By: Meghann Lees and Erin Rosa
WPA3 was designed to improve wireless security, but when misconfigured, it can still leave networks open to attack. During a recent assessment, RedLegg discovered that several client networks using WPA3 Personal transition mode were vulnerable to a classic evil twin attack. This backwards compatibility setting, while useful for legacy devices, introduced the risk of a downgrade attack that exposed the network passphrase.
Here’s how our team identified the issue and why even modern protocols like WPA3 require careful implementation and review.
Field Testing WPA3 Personal Networks
Recently, RedLegg was in the field testing wireless networks for a client at multiple physical locations. Most of these networks were using WPA3 (Wi-Fi Protected Access 3) Personal, also known as WPA3 SAE (Simultaneous Authentication of Equals). As a part of testing, RedLegg interrogated the networks for misconfigurations and weaknesses.
Using a Kali virtual machine and an external wireless card, RedLegg began enumerating the networks to catalog and validate any vulnerabilities. As a part of the engagement, the client also provided the passphrase for testing purposes; however, the main objective of the assessment was to determine if anything could be leveraged for unauthorized access by an outside attacker.
RedLegg found that all the WPA3 networks were using transition mode, a setting designed for backward compatibility with older devices that may not support WPA3 authentication. During testing, RedLegg discovered that WPA3 transition mode could be exploited to launch a successful evil twin attack via a downgrade method, capturing a wireless handshake that could then be cracked to reveal a plaintext password. Some background on the two protocols helps explain why this works.
A Brief History of WPA2 and WPA3 Personal Protocols
WPA3 is the latest wireless security protocol developed by the Wi-Fi Alliance, designed to fix weaknesses in the older WPA2 and provide stronger protections for wireless communication. Here we will dive into the WPA3 Personal protocol.
WPA3 introduces new mechanisms to defend against brute-force attacks and offers enhanced encryption. The biggest change in WPA3 is the introduction of the Dragonfly handshake, officially known as the Simultaneous Authentication of Equals (SAE). The Dragonfly handshake replaces the Pre-Shared Key (PSK) handshake used in WPA2.
In WPA2, authentication relies on a four-way handshake that proves that both the client and the access point know the shared password. If an attacker captures that handshake, they can guess the password offline without any further interaction with the network. The Dragonfly handshake resists offline password attacks by using a more complex key exchange based on SAE: each password guess requires a live exchange with the target access point, which makes brute forcing slower and far less likely to succeed.
SAE provides forward secrecy by deriving a unique key for each session, so even if the credentials are harvested in an attack, previously captured traffic cannot be decrypted. SAE is also a peer (equal) authentication: the client and the access point contribute equally to the derived key, rather than one side proving possession of the whole secret. This strengthens the handshake even when weaker passwords are in use.
Identifying Transition Mode in the Field
In the field, RedLegg used airodump-ng, part of the aircrack-ng suite of tools, to listen to the targeted networks on a variety of different channels.
An example of this can be observed in the image below:
When examining the packet capture files of these networks with the tool tshark, RedLegg quickly identified that transition mode was enabled using the following command:
tshark -r target.cap -Y "wlan.fc.type_subtype == 8" -V | grep -i 'auth key management'
The beacon frames advertised both SAE and WPA2 PSK as accepted authentication key management (AKM) suites, which indicates that transition mode was enabled.
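The same check can be made without tshark by decoding the RSN information element that the beacon carries. The following added example (not part of RedLegg's tooling or the original post) parses the AKM suite list and the PMF capability bits from an RSN element body and gives the transition-mode verdict; the two element bodies are constructed for illustration, not captured from any real network.

```python
import struct

# AKM suite selector types under OUI 00-0F-AC (IEEE 802.11-2020, Table 9-151).
IEEE_OUI = b"\x00\x0f\xac"
AKM_NAMES = {1: "802.1X", 2: "PSK", 3: "FT-802.1X", 4: "FT-PSK", 5: "802.1X-SHA256",
             6: "PSK-SHA256", 8: "SAE", 9: "FT-SAE", 12: "802.1X-SuiteB-192"}
PSK_AKMS = {2, 4, 6}   # any of these lets a WPA2-Personal client associate
SAE_AKMS = {8, 9}      # WPA3-Personal (Dragonfly/SAE) authentication

def parse_rsn_ie(body: bytes) -> dict:
    """Parse the body of an RSN element (ID 48) with the ID/length bytes stripped."""
    version, = struct.unpack_from("<H", body, 0)
    if version != 1:
        raise ValueError(f"unsupported RSN version {version}")
    off = 6                                     # skip version + group cipher suite
    n_pair, = struct.unpack_from("<H", body, off)
    off += 2 + 4 * n_pair                       # skip pairwise cipher suite list
    n_akm, = struct.unpack_from("<H", body, off)
    off += 2
    akm_types = set()
    for i in range(n_akm):
        oui, typ = body[off + 4 * i:off + 4 * i + 3], body[off + 4 * i + 3]
        if oui == IEEE_OUI:
            akm_types.add(typ)
    off += 4 * n_akm
    # RSN Capabilities is optional; bit 6 = MFPR (PMF required), bit 7 = MFPC (PMF capable).
    caps = struct.unpack_from("<H", body, off)[0] if off + 2 <= len(body) else 0
    return {"akms": sorted(AKM_NAMES.get(t, f"type-{t}") for t in akm_types),
            "akm_types": akm_types, "mfpc": bool(caps & 0x80), "mfpr": bool(caps & 0x40)}

def classify(rsn: dict) -> str:
    """Map the advertised AKM list to the same verdict the tshark output above supports."""
    has_psk, has_sae = bool(rsn["akm_types"] & PSK_AKMS), bool(rsn["akm_types"] & SAE_AKMS)
    if has_psk and has_sae:
        return "WPA3-Personal transition mode: WPA2-PSK still accepted, downgrade possible"
    if has_sae:
        return "WPA3-Personal only" + ("" if rsn["mfpr"] else " (PMF not required)")
    if has_psk:
        return "WPA2-Personal only"
    return "no Personal AKM advertised (Enterprise/other)"

# Constructed RSN element bodies: CCMP group/pairwise, then PSK+SAE with MFPC (transition)
# or SAE only with MFPC+MFPR. Not captured from any real network.
TRANSITION_IE = bytes.fromhex("0100 000fac04 0100 000fac04 0200 000fac02 000fac08 8c00")
SAE_ONLY_IE   = bytes.fromhex("0100 000fac04 0100 000fac04 0100 000fac08 cc00")

if __name__ == "__main__":
    for name, ie in (("transition", TRANSITION_IE), ("sae-only", SAE_ONLY_IE)):
        rsn = parse_rsn_ie(ie)
        print(f"{name:11} akms={rsn['akms']} mfpc={rsn['mfpc']} mfpr={rsn['mfpr']} -> {classify(rsn)}")
```

On a real capture, feed the function the RSN element body extracted from a beacon (tshark exposes it as the tagged parameter with element ID 48).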
The Security Considerations for WPA3 Personal and Transition Mode
Although WPA3 is more secure than previous protocols, there are multiple concerns surrounding the configuration and implementation in an environment. WPA3 can present multiple challenges with older, smaller, and less powerful devices, as well as complex security parameters.
For devices that do not support WPA3, the backwards compatibility transition mode must be enabled to allow them to connect to access points using WPA2 connections. This security downgrade can result in handshakes being captured and cracked offline.
WPA3 also entails an increase in resource usage, which can affect the performance of the connection or shorten battery life. Aside from those issues, the security parameters for implementation are often non-intuitive and complex. Default settings, permissions, and protection mechanisms need to be regularly reviewed and tested.
There are also attacks collectively known as “Dragonblood,” which primarily focus on side-channel vulnerabilities. These can result in data leakage, forcing connections to be downgraded to WPA2, and cause denial of service conditions.
The most frequently seen attacks take aim at the transition settings used for compatibility. By exploiting the ability to downgrade the security protocol, an attacker has the highest likelihood of capturing a password that can be cracked to gain access to the wireless network.
Capturing a WPA2 PSK Handshake with an Evil Twin Access Point
To highlight these weaknesses and demonstrate this attack vector, RedLegg used the tool eaphammer to create an evil twin access point, a fake wireless network that has the same name as the legitimate target network.
This evil twin access point is created to trick clients that are already connected to or associated with the legitimate network to authenticate to the attacker's network instead.
In an example photo below, RedLegg creates the evil twin and configures this fake access point to use the older WPA2 PSK authentication instead of WPA3 SAE in an authentication downgrade attack:
Eventually, one of the clients that had previously associated with the legitimate access point using WPA3 Personal attempted to authenticate to the “evil twin” of the same network name using WPA2 PSK, allowing RedLegg to capture a handshake. An example photo of what this looks like can be observed below:
Because RedLegg already knew the passphrase to this network, this handshake was easily cracked into a plaintext password using hashcat, validating the security issues endemic to WPA3 transition mode and producing evidence that could then be reported to the client. Thankfully, in this instance, the client was using a complex and lengthy passphrase that would be difficult for an outside attacker to crack even if they succeeded in using this authentication downgrade attack.
In conclusion, wireless security has come a long way over the last 20 years, and these improvements are a good thing. However, there is still risk from WPA3 transition mode, and there is risk anytime a password or passphrase is used to access a wireless network.
Researchers such as Mathy Vanhoef and teams like TrustedSec have demonstrated how WPA3 transition mode can be exploited through downgrade attacks. Tools like DragonShift also help simulate and study these scenarios in controlled environments.
At RedLegg, our penetration testing services help organizations identify vulnerabilities like misconfigured wireless authentication and compatibility settings before they’re exploited.
We recommend using certificate-based authentication, which is available in WPA3-Enterprise, and routine auditing to ensure networks are deployed and configured securely.
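For the routine auditing recommended above, the access point configuration itself is the place to check. The following added example (not RedLegg's code and not tied to any client's equipment) shows a hostapd transition-mode fragment beside an SAE-only one and a small audit function that flags the weak settings; the option names are hostapd's, while the SSID and passphrase values are placeholders.

```python
# Constructed hostapd.conf fragments (hostapd option names; SSID and secret are placeholders).
TRANSITION_CONF = """
ssid=example-corp
wpa=2
wpa_key_mgmt=WPA-PSK SAE
rsn_pairwise=CCMP
wpa_passphrase=PLACEHOLDER-passphrase
ieee80211w=1
"""
SAE_ONLY_CONF = """
ssid=example-corp
wpa=2
wpa_key_mgmt=SAE
rsn_pairwise=CCMP
sae_password=PLACEHOLDER-passphrase
ieee80211w=2
sae_require_mfp=1
"""

PSK_AKMS = {"WPA-PSK", "WPA-PSK-SHA256", "FT-PSK"}   # WPA2-Personal style key management
SAE_AKMS = {"SAE", "FT-SAE"}                         # WPA3-Personal key management

def parse_conf(text: str) -> dict:
    """Minimal key=value reader for hostapd.conf; ignores blank lines and comments."""
    out = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            out[key.strip()] = value.strip()
    return out

def audit_personal(conf: dict) -> list:
    """Return findings that would let a WPA2-style handshake be captured and cracked offline."""
    findings = []
    akms = set(conf.get("wpa_key_mgmt", "").split())
    if akms & PSK_AKMS and akms & SAE_AKMS:
        findings.append("transition mode: WPA2-PSK still accepted alongside SAE")
    elif akms & PSK_AKMS:
        findings.append("WPA2-PSK only: four-way handshake is crackable offline")
    if akms & SAE_AKMS and conf.get("ieee80211w") != "2":
        findings.append("PMF not required (ieee80211w should be 2 for SAE-only operation)")
    return findings

if __name__ == "__main__":
    for name, text in (("transition", TRANSITION_CONF), ("sae-only", SAE_ONLY_CONF)):
        print(name, audit_personal(parse_conf(text)) or ["no findings"])
```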