{"uuid": "b499f09b-172a-40ce-bb65-10401b8b6393", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "2a075640-a300-48a4-bb44-bc6130783b9b", "vulnerability": "CVE-2019-9494", "type": "published-proof-of-concept", "source": "https://t.me/MajorHacker/49", "content": "\ud83d\udd25 Breaking \u2014 It has been close to just one year since the launch of the next-generation Wi-Fi security standard WPA3, and researchers have unveiled several serious vulnerabilities in the wireless security protocol that could allow attackers to recover the password of the Wi-Fi network.\n\nThough WPA3 relies on a more secure handshake, known as Dragonfly, that aims to protect Wi-Fi networks against offline dictionary attacks, security researchers Mathy Vanhoef and Eyal Ronen found weaknesses in the early implementation of WPA3-Personal, allowing an attacker to recover Wi-Fi passwords by abusing timing- or cache-based side-channel leaks.\n\n* Researchers find that the transitional mode is vulnerable to downgrade attacks, which attackers can abuse to set up a rogue AP that only supports WPA2, forcing WPA3-capable devices to connect using WPA2's insecure 4-way handshake.\n\n* Researchers also detail two side-channel attacks\u2014cache-based (CVE-2019-9494) and timing-based (CVE-2019-9494)\u2014against Dragonfly's password encoding method that could allow attackers to perform a password partitioning attack, similar to an offline dictionary attack, to obtain the Wi-Fi password.\n\nAs a proof-of-concept, the researchers will shortly release the following four separate tools (in the GitHub repositories hyperlinked below) that can be used to test the vulnerabilities:\n\n* Dragondrain \u2014 a tool that can test to what extent an Access Point is vulnerable to DoS attacks against WPA3's Dragonfly handshake.\n\n* Dragontime \u2014 an experimental tool to perform timing attacks against the Dragonfly handshake.\n\n* Dragonforce \u2014 an experimental tool that takes the information recovered from the timing attacks and performs a password partitioning attack.\n\n* Dragonslayer \u2014 a tool that implements attacks against EAP-pwd.\n\n\"Nearly all of our attacks are against SAE\u2019s password encoding method, i.e., against its hash-to-group and hash-to-curve algorithm. Interestingly, a simple change to this algorithm would have prevented most of our attacks,\" the researchers say.", "creation_timestamp": "2019-04-11T03:46:18.000000Z"}