18 October 2017
WPA2 Vulnerabilities Can Be Used to Attack Industrial Systems
On October 16, 2017 a group of researchers disclosed information on critical vulnerabilities in the WPA2 protocol, which enable attackers to bypass protection and listen to Wi-Fi traffic. According to a report published by the researchers, serious flaws were identified in the key management schemes in the four-way handshake used by WPA2. The four-way handshake is vulnerable to a key reinstallation attack (KRACK), which is essentially a man-in-the-middle attack that tricks a victim into reinstalling already-in-use encryption keys protecting WPA2 traffic. In addition to WPA2, the attack is effective against the obsolete WPA protocol.
The impact on the information transmitted depends on the encryption type used. When using WPA-TKIP or GCMP, attackers can not only decrypt WPA2 traffic or develop replay attacks (which is relevant to AES-CCMP, as well), but also inject arbitrary forged packets into the victim’s data.
According to Kaspersky Lab ICS CERT researchers, WPA2 vulnerabilities can be exploited in attacks against industrial control systems (ICS). Some programmable logic controllers (PLC) use Wi-Fi for wireless configuration and management. However, the WPA2 security problem affects mostly network communication devices, smartphones and tablets used by engineers and operators for remote access to ICS.
The threat of MitM remains particularly relevant to industrial networks. Unlike personal operating systems, where most vulnerabilities in implementations of transport layer network protocols have been patched, numerous vulnerabilities (such as predictable TCP packet ISNs, reusing the nonce, etc.) remain in industrial software, enabling traffic to be intercepted or injected. The vulnerabilities in WPA2 implementations open one more opportunity for MitM attacks on industrial networks that use Wi-Fi to control industrial hardware.
Since the vulnerability is at protocol level, KRACK attacks affect most Wi-Fi devices regardless of the operating systems used. The most vulnerable operating systems inсlude Android 6.0, Android Wear 2.0 and Linux running wpa_supplicant v. 2.4 and 2.5, but other operating systems, including OS X, iOS and Windows, can be successfully attacked as well.
As regards direct impact on industrial processes, it should be noted that Wi-Fi is widely used in some such industrial facilities as warehouses (including ports and sorting terminals), as well as in logistics and factory automation (especially in food and pharmaceutical industries), and to collect data for technical and commercial accounting. Unauthorized access to such information, which can be gained by attackers after decrypting Wi-Fi traffic, could lead to serious damage, including interruptions in transportation of goods and misplaced products.
As a rule, even banning Wi-Fi in industrial enterprises does not solve the problem. Using wireless networks uncontrollably and connecting wireless routers directly to control networks are common violations detected during ICS IT security audits.
This means that the newly-disclosed WPA2 vulnerabilities create a new “entry point” for possible attacks on industrial control systems, significantly expanding their scope. It is highly important that vendors of industrial automation systems assess the relevance of these vulnerabilities for their products.
Some vendors, including Ars, Aruba, Ubiquiti, and Mikrotik, have released security fixes for their products. Kaspersky Lab ICS CERT experts recommend that businesses check whether patches are available and install them as they are released.
Until patches are released and installed, we recommend encrypting data transferred via Wi-Fi connections using protocols that are not related to wireless communications, such as SSL (SSH, VPN etc.), to ensure that the information remains secure even if the Wi-Fi connection is compromised.
Industrial enterprises should also mitigate risks associated with the possible compromise of their corporate Wi-Fi networks, since this can be used as an attack vector targeting control networks. It is also essential to follow standard recommendations, including:
- Implementing network segmentation and firewall protection;
- regularly auditing wireless networks to detect unauthorized networks.