Stronger Wifi Encryption

succeed23

Well-known member
Joined
Apr 23, 2021
Threads
1
Messages
361
Reaction score
14
Location
Florida
Vehicles
2021 F150 Lariat
As a cyber engineer, I'm wired to look at the security settings for all the features/apps I use. I noticed the truck's wifi only has WPA encryption. I'm alarmed that Ford is using this level of encryption as it is easy to break, so I'm hoping an over-the-air update can address this change. Android Auto and likely Apple CarPlay connect to the truck's wifi as well as the Bluetooth connection. I'll likely have to connect to Android Auto via USB and disable the truck's wifi rather than use the wireless connection to reduce any potential risks. I'll update this if I'm mistaken, and can change the encryption level. Hopefully @Ford Motor Company can give this feedback to the proper team(s).

dweller

Well-known member
First Name
Jonathan
Joined
Jul 26, 2021
Threads
0
Messages
65
Reaction score
13
Location
Maryland, USA
Vehicles
Soon maybe 2021 F-150 Lariat 3.5EB 4x4 Lead Foot
Occupation
Army
EDIT: Where did you find that the hotspot “only has WPA encryption”?

This video shows a 2021 with WPA/WPA2 mixed mode:

While a WPA2-only network would be more secure, mixed mode allows clients to negotiate the encryption protocol. Most modern clients should be using WPA2 by default or at least negotiating WPA + TKIP/AES vs the vulnerable WPA/TKIP only.

Yes, WPA2-only would be ideal, but mixed mode is very common and should be just fine for the vast majority of users in a non-enterprise environment.

END EDIT


Why do you say it’s insecure? The insecurity of WPA is a result of using a weak WiFi password. If you use a secure password it’s virtually impossible to “break” WPA. Are you referring to retrieving the password hash from the 4-way handshake or is there something else?
 

Roady

Well-known member
First Name
Cory
Joined
Jan 10, 2021
Threads
3
Messages
435
Reaction score
48
Location
Northeast PA
Vehicles
2021 F150 XLT FX4
Occupation
Information Technology
I have not looked at this. I would think WPA would be satisfactory as long as, like @dweller said, you're using a strong password. I would also hope that Ford uses 802.1 authentication vs PSK mode, which is definitely less secure.

But........How long before we have Russian hackers installing ransomware on our trucks requesting bitcoins to unlock? o_O:cautious::cry:
 

Lippy

Well-known member
Joined
Feb 23, 2021
Threads
17
Messages
487
Reaction score
127
Location
CA
Vehicles
2021 F-150 Powerboost

dweller

This information is misleading. The vehicle hotspot uses WPA/WPA2 mixed mode. The truck does NOT “only have WPA encryption” like the OP states.

Mixed mode allows clients to use the more secure encryption algorithms supported by WPA2 and is therefore more secure. Older clients could technically fall back on the less secure WPA/TKIP, but modern devices will not do that. An attacker could still retrieve your hashed password, but as long as you use a secure password you will be fine.

WPA/WPA2 mixed mode is still used by the vast majority of commercial off-the-shelf devices.
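
An added example, not part of the post above or of any Ford tooling: whether a network is "WPA only" or WPA/WPA2 mixed mode, and whether TKIP is still offered, can be read from the WPA and RSN information elements in the access point's beacon. The function names are hypothetical and the byte strings are constructed samples, not captured from a vehicle.

```python
CIPHERS = {1: "WEP-40", 2: "TKIP", 4: "CCMP", 5: "WEP-104"}
AKMS = {1: "802.1X", 2: "PSK", 8: "SAE"}
RSN_OUI = bytes.fromhex("000fac")  # suite selectors in the RSN (WPA2) element
WPA_OUI = bytes.fromhex("0050f2")  # suite selectors in the vendor-specific WPA element

def _name(sel, oui, names):
    return names.get(sel[3], f"type-{sel[3]}") if sel[:3] == oui else sel.hex()

def _suite_list(buf, off, oui, names):
    """Read a little-endian 2-byte count, then that many 4-byte suite selectors."""
    count = int.from_bytes(buf[off:off + 2], "little")
    end = off + 2 + 4 * count
    if off + 2 > len(buf) or end > len(buf):
        raise ValueError("truncated suite list")
    return [_name(buf[i:i + 4], oui, names) for i in range(off + 2, end, 4)], end

def _parse(body, oui):
    # Layout shared by both elements: version(2), group suite(4), pairwise list, AKM list
    if len(body) < 6:
        raise ValueError("element too short")
    pairwise, off = _suite_list(body, 6, oui, CIPHERS)
    akm, _ = _suite_list(body, off, oui, AKMS)
    return {"group": _name(body[2:6], oui, CIPHERS), "pairwise": pairwise, "akm": akm}

def advertised_security(ies):
    """Walk the tag/length/value elements and decode the WPA and WPA2 ones."""
    found, off = {}, 0
    while off + 2 <= len(ies):
        tag, length = ies[off], ies[off + 1]
        body = ies[off + 2:off + 2 + length]
        if len(body) < length:
            raise ValueError("truncated element")
        if tag == 48:  # RSN element
            found["WPA2"] = _parse(body, RSN_OUI)
        elif tag == 221 and body[:4] == WPA_OUI + b"\x01":  # WPA element
            found["WPA"] = _parse(body[4:], WPA_OUI)
        off += 2 + length
    return found

def summarize(found):
    mode = "/".join(sorted(found)) or "open or WEP"
    tkip = any("TKIP" in v["pairwise"] for v in found.values())
    return mode, tkip  # (protocols advertised, is TKIP offered as a pairwise cipher)

# Constructed sample elements: an SSID, then RSN and WPA elements for mixed mode.
MIXED = bytes.fromhex("0005545255434b"
    " 3018 0100 000fac02 0200 000fac04 000fac02 0100 000fac02 0000"
    " dd1a 0050f201 0100 0050f202 0200 0050f204 0050f202 0100 0050f202")
WPA2_ONLY = bytes.fromhex("3014 0100 000fac04 0100 000fac04 0100 000fac02 0000")
```

In the mixed-mode sample both elements list CCMP (AES) ahead of TKIP, and the group cipher is TKIP in both; the WPA2-only sample lists CCMP alone.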
 

succeed23

> Why do you say it’s insecure? The insecurity of WPA is a result of using a weak WiFi password. If you use a secure password it’s virtually impossible to “break” WPA. Are you referring to retrieving the password hash from the 4-way handshake or is there something else?
I didn't mean to turn this into a cybersecurity debate. In short, there are known vulnerabilities which anyone can Google about WPA. Anything is insecure when a weak password is being used, so I'm not following you there. I never heard of WPA being virtually impossible to break with a strong password. That's news to me. WPA2 and WPA3 have better encryption, but again anything is insecure when a weak password is used.

I'm not one of those dudes that acts like he knows everything there is to know about cybersecurity, so if you have links to information on how secure WPA is I'll read up on it. Know that CISA, as one example, recommends that home networks use WPA3.
https://us-cert.cisa.gov/ncas/tips/ST15-002

WPA2 is still secure, but of course CISA is shooting for the stars. Lol
 
succeed23

> This information is misleading. The vehicle hotspot uses WPA/WPA2 mixed mode. The truck does NOT “only have WPA encryption” like the OP states.
>
> Mixed mode allows clients to use the more secure encryption algorithms supported by WPA2 and is therefore more secure. Older clients could technically fall back on the less secure WPA/TKIP, but modern devices will not do that. An attacker could still retrieve your hashed password, but as long as you use a secure password you will be fine.
>
> WPA/WPA2 mixed mode is still used by the vast majority of commercial off-the-shelf devices.
I didn't mention the Hotspot. To your point, I can make that clearer. I'm speaking about the truck's wifi that's used for wireless app projection. Just because a majority of commercial companies use WPA doesn't mean it's secure. Lol. Script kiddies can crack WPA.
WPA2/3 are completely different beasts. I appreciate you mentioning the Hotspot, because that did allow me to clarify the setting I was referring to.
 

dweller

> I didn't mention the Hotspot. To your point, I can make that clearer. I'm speaking about the truck's wifi that's used for wireless app projection. Just because a majority of commercial companies use WPA doesn't mean it's secure. Lol. Script kiddies can crack WPA.
> WPA2/3 are completely different beasts. I appreciate you mentioning the Hotspot, because that did allow me to clarify the setting I was referring to.
Do you have a source on that? The hardware obviously supports other protocols. It doesn’t make sense that it’d force WPA. But also WPA isn’t the encryption, it’s the protocol. And with hardware that supports mixed mode, even WPA can use the more secure encryption provided by WPA2, making it just as secure.

Are you saying it forces you to connect with WPA + TKIP? What exactly is insecure about the truck's use of WPA?
 
succeed23

> I have not looked at this. I would think WPA would be satisfactory as long as, like @dweller said, you're using a strong password. I would also hope that Ford uses 802.1 authentication vs PSK mode, which is definitely less secure.
>
> But........How long before we have Russian hackers installing ransomware on our trucks requesting bitcoins to unlock? o_O:cautious::cry:
Yea I think the progression is definitely leaning towards attackers targeting vehicles. Here's some good news about ransomware concerns. I've studied malware and malware attacks, and a large majority of ransomware attacks occur on organizations/businesses. Surprisingly, home networks make up a small percentage of the overall ransomware attacks*. I hope this trend will be seen in vehicles too, but putting on my blackhat, I think I'd target vehicles of a particular value. Rich cars = rich owners that can fork out serious cash. I'm clearly speculating here, but it'll be interesting to see how things shape out.

*As with all trends in cybersecurity, the aforementioned trend may have already changed since I studied ransomware attacks.
 
succeed23

> Do you have a source on that? The hardware obviously supports other protocols. It doesn’t make sense that it’d force WPA. But also WPA isn’t the encryption, it’s the protocol. And with hardware that supports mixed mode, even WPA can use the more secure encryption provided by WPA2, making it just as secure.
>
> Are you saying it forces you to connect with WPA + TKIP? What exactly is insecure about the truck's use of WPA?
Assuming you have a gen 14 truck, you can check it out for yourself. I haven't seen a way to change it. It definitely is weird for sure. Whenever I talk about wifi protocols I tend to lump in the encryption they use. Again, there are several WPA vulnerabilities that. Literally Google "WPA vulnerabilities" and you'll have all the links you can handle. I haven't checked out the link another user provided, but take a look at that one too. Based on your edit, it seems you still are focused on the Hotspot. Like I said, I didn't mean for this to be a debate of sorts. Especially on something as trivial as known WPA security concerns. I don't have anything else to add.
 


dweller

> Assuming you have a gen 14 truck, you can check it out for yourself. I haven't seen a way to change it. It definitely is weird for sure. Whenever I talk about wifi protocols I tend to lump in the encryption they use. Again, there are several WPA vulnerabilities that. Literally Google "WPA vulnerabilities" and you'll have all the links you can handle. I haven't checked out the link another user provided, but take a look at that one too. Based on your edit, it seems you still are focused on the Hotspot. Like I said, I didn't mean for this to be a debate of sorts. Especially on something as trivial as known WPA security concerns. I don't have anything else to add.
I don’t understand the point of the post then. The WiFi technology that the truck uses is no less secure than everything else out there that 99% of people use. Any modern device (i.e. your smart phone) is going to negotiate and use WPA2 not WPA like you imply in the OP. Having mixed mode for legacy devices does not compromise the security of the network.

You’re sounding the alarm and raising concerns for no reason.
 
succeed23

> I have not looked at this. I would think WPA would be satisfactory as long as, like @dweller said, you're using a strong password. I would also hope that Ford uses 802.1 authentication vs PSK mode, which is definitely less secure.
>
> But........How long before we have Russian hackers installing ransomware on our trucks requesting bitcoins to unlock? o_O:cautious::cry:
I looked into this further and you're spot on. I expect nothing less from a 4/26 gang member. Apparently, the latest WPA can use AES too. Assuming these two blocks are checked, there's no concern on my end.

I'm curious if anyone thinks the two aforementioned updates to WPA wouldn't be enough to deal with the security concerns it inherited from WEP. Great discussion, gents!
 
succeed23

> I don’t understand the point of the post then. The WiFi technology that the truck uses is no less secure than everything else out there that 99% of people use. Any modern device (i.e. your smart phone) is going to negotiate and use WPA2 not WPA like you imply in the OP. Having mixed mode for legacy devices does not compromise the security of the network.
>
> You’re sounding the alarm and raising concerns for no reason.
Ok. Lol. You got it, bro.
 

Infotroll

Well-known member
Joined
Mar 25, 2021
Threads
5
Messages
206
Reaction score
31
Location
NH
Vehicles
F 150 2022
Very little tech here but agree hacking a car is the next evolution in the world. Sounding an alarm ehh not so much as a thought. Just my 2 cents.
 

sglide05

Well-known member
First Name
Todd
Joined
Feb 17, 2021
Threads
0
Messages
142
Reaction score
21
Location
Vancouver, Washington
Vehicles
2021 XLT
I'm a little confused about the Hotspot and wireless app projection. What's the difference? I know one lets your phone have wireless connectivity, what's the other for? Sorry for the dumb question.