Thursday 11 April 2019

Dragonblood: Should you worry? (Wi-Fi WPA3 security vulnerabilities explained for the not-so-techie)

On 10 April 2019 I noticed a flurry of panicky news stories and posts around LinkedIn and Twitter. The Wi-Fi Alliance published a security update regarding security vulnerabilities in the new WPA3 Wi-Fi standards which WLAN vendors are expected to start rolling out en masse in 2019.

The WPA3 standards promised a far more secure environment than the aging WPA2 standards currently in use just about everywhere today. The vulnerabilities (named Dragonblood) already have their own webpage, logo, theme song, etc. so we know that non-technical company execs will be seeing this across their feeds and demanding information about the security of the million-dollar Wi-Fi refresh they've just paid for, by the end of the week.

Before we engage in mass hysteria, let's examine the vulnerabilities a little further and see if there is truly anything to worry about.

Is this report from a reputable source?
Yes! The analysis and POC code were written by Mathy Vanhoef (NYUAD) and Eyal Ronen (Tel Aviv University & KU Leuven). Vanhoef had also discovered the Krack attack vulnerabilites that got everyone worried in 2017.

Why "Dragonblood"?
It is trendy for vulnerabilities to be given catchy names as this makes it easier for them to be written about in the media and go viral. These vulnerabilities are mainly around the handshake key exchange mechanism used in WPA3 which is called Dragonfly, hence the analysis paper was titled Dragonblood. The researchers released 4 tools to demonstrate the specific attacks and named them Dragonslayer, Dragondrain, Dragontime, and Dragonforce.
Note that the Dragonfly family of handshakes is not only used in Wi-Fi. Other encryption-based systems could also be vulnerable.

Can the Dragonblood vulnerabilities be fixed?
Yes, mostly.
Thanks to the researchers' responsible disclosure of the vulnerabilities, major vendors already had patches in place or in the works before the public announcement was made. simply ensuring that the firmware on your network equipment is kept up to date is sufficient to mitigate or remediate against most of these vulnerabilities. (this is why it is important to use trusted brands and keep those support contracts up to date folks).
In at least one of the downgrade attack scenarios (explained in more detail later on), a device is tricked into connecting to a WPA2 network and then a WPA2 exploit is used. This can't be easily fixed but it isn't strictly a WPA3 exploit either.
Unless you're 100% in control of every device connecting to your network (and who is?), you can't update the client side devices. The good news here is that hardly any WPA3 client devices are released yet, so hopefully most will be fixed before anyone even buys them.

Cisco has already released a statement by the reputable Jerome Henry, saying "Cisco Access points are not affected by any of the vulnerabilities described. The Cisco AireOS and IOS-XE releases that support SAE for WPA3-Personal will also include protection mechanisms against these vulnerabilities. WPA3 clients may need to be updated and Cisco recommends finding the latest information from vendors’ websites."

I will update this page with statements from other vendors as they become available. Personally I'm looking forward seeing a comment from Dan Harkins, the computer scientist who wrote Dragonfly and EAP-pwd, and currently happens to be employed by Aruba Networks.

In summary: The sky isn't falling, keep your network devices up to date, keep your client devices up to date.

You can find more detail about the individual tools below.

Dragonslayer
From the readme: This is an experimental tool to test EAP-pwd implementations for vulnerabilities. We also strongly recommend to perform code inspections to assure all vulnerabilities have been properly addressed.

Should you worry?
No.
Virtually nobody is using EAP-pwd in their Wi-Fi networks. It is rarely even presented as an option. Unless your job involves actually building Wi-Fi devices, you don't need to worry about this.

Dragondrain
From the readme: The Dragondrain tool forges Commit messages to cause a high CPU usage on the target. This can for example be used to drain the battery of a device, or more generally to drain and exhaust resources.

The name is a play on the fact that this is a 'clogging' attack.

Should you worry?
Not if you keep your network devices up to date.
It is a denial-of-service attack. The authors have already given the solution to the vendors to implement i.e. use a dedicated, low-priority CPU thread to run this task so that the entire CPU can never be impacted.

Dragontime
From the readme: This is an experimental tool to carry out timing attacks against WPA3's SAE handshake. It was created to carry out attacks, not to detect whether an implementation is vulnerable in the first place. It was used to carry out the timing attack against MODP groups 22 and 24 as described in the Dragonblood paper.

This vulnerability actually has a CVE allocation: CVE-2019-9494

Should you worry?
Not too much.
You don't need to know what MODP (Modular Exponential) groups are, just that they are options implemented in cryptographic algorithms. Three groups have been identified here as being vulnerable while another three groups are suggested to be avoided. This can be fixed in a software patch that simply removes those groups as options (that is if the groups were ever used in the first place - according to the paper there were already known issues since 2017 with these groups, so they should have been avoided all along). The authors even state this "Note that most WPA3 implementations by default do not enable these groups"

Dragonforce
This is the tool that takes the information from the other tools and runs something similar to a dictionary attack to retrieve the keys.

What about that 'downgrade attack' mentioned earlier?
It is really difficult to move 20 years' worth of devices to a new encryption scheme, so the WPA3 standard allows for a compatibility mode, or transition mode, of operation where the network will simultaneously support WPA2 and WPA3. The attack in this case involves setting up an 'evil twin' SSID using only WPA2 and the client device connects to it because it knows that WPA2 is still permitted. WPA2 vulnerabilities are then leveraged to discover the keys.

Should you worry?
No more than you worried yesterday about your WPA2 networks.
The fix for this needs to come from the manufacturers of client devices. Samsung, Apple, Lenovo, etc. 
As a network operator you can run WIDS/WIPS to guard against this type of attack.


I'm having trouble sleeping at night, where can I find the full paper?
The full paper has been published at https://papers.mathyvanhoef.com/dragonblood.pdf