVE-2019-13456 is an information leak that occurs because processing in the EAP-PWD module of the open source advanced authentication software 'FreeRADIUS' is interrupted.
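Why the curve matters for CVE-2019-13377, as an added example that is not from the original article or the researchers' code: Dragonfly derives a candidate value from the password and discards it when it is not smaller than the curve's prime p, so how often that happens depends on p. Assumptions: HMAC-SHA256 stands in for the handshake's real key derivation, and the MAC addresses and passwords are constructed sample data.

```python
import hashlib
import hmac

# Field primes p of the two curves (public domain parameters).
P_BRAINPOOL_P256R1 = 0xA9FB57DBA1EEA9BC3E660A909D838D726E3BF623D52620282013481D1F6E5377
P_NIST_P256 = 0xFFFFFFFF00000001000000000000000000000000FFFFFFFFFFFFFFFFFFFFFFFF


def rejection_probability(p: int) -> float:
    """Chance that a uniformly random 256-bit candidate is >= p."""
    return 1 - p / 2**256


def rejected_rounds(password: bytes, macs: bytes, p: int, rounds: int = 40) -> list[int]:
    """Rounds whose candidate is >= p and is thrown away before any curve math.

    Assumption: HMAC-SHA256 stands in for the handshake's real key derivation.
    """
    skipped = []
    for counter in range(1, rounds + 1):
        digest = hmac.new(macs, password + bytes([counter]), hashlib.sha256).digest()
        if int.from_bytes(digest, "big") >= p:
            skipped.append(counter)
    return skipped


def rejected_fraction(passwords: list[bytes], macs: bytes, p: int, rounds: int = 40) -> float:
    """Share of all rounds, across the given passwords, that were rejected."""
    total = sum(len(rejected_rounds(pw, macs, p, rounds)) for pw in passwords)
    return total / (len(passwords) * rounds)


# Constructed sample data: two station addresses and made-up passwords.
SAMPLE_MACS = bytes.fromhex("02aabbccddee" "020011223344")
SAMPLE_PASSWORDS = [f"example-pass-{i}".encode() for i in range(200)]

if __name__ == "__main__":
    for name, p in (("brainpoolP256r1", P_BRAINPOOL_P256R1), ("NIST P-256", P_NIST_P256)):
        print(f"{name}: P(candidate >= p) = {rejection_probability(p):.3g}")
        for pw in SAMPLE_PASSWORDS[:3]:
            print(f"  {pw.decode()}: rejected rounds {rejected_rounds(pw, SAMPLE_MACS, p)}")
```

With the Brainpool prime, roughly a third of the rounds take the early-rejection path, and which rounds do so differs from password to password; with the NIST P-256 prime the path is practically never taken. An implementation therefore has to make every round do the same work regardless of the outcome of this comparison.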

Vanhoef and Ronen estimated the cost of a brute-force attack using GPUs, and found that even for the example dictionary size the password could be cracked for less than one dollar (about 108 yen). However, at the time of writing, the National Vulnerability Database (NVD) of the National Institute of Standards and Technology (NIST) did not contain detailed information on CVE-2019-13377 and CVE-2019-13456.

'Even if the Wi-Fi Alliance's advice has been followed, there is still a risk in implementing WPA3. In other words, implementing WPA3 and Dragonfly without leaks from side-channel attacks is surprisingly difficult,' the researchers said, raising doubts about the implementation of WPA3.

in Software, Security, Posted by log1i_yk