Downgrade to Dictionary Attack

Our first attack is against WPA3-SAE transition mode. Recall from Section 2.2 that in this mode the AP is configured to accept connections using both WPA3-SAE and WPA2. This provides backward compatibility with older clients. Moreover, WPA2's 4-way handshake detects downgrade attacks, meaning an attacker cannot trick a WPA3-capable client into successfully establishing a connection using WPA2. Put differently, if an adversary attempts to perform a man-in-the-middle attack against a WPA3-capable AP and client, and modifies beacons so the client thinks the AP only supports WPA2, the client will detect the downgrade and abort the 4-way handshake of WPA2.

More precisely, message 3 of WPA2's 4-way handshake contains all the supported cipher suites of the AP in the authenticated RSNE element (recall Figure 1). Because this handshake message is authenticated under the session key (PTK), the adversary cannot modify it. As a result, the client will detect that the RSNE in message 3 does not match the RSNE received in beacons, and will subsequently abort the handshake. Hence it is indeed not possible to force a WPA3-capable client and AP to use WPA2.

The problem is that, although downgrade attacks are detected by the 4-way handshake of WPA2, by that point an adversary has captured enough data to perform a dictionary attack. This is because an adversary only needs a single authenticated 4-way handshake message to carry out a dictionary attack. Therefore, even though the downgrade is detected, by this point it is too late.

Moreover, a man-in-the-middle position is not needed to carry out the attack. The only requirements are that we know the SSID of the WPA3-SAE network, and that we are close to a client (see Figure 4). If these conditions are met, the adversary can broadcast a WPA2-only network with the given SSID (stage ① in Figure 4). This causes the client to connect to our rogue AP using WPA2.
The adversary can forge the first message of the 4-way handshake, since this message is not yet authenticated (stage ③ in Figure 4). In response, the victim will transmit message 2 of the 4-way handshake, which is authenticated. Based on this authenticated handshake message, a dictionary attack can be carried out.

We tested the above attack against several client-side implementations of WPA3 (see Table 2). With the first three tested devices, the network to connect with must be manually configured. That is, we had to specify the name of the network to connect with, and that it uses WPA3 in transition mode. We then let this device connect to the WPA3 network, after which we put up a rogue WPA2 AP. This revealed that these three devices tried to connect to the WPA2 network, allowing subsequent dictionary attacks. With the last four devices in Table 2, the desired network is selected from a list of nearby ones. We found that iwd and the Galaxy S10 are vulnerable. However, Linux's NetworkManager and the Google Pixel 3 refused to connect to the rogue WPA2 network, preventing our attack.

Table 2: Result of downgrade attacks against WPA3 clients when the AP operates in transition mode (column Trans.) or in WPA3-only mode (column 3-Only). On the first 3 devices the network must be configured manually, while on other devices the network is selected from a list of nearby ones.

| Device             | Software            | Vulnerable? (Trans.) | Vulnerable? (3-Only) |
|--------------------|---------------------|----------------------|----------------------|
| AP from vendor A   | firmware 10.20.0168 | ✓                    | ✗                    |
| Raspberry Pi 1 B+  | OpenWRT r9576       | ✓                    | ✗                    |
| MSI GE60 Laptop    | wpa_supplicant v2.7 | ✓                    | ✗                    |
| MSI GE60 Laptop    | iwd v0.14           | ✓                    | ✓                    |
| Dell Latitude 7490 | NetworkManager 1.17 | ✗                    | ✗                    |
| Google Pixel 3     | QPP1.190205.018.B4  | ✗                    | ✗                    |
| Galaxy S10         | G975USQU1ASBA       | ✓                    | ✓                    |

We also discovered an implementation-specific downgrade attack when using WPA3-only networks. More precisely, we noticed that some devices will connect to the rogue WPA2 network, even if originally the network only supported WPA3 (see column 3-Only in Table 2). In particular, iwd and the Samsung Galaxy S10 are affected by this attack, meaning downgrade to dictionary attacks remain possible even if the network is configured to only support WPA3.
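The downgrade described above depends on a rogue BSS advertising the network's SSID with only WPA2 in its RSNE. As an added example (not code from the paper), the following monitoring-side check parses the AKM list of each observed RSNE and flags any BSS that offers a known-SAE SSID without SAE. The SSID inventory, the sample beacons and all function names are assumptions constructed for illustration.

```python
import struct

RSN_OUI = bytes.fromhex("000fac")
AKM_NAMES = {2: "PSK", 6: "PSK-SHA256", 8: "SAE"}  # IEEE 802.11 AKM suite types

def build_rsne(akm_types):
    """Build a constructed RSNE (CCMP ciphers) for the sample beacons below."""
    body = struct.pack("<H", 1) + RSN_OUI + b"\x04"      # version 1, group cipher CCMP
    body += struct.pack("<H", 1) + RSN_OUI + b"\x04"     # one pairwise cipher: CCMP
    body += struct.pack("<H", len(akm_types))
    body += b"".join(RSN_OUI + bytes([t]) for t in akm_types)
    body += struct.pack("<H", 0)                         # RSN capabilities
    return bytes([48, len(body)]) + body

def parse_rsne_akms(rsne):
    """Return the set of AKM names advertised in one RSNE (element ID 48)."""
    if len(rsne) < 2 or rsne[0] != 48 or rsne[1] != len(rsne) - 2:
        raise ValueError("not a well-formed RSNE")
    body = rsne[2:]
    try:
        off = 2 + 4                                      # skip version, group cipher
        (n_pairwise,) = struct.unpack_from("<H", body, off)
        off += 2 + 4 * n_pairwise                        # skip pairwise cipher list
        (n_akm,) = struct.unpack_from("<H", body, off)
        off += 2
    except struct.error:
        raise ValueError("truncated RSNE") from None
    if off + 4 * n_akm > len(body):
        raise ValueError("truncated AKM list")
    suites = [body[off + 4 * i: off + 4 * i + 4] for i in range(n_akm)]
    return {AKM_NAMES.get(s[3], f"type-{s[3]}") for s in suites if s[:3] == RSN_OUI}

def downgrade_alerts(known_sae_ssids, beacons):
    """Flag every BSS that advertises a known-SAE SSID without the SAE AKM."""
    return [(ssid, bssid) for ssid, bssid, rsne in beacons
            if ssid in known_sae_ssids and "SAE" not in parse_rsne_akms(rsne)]

# Constructed observations: (SSID, BSSID, raw RSNE bytes from the beacon).
SAMPLE_BEACONS = [
    ("corp-wifi", "02:00:00:00:00:01", build_rsne([2, 8])),  # transition mode
    ("corp-wifi", "02:00:00:00:00:66", build_rsne([2])),     # WPA2-only, same SSID
    ("guest",     "02:00:00:00:00:02", build_rsne([2])),     # never offered SAE
]

if __name__ == "__main__":
    for ssid, bssid in downgrade_alerts({"corp-wifi"}, SAMPLE_BEACONS):
        print(f"ALERT: {bssid} advertises '{ssid}' without SAE")
```

The same comparison applies to a WPA3-only deployment, where any BSS offering the SSID with a PSK AKM is anomalous.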