Dragonblood is Still Leaking: Practical Cache-based Side-Channel in the Wild
Recently, the Dragonblood attacks have drawn renewed interest in the security of WPA3 implementations, and in particular in the Dragonfly code deployed in many open-source libraries. One of the attacks concerns the confidentiality of the user's password. In the Password Authenticated Key Exchange (PAKE) protocol called Dragonfly, this secret is mapped to an elliptic curve point. The mapping is a sensitive operation, since it processes the secret password directly, so its resistance to side-channel attacks is of the utmost importance. Following the initial disclosure of Dragonblood, we note that only a few implementations have patched this particular attack, and then only partially.
In this work, we develop a cache attack on the newly released iwd (iNet Wireless Daemon) implementation written by Intel. Our findings show that the patches applied after the disclosure of Dragonblood are insufficient. The iwd package is already deployed in the Arch Linux distribution, which is well known among security experts, and aims to offer an alternative to wpa_supplicant. We took advantage of state-of-the-art techniques to extend the original attack, demonstrating that we are able to recover the password with only a third of the measurements needed by the Dragonblood attack. To preserve backward compatibility, we advise a branch-free implementation as the mitigation, as was done in hostapd, and we measure the overhead incurred by this countermeasure. We published a full Proof of Concept on iwd, but a similar vulnerability is present in other open-source projects, such as FreeRADIUS.
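To make the distinction between the leaky and the branch-free password-to-point mapping concrete, the following is an added example written for this page; it is not code from iwd, hostapd, FreeRADIUS or the authors' Proof of Concept. It assumes a toy curve y^2 = x^3 + x + 7 over GF(2^31 - 1), an FNV-1a hash as a stand-in for the HMAC-based KDF, and 40 counter rounds, all chosen here for illustration. What matters is the loop shape: the vulnerable version returns as soon as a counter value yields a valid x-coordinate, so the number of rounds (and the code and data touched in the cache) depends on the password, while the branch-free version always runs every round and picks the first hit with a mask.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Toy parameters (assumption, not Dragonfly's real group): GF(p) with
 * p = 2^31 - 1 (a prime with p = 3 mod 4) and the curve y^2 = x^3 + A*x + B. */
#define P   2147483647ULL
#define A   1ULL
#define B   7ULL
#define K   40   /* fixed number of counter rounds in the hunting-and-pecking loop */

/* Stand-in for the HMAC-based KDF: FNV-1a over password || counter.
 * Assumption: only the loop structure matters for the side channel, not the hash. */
static uint32_t toy_kdf(const char *pwd, uint8_t counter)
{
    uint32_t h = 2166136261u;
    for (const unsigned char *q = (const unsigned char *)pwd; *q; q++) {
        h ^= *q;
        h *= 16777619u;
    }
    h ^= counter;
    h *= 16777619u;
    return h;
}

/* Left-to-right square-and-multiply. The exponent is a public constant, so the
 * multiply is selected with a mask rather than a branch on secret data. */
static uint64_t modpow(uint64_t base, uint64_t exp, uint64_t mod)
{
    uint64_t r = 1;
    base %= mod;
    for (int i = 63; i >= 0; i--) {
        r = (r * r) % mod;
        uint64_t t = (r * base) % mod;
        uint64_t mask = 0 - ((exp >> i) & 1);
        r = (t & mask) | (r & ~mask);
    }
    return r;
}

/* Constant-time equality: 1 if a == b, else 0, with no data-dependent branch. */
static uint64_t ct_eq(uint64_t a, uint64_t b)
{
    uint64_t d = a ^ b;
    return 1 ^ ((d | (0 - d)) >> 63);
}

/* Euler's criterion: v is a quadratic residue mod P iff v^((P-1)/2) == 1.
 * Simplification: v == 0 is treated as a miss. */
static uint32_t is_qr(uint64_t v)
{
    return (uint32_t)ct_eq(modpow(v, (P - 1) / 2, P), 1);
}

/* x^3 + A*x + B mod P; x is a valid x-coordinate iff this is a residue. */
static uint64_t curve_rhs(uint64_t x)
{
    uint64_t x2 = (x * x) % P;
    uint64_t x3 = (x2 * x) % P;
    return (x3 + (A * x) % P + B) % P;
}

/* VULNERABLE pattern: early exit on the first valid point, so the number of
 * executed rounds depends on the password and is observable through the cache. */
uint32_t pwe_x_branchy(const char *pwd, int *rounds_out)
{
    *rounds_out = 0;
    for (uint8_t counter = 1; counter <= K; counter++) {
        uint64_t x = toy_kdf(pwd, counter) % P;
        if (is_qr(curve_rhs(x))) {
            *rounds_out = counter;
            return (uint32_t)x;
        }
    }
    return 0;
}

/* Branch-free pattern: always runs all K rounds; the first hit is kept via a mask. */
uint32_t pwe_x_branchfree(const char *pwd)
{
    uint64_t found = 0, result = 0;
    for (uint8_t counter = 1; counter <= K; counter++) {
        uint64_t x = toy_kdf(pwd, counter) % P;
        uint64_t hit = is_qr(curve_rhs(x));   /* 0 or 1 */
        uint64_t take = hit & (found ^ 1);    /* only the first hit is selected */
        uint64_t mask = 0 - take;
        result = (x & mask) | (result & ~mask);
        found |= hit;
    }
    return (uint32_t)result;
}

/* Both loops must agree on the derived x-coordinate; returns 1 if they do. */
int same_result(const char *pwd)
{
    int rounds;
    return pwe_x_branchy(pwd, &rounds) == pwe_x_branchfree(pwd);
}

int main(void)
{
    const char *pwds[] = {"correct horse", "hunter2", "dragonfly"};   /* constructed inputs */
    for (size_t i = 0; i < 3; i++) {
        int rounds;
        uint32_t x = pwe_x_branchy(pwds[i], &rounds);
        printf("%-14s x=%u  branchy rounds=%d (leaks)  branch-free rounds=%d  agree=%d\n",
               pwds[i], x, rounds, K, same_result(pwds[i]));
    }
    return 0;
}
```

Two caveats a practitioner should keep in mind. First, branch-freeness in C source is not a guarantee at the binary level: an optimizer can turn the mask select back into a conditional jump, so the compiled object should be inspected (or checked with a constant-time testing tool) before trusting it. Second, the residue test itself must also be data-independent; an exponentiation or Legendre-symbol routine that branches on the secret value reintroduces the same leak inside every round, which is why the example keeps the exponent public and selects with masks.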