

Dragonblood vulnerabilities disclosed in WiFi WPA3 standard



Logo: Mathy Vanhoef & Eyal Ronen // Composition: ZDNet

Two security researchers disclosed details today about a group of vulnerabilities collectively referred to as Dragonblood that impact the WiFi Alliance’s recently launched WPA3 Wi-Fi security and authentication standard.

If ever exploited, the vulnerabilities would allow an attacker within the range of a victim’s network to recover the Wi-Fi password and infiltrate the target’s network.

The Dragonblood vulnerabilities

In total, five vulnerabilities are part of the Dragonblood ensemble: a denial of service attack, two downgrade attacks, and two side-channel information leaks.

While the denial of service attack is somewhat unimportant as it only leads to crashing WPA3-compatible access points, the other four are the ones that can be used to recover user passwords.

Both the two downgrade attacks and the two side-channel leaks exploit design flaws in the WPA3 standard’s Dragonfly key exchange, the mechanism through which clients authenticate on a WPA3 router or access point.

In a downgrade attack, WPA3-capable WiFi networks can be coerced into using an older and more insecure password exchange system, which can allow attackers to retrieve the network passwords using older flaws.

In a side-channel information leak attack, WiFi WPA3-capable networks can trick devices into using weaker algorithms that leak small amounts of information about the network password. With repeated attacks, the full password can eventually be recovered.

Downgrade to Dictionary Attack – works on networks where both WPA3 and WPA2 are supported at the same time via WPA3’s “transition mode.” This attack has been confirmed on a recently released Samsung Galaxy S10 device. Explainer below:

If a client and AP both support WPA2 and WPA3, an adversary can set up a rogue AP that only supports WPA2. This causes the client (i.e. victim) to connect using WPA2’s 4-way handshake. Although the client detects the downgrade-to-WPA2 during the 4-way handshake, this is too late. The 4-way handshake messages that were exchanged before the downgrade was detected, provide enough information to launch an offline dictionary attack.

Group Downgrade Attack – works when WPA3 is configured to work with multiple groups of cryptographic algorithms, instead of just one. Basic downgrade attack. Explainer below:

For example, say a client supports the elliptic curves P-521 and P-256, and prefers to use them in that order. In that case, even though the AP also supports the P-521 curve, an adversary can force the client and AP into using the weaker P-256 curve. This can be accomplished by jamming the messages of the Dragonfly handshake, and forging a message that indicates certain curves are not supported.

Cache-Based Side-Channel Attack (CVE-2019-9494) – exploits the Dragonfly protocol’s “hunting and pecking” algorithm. High-level explainer below:

If an adversary can determine which branch of the if-then-else branch was taken, they can learn whether the password element was found in a specific iteration of this algorithm. In practice we found that, if an adversary can run unprivileged code on the victim machine, we were able to use cache-based attacks to determine which branch was taken in the first iteration of the password generation algorithm. This information can be abused to perform a password partitioning attack (this is similar to an offline dictionary attack).

Timing-Based Side-Channel Attack (CVE-2019-9494) – exploits WPA3’s “multiplicative groups” feature. Explainer below:

When the Dragonfly handshake uses certain multiplicative groups, the password encoding algorithm uses a variable number of iterations to encode the password. The precise number of iterations depends on the password being used, and the MAC address of the AP and client. An adversary can perform a remote timing attack against the password encoding algorithm, to determine how many iterations were needed to encode the password. The recovered information can be abused to perform a password partitioning attack, which is similar to an offline dictionary attack.
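The iteration-count leak described above can be seen in a simplified model. The following is an added example, not code from the article, the researchers or any WPA3 implementation: the toy prime, the HMAC-based candidate function, the sample MAC addresses and passwords, and the fixed count `K` are all assumptions chosen for illustration. It contrasts an early-exit loop with one that always runs the same number of iterations.

```python
import hashlib
import hmac

P = 65537               # constructed toy prime; real multiplicative groups are 1024+ bits
BITS = P.bit_length()   # 17 bits, so roughly half of all candidates are >= P
K = 40                  # fixed iteration count for the hardened variant (assumed value)
AP_MAC = bytes.fromhex("020000000001")    # constructed sample addresses
STA_MAC = bytes.fromhex("020000000002")
SAMPLE_PASSWORDS = [f"constructed-pass-{i}".encode() for i in range(24)]

def candidate(password, mac_a, mac_b, counter):
    """One hunting-and-pecking step: hash password, MACs and counter to a BITS-wide integer."""
    key = max(mac_a, mac_b) + min(mac_a, mac_b)
    digest = hmac.new(key, password + bytes([counter]), hashlib.sha256).digest()
    return int.from_bytes(digest, "big") >> (256 - BITS)

def derive_variable(password, mac_a, mac_b):
    """Leaky form: return at the first usable candidate.
    The second return value is what a timing observer can estimate."""
    for counter in range(1, 256):
        value = candidate(password, mac_a, mac_b, counter)
        if 1 < value < P:
            return value, counter
    raise ValueError("no usable candidate found")

def derive_fixed(password, mac_a, mac_b, k=K):
    """Hardened form: always run k iterations and keep the first usable candidate.
    Models the iteration count only; Python itself is not constant-time."""
    element = 0
    for counter in range(1, k + 1):
        value = candidate(password, mac_a, mac_b, counter)
        if 1 < value < P and element == 0:
            element = value
    if element == 0:
        raise ValueError("no usable candidate within k iterations")
    return element, k

def iteration_profile(derive, passwords, mac_a, mac_b):
    """Map each password to the number of iterations its derivation performed."""
    return {pw: derive(pw, mac_a, mac_b)[1] for pw in passwords}

if __name__ == "__main__":
    print("early exit:", sorted(set(iteration_profile(
        derive_variable, SAMPLE_PASSWORDS, AP_MAC, STA_MAC).values())))
    print("fixed count:", sorted(set(iteration_profile(
        derive_fixed, SAMPLE_PASSWORDS, AP_MAC, STA_MAC).values())))
```

With the early-exit loop the iteration count differs from password to password for the same pair of MAC addresses, which is the signal the timing attack measures; the fixed-count loop derives the same element while performing identical work for every password.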

More detailed explanations for each of these vulnerabilities are available in an academic paper authored by Mathy Vanhoef and Eyal Ronen, titled “Dragonblood: A Security Analysis of WPA3’s SAE Handshake”, or on this website dedicated to the Dragonblood vulnerabilities.

Dragonblood also impacts EAP-pwd

Besides WPA3, researchers said the Dragonblood vulnerabilities also impact the EAP-pwd (Extensible Authentication Protocol) that is supported in the previous WPA and WPA2 WiFi authentication standards.

“We […] discovered serious bugs in most products that implement EAP-pwd,” the research duo said. “These allow an adversary to impersonate any user, and thereby access the Wi-Fi network, without knowing the user’s password.”

The two researchers didn’t publish details on how the Dragonblood vulnerabilities impact EAP-pwd because the patching process is still in progress. They did, however, publish tools that can be used to discover if WPA3-capable devices are vulnerable to any of the major Dragonblood flaws.

Fixes for WPA3 are available

On the other hand, the WiFi Alliance announced today a security update for the WPA3 standard following Vanhoef and Ronen’s public disclosure of the Dragonblood flaws.

“These issues can all be mitigated through software updates without any impact on devices’ ability to work well together,” the WiFi Alliance said today in a press release. Vendors of WiFi products will now have to integrate these changes into their products via firmware updates.

Vanhoef is the same security researcher who in the fall of 2017 disclosed the KRACK attack on the WiFi WPA2 standard, which was the main reason the WiFi Alliance developed WPA3 in the first place.
