One of the main advantages of WPA3 is that it provides forward secrecy and prevents offline dictionary attacks. However, the WPA3 certification program was created behind closed doors, meaning researchers could not critique it. This is problematic because, even though WPA3 relies on the existing Dragonfly handshake, this handshake received significant criticism during its standardization. This raises the question of how secure WPA3 is.
In this talk, we will show that WPA3 is affected by several design and implementation flaws. Most prominently, we show that WPA3's Dragonfly handshake, in Wi-Fi also known as SAE, is vulnerable to side-channel attacks. We demonstrate that the leaked information can be abused to carry out password partitioning attacks. These attacks resemble a dictionary attack, and allow an adversary to recover the password by abusing timing or cache-based side-channel leaks. Our side-channel attacks target the protocol's password encoding method. For example, our cache-based attack exploits Dragonfly's so-called hash-to-curve algorithm. Additionally, we present invalid curve attacks against EAP-pwd, which internally uses a close variant of the Dragonfly handshake. This enables an adversary to bypass authentication. We will also discuss downgrade attacks to WPA2, which in turn enable dictionary attacks, and discuss denial-of-service attacks. Finally, we explain how we confirmed all vulnerabilities in practice, and discuss to what extent attacks can be mitigated in a backwards-compatible manner.
Our conclusion is that WPA3 does not meet the standards of a modern security protocol. Either all countermeasures are implemented, in which case it might be affected by DoS attacks, or it does not implement the defenses, in which case it is vulnerable to our attacks. Nevertheless, WPA3 does remain an improvement over WPA2.