The WPA3 security standard makes WiFi access points more secure, protecting passwords from offline dictionary attacks. However, researchers have devised a clever man-in-the-middle attack that tricks users into entering their password when reconnecting.
You lose your WiFi connection. When trying to reconnect, you’re asked to enter the password. If you do, you’re compromised.
Researchers from the University of the West Indies spawned a rogue WPA3 access point and used a captive portal (a login page similar to those at hotels, airports, or companies) to capture user credentials.
They also demonstrated that attackers in the middle could initiate a downgrade attack, which forces the network to fall back to WPA2. This allows hackers to capture part of the handshake (the process in which the device and the WiFi router exchange authentication information).
Hackers can use the captured handshake to check if the password is correct, and later to create an evil twin – a rogue WiFi access point to which other users will connect automatically.
WPA3 is the latest WiFi security standard. It introduced the so-called Simultaneous Authentication of Equals (SAE) method, rendering offline password dictionary attacks almost impossible. Not only can the handshake not be captured; even if it were, it would be useless for offline cracking, as each password guess must interact with the WiFi router.
How did researchers bypass WPA3?
The risk arises when WPA3 is used in transition mode, which is backward compatible with WPA2 and therefore susceptible to downgrade attacks. When a WPA2-only device connects to a WPA2/3 access point, the access point accommodates the device's settings, allowing attackers to capture part of the handshake.
“The first step in capturing the handshake is the deauthentication attack,” researchers write.
This attack causes devices to lose connection to the targeted WiFi router. Several strategies, including denial-of-service attacks, can be used to achieve this. When devices reconnect, tools such as Wireshark can capture two of the four handshake messages.
The captured handshake can then be used to spawn a rogue WPA2 access point with the same wireless network name (SSID) and a captive portal. Unsuspecting users would only need to connect to it and enter the password, which is then captured.
Deauthentication attacks can be used to make users more inclined to choose the fraudulent network.
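The two observable symptoms of this chain, a burst of deauthentication frames followed by a second access point advertising the same SSID with WPA2 only, are what a wireless monitor on the defender's side can alert on. The following is an added example, not code from the researchers or the article; the frame summary format and the sample frames are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample of 802.11 management frames, summarized as
# (time_s, type, bssid, ssid, akm_suites). Hypothetical format, not data from
# the article. akm_suites lists the key-management suites in the beacon's RSN IE.
FRAMES = [
    (0.0, "beacon", "aa:bb:cc:00:00:01", "CorpNet", ("SAE", "PSK")),   # real WPA3-transition AP
    (0.0, "beacon", "aa:bb:cc:00:00:02", "GuestNet", ("PSK",)),        # unrelated WPA2 network
    (5.0, "deauth", "aa:bb:cc:00:00:01", None, None),                  # burst of deauths: the
    (5.1, "deauth", "aa:bb:cc:00:00:01", None, None),                  # sender address is spoofed,
    (5.2, "deauth", "aa:bb:cc:00:00:01", None, None),                  # so it names the network
    (5.3, "deauth", "aa:bb:cc:00:00:01", None, None),                  # under attack, not the attacker
    (5.4, "deauth", "aa:bb:cc:00:00:01", None, None),
    (7.0, "beacon", "de:ad:be:ef:00:01", "CorpNet", ("PSK",)),         # same SSID, WPA2-only twin
]

def detect_deauth_bursts(frames, threshold=5, window_s=2.0):
    """BSSIDs that appear as the source of >= threshold deauth frames inside any window."""
    times_by_bssid = defaultdict(list)
    for t, ftype, bssid, _, _ in frames:
        if ftype == "deauth":
            times_by_bssid[bssid].append(t)
    flagged = []
    for bssid, times in times_by_bssid.items():
        times.sort()
        start = 0
        for end in range(len(times)):          # sliding window over sorted timestamps
            while times[end] - times[start] > window_s:
                start += 1
            if end - start + 1 >= threshold:
                flagged.append(bssid)
                break
    return sorted(flagged)

def detect_weaker_twins(frames):
    """For every SSID that some BSSID offers with SAE, report BSSIDs advertising the same
    SSID without SAE: a WPA2-only copy of a WPA3 network is an evil-twin/downgrade indicator."""
    aps_by_ssid = defaultdict(dict)
    for _, ftype, bssid, ssid, akm in frames:
        if ftype == "beacon":
            aps_by_ssid[ssid][bssid] = set(akm)
    findings = []
    for ssid, aps in aps_by_ssid.items():
        if any("SAE" in suites for suites in aps.values()):
            findings.extend((ssid, b) for b, suites in aps.items() if "SAE" not in suites)
    return sorted(findings)

if __name__ == "__main__":
    print("deauth bursts:", detect_deauth_bursts(FRAMES))   # ['aa:bb:cc:00:00:01']
    print("weaker twins:", detect_weaker_twins(FRAMES))     # [('CorpNet', 'de:ad:be:ef:00:01')]
```

Because deauthentication frames are sent with a spoofed source, the first check identifies which network is being disrupted rather than who is disrupting it; the second check is what distinguishes a genuine WPA2/3 transition network from a WPA2-only copy of it.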
“The Captive Portal can be configured to resemble or look like any router home page, but for the sake of the experiment, it was kept simple,” researchers said.
They also suggest that phishing attacks could be more convincing by altering the portal page to resemble the company's original network, router brand, or home page.
This research sought to intercept the communication between a WPA3 client and a WPA2-PSK/WPA3-SAE transition network and acquire the handshake by using a downgrade attack.
Researchers noted that they could not successfully implement a deauthentication attack during the experiment, possibly due to the “scripts provided not being able to work with the distro utilized.”
However, they believe the experiment demonstrated “that it is possible to recover the network password via social engineering methods through a captive portal to grant network access.”