How is your Wi-Fi connection today? DoS attacks on WPA3-SAE

WPA3-Personal renders the Simultaneous Authentication of Equals (SAE) password-authenticated key agreement method mandatory. The scheme achieves forward secrecy and is highly resistant to offline brute-force dictionary attacks. Given that SAE is based on the Dragonfly handshake, essentially a simple password exponential key exchange, it remains susceptible to clogging type of attacks at the Access Point side. To resist such attacks, SAE includes an anti-clogging scheme. To shed light on this contemporary and high-stakes issue, this work offers a full-fledged empirical study on Denial of Service (DoS) against SAE. By utilizing both real-life modern Wi-Fi 6 certified and non-certified equipment and the OpenBSD’s hostapd, we expose a significant number of novel DoS assaults affecting virtually any AP. No less important, more than a dozen of vendor-depended and severe zero-day DoS assaults are manifested, showing that the implementation of the protocol by vendors is not yet mature enough. The fallout of the introduced attacks to the associated stations ranges from a temporary loss of Internet connectivity to outright disconnection. To our knowledge, this work provides the first wholemeal appraisal of SAE’s mechanism endurance against DoS, and it is therefore anticipated to serve as a basis for further research in this timely and intriguing area.