Dragonblood is Still Leaking: Practical Cache-based Side-Channel in the Wild

TL;DR

This paper demonstrates that recent patches to the Dragonblood side-channel attack on WPA-3's Dragonfly protocol are insufficient, extending the attack to recover passwords more efficiently in real-world open-source implementations.

Contribution

The authors extend the Dragonblood attack, showing it can recover passwords with fewer measurements and demonstrate its practicality on widely used open-source projects.

Findings

Attacks can recover passwords with only a third of the original measurements.

Vulnerable implementations include iwd and FreeRADIUS, which are widely deployed.

Proposed a branch-free mitigation technique with minimal overhead.

Abstract

Recently, the Dragonblood attacks have attracted new interests on the security of WPA-3 implementation and in particular on the Dragonfly code deployed on many open-source libraries. One attack concerns the protection of users passwords during authentication. In the Password Authentication Key Exchange (PAKE) protocol called Dragonfly, the secret, namely the password, is mapped to an elliptic curve point. This operation is sensitive, as it involves the secret password, and therefore its resistance against side-channel attacks is of utmost importance. Following the initial disclosure of Dragonblood, we notice that this particular attack has been partially patched by only a few implementations. In this work, we show that the patches implemented after the disclosure of Dragonblood are insufficient. We took advantage of state-of-the-art techniques to extend the original attack, demonstrating that we are able to recover the password with only a third of the measurements needed in Dragonblood attack. We mainly apply our attack on two open-source projects: iwd (iNet Wireless Daemon) and FreeRADIUS, in order underline the practicability of our attack. Indeed, the iwd package, written by Intel, is already deployed in the Arch Linux distribution, which is well-known among security experts, and aims to offer an alternative to wpa\_supplicant. As for FreeRADIUS, it is widely deployed and well-maintained upstream open-source project. We publish a full Proof of Concept of our attack, and actively participated in the process of patching the vulnerable code. Here, in a backward compatibility perspective, we advise the use of a branch-free implementation as a mitigation technique, as what was used in hostapd, due to its quite simplicity and its negligible incurred overhead.