New Dragonblood vulnerabilities found in WiFi WPA3 standard

Image: Mathy Vanhoef & Eyal Ronen

Earlier this year in April, two security researchers disclosed details about five vulnerabilities (collectively known as Dragonblood) in the WiFi Alliance’s recently launched WPA3 WiFi security and authentication standard.

Yesterday, the same security researchers disclosed two new additional bugs impacting the same standard.

The two researchers — Mathy Vanhoef and Eyal Ronen — found these two new bugs in the security recommendations the WiFi Alliance created for equipment vendors in order to mitigate the initial Dragonblood attacks.

Just like the original Dragonblood vulnerabilities from April, these two new ones allow attackers to leak information from WPA3 cryptographic operations and brute-force a WiFi network’s password.

The two bugs explained

The first bug is CVE-2019-13377, which impacts WPA3’s Dragonfly handshake when using Brainpool curves.

Dragonfly is the key exchange mechanism through which users authenticate on a WPA3 router or access point. In April, Vanhoef and Ronen found that Dragonfly key exchanges that relied on P-521 elliptic curves could be downgraded to use the weaker P-256. As a result, the WiFi Alliance recommended that vendors use the stronger Brainpool curves as part of the Dragonfly algorithms.

“However, we found that using Brainpool curves introduces a second class of side-channel leaks in the Dragonfly handshake of WPA3,” the two researchers explained. “We confirmed the new Brainpool leak in practice against the latest Hostapd version, and were able to brute-force the password using the leaked information.”
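For defenders who want to know where Brainpool groups are offered for the Dragonfly (SAE) handshake, here is an added example, not code from the article or the researchers: a small audit of hostapd configuration text. It assumes hostapd's `sae_groups` and `wpa_key_mgmt` options and the IANA group numbers 27-30 for the Brainpool curves; the sample configuration is constructed.

```python
# Added example: flag hostapd BSS blocks that offer Brainpool groups for SAE.
# Assumption: IANA group numbers 27-30 are the Brainpool curves (RFC 6932);
# the article names the curve family, not these numbers.
BRAINPOOL_GROUPS = {
    27: "brainpoolP224r1",
    28: "brainpoolP256r1",
    29: "brainpoolP384r1",
    30: "brainpoolP512r1",
}
SAE_KEY_MGMT = {"SAE", "FT-SAE"}

# Constructed sample configuration (not taken from any real deployment).
SAMPLE_CONF = """\
interface=wlan0
ssid=corp
wpa_key_mgmt=SAE
sae_groups=19 28 30
# guest network is WPA2-PSK only, so its sae_groups line is never used
bss=wlan0_guest
ssid=guest
wpa_key_mgmt=WPA-PSK
sae_groups=29
bss=wlan0_lab
ssid=lab
wpa_key_mgmt=SAE FT-SAE
sae_groups=19 20
"""

def parse_bss_blocks(conf_text):
    """Split config text into per-BSS dicts; a block starts at interface=/bss=."""
    blocks, current = [], None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if key in ("interface", "bss"):
            current = {"name": value}
            blocks.append(current)
        elif current is not None:
            current[key] = value
    return blocks

def audit_sae_groups(conf_text):
    """Return (bss, group, curve) for each Brainpool group listed on an SAE BSS."""
    findings = []
    for bss in parse_bss_blocks(conf_text):
        if not SAE_KEY_MGMT & set(bss.get("wpa_key_mgmt", "").split()):
            continue  # SAE not enabled here, so sae_groups has no effect
        for tok in bss.get("sae_groups", "").split():
            if tok.isdigit() and int(tok) in BRAINPOOL_GROUPS:
                findings.append((bss["name"], int(tok), BRAINPOOL_GROUPS[int(tok)]))
    return findings
```

A BSS with no `sae_groups` line falls back to hostapd's built-in default, which this check does not evaluate; it reports only groups that are listed explicitly.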

The second bug is CVE-2019-13456, which impacts the EAP-pwd implementation in the FreeRADIUS framework, used by many vendors to support WiFi connectivity.

EAP-pwd (Extensible Authentication Protocol) is an authentication system supported in the previous WPA and WPA2 WiFi authentication standards, and it is also supported for legacy purposes in WPA3.

Just like the previous bug, there is an information leak in the EAP-pwd authentication process on some FreeRADIUS-supported devices, which allows attackers to recover passwords.

WiFi Alliance’s closed standards development

The researchers said they reported these two new bugs to the WiFi Alliance.

“[The] Wi-Fi standard is now being updated with proper defenses, which might lead to WPA3.1,” Vanhoef said.

“Although this update is not backwards-compatible with current deployments of WPA3, it does prevent most of our attacks,” the researchers said.

But besides just disclosing the two new Dragonblood vulnerabilities, the two researchers also took the chance to criticize the WiFi Alliance again for its closed standards development process that doesn’t allow for the open-source community to contribute and prevent big vulnerabilities from making it into the standard in the first place.

“This demonstrates that implementing Dragonfly and WPA3 without side-channel leaks is surprisingly hard,” the researchers said. “It also, once again, shows that privately creating security recommendations and standards is at best irresponsible and at worst inept.”

While this type of feedback might be ignored when coming from other researchers, it means more when it comes from Vanhoef. The Belgian researcher is the one who discovered the KRACK attack that broke the WPA2 WiFi authentication standard and forced the WiFi Alliance to develop the WPA3 standard, which it launched in June 2018.

Details about the two new Dragonblood vulnerabilities are available in an updated version of the Dragonblood white paper.
