PHOENIX CONTACT WLAN Capable Devices using the WPA2 Protocol

MonitorCVSS 6.8ICS-CERT ICSA-17-325-01Nov 21, 2017

Phoenix Contact

Attack path

Attack VectorAdjacent

Auth RequiredNone

ComplexityHigh

User InteractionNone needed

Summary

Phoenix Contact WLAN-capable devices implement the WPA2 wireless security protocol, which is vulnerable to Key Reinstallation Attacks (KRACK). This flaw allows an attacker within wireless range to intercept encrypted traffic, decrypt communications, and inject malicious packets into the wireless network. Affected products include WLAN access points, industrial Ethernet gateways, and serial-to-WLAN converters across the VMT, FL WLAN, COMSERVER, TPC, BL2, ITC, and RAD product families. All versions of affected products are impacted. The vulnerability exists in the WPA2 protocol design itself, not a firmware implementation error specific to Phoenix Contact.

What this means

What could happen

An attacker within wireless range could intercept, decrypt, or modify network traffic to and from Phoenix Contact WLAN devices, potentially allowing them to capture engineering credentials or alter device configurations that control process operations.

Who's at risk

Water utilities, municipal electric utilities, and other critical infrastructure operators using Phoenix Contact WLAN access points, industrial gateways, or serial-to-WLAN converters for process monitoring or remote engineering access. Affected equipment includes VMT, FL WLAN, COMSERVER, TPC, BL2, ITC, and RAD series devices used to wirelessly connect sensors, programmable logic controllers (PLCs), and engineering workstations.

How it could be exploited

An attacker within wireless range of the device broadcasts a specially crafted WPA2 Key Reinstallation Attack (KRACK) packet to force key reinstallation. Once the key is reset, the attacker can decrypt and modify wireless traffic, capturing plaintext credentials or injecting commands to change device settings.

Prerequisites

Wireless range of the affected device (approximately 300 feet or less depending on environment and antenna)
Ability to intercept WPA2 4-way handshake traffic
No special credentials required to begin attack

Remotely exploitable from wireless rangeNo authentication required to initiate attackLow complexity attack (public exploits available)No patch available for any affected productCould affect safety systems if wireless link is critical to process control

Exploitability

Unlikely to be exploited — EPSS score 0.7%

Affected products (19)

19 EOL

ProductAffected VersionsFix Status

VMT 70xx: all versionsAll versionsNo fix (EOL)

FL WLAN 510x: all versionsAll versionsNo fix (EOL)

FL WLAN SPA: all versionsAll versionsNo fix (EOL)

FL COMSERVER WLAN 232/422/485: all versionsAll versionsNo fix (EOL)

TPC 6013: all versionsAll versionsNo fix (EOL)

Remediation & Mitigation

0/6

Do now

0/2

HARDENINGIsolate affected WLAN devices to a segregated network segment with no access to critical control systems or engineering workstations

WORKAROUNDDisable WLAN on affected devices where wired Ethernet connectivity is available as an alternative

Schedule — requires maintenance window

0/2

Patching may require device reboot — plan for process interruption

HARDENINGUse a wireless intrusion detection system (WIDS) to monitor for and alert on suspicious WLAN activity near your facility

HARDENINGEnforce VPN or other encryption tunneling for any engineering access through these WLAN devices to protect credentials and commands in transit

Long-term hardening

0/1

HOTFIXContact Phoenix Contact to request information on potential WPA3 firmware updates or migration path for affected products

Mitigations - no patch available

0/1

The following products have reached End of Life with no planned fix: VMT 70xx: all versions, FL WLAN 510x: all versions, FL WLAN SPA: all versions, FL COMSERVER WLAN 232/422/485: all versions, TPC 6013: all versions, VMT 30xx: all versions, FL WLAN 24 EC 802-11: all versions, BL2 BPC: all versions, FL WLAN 110x: all versions, FL WLAN 24 DAP 802-11: all versions, FL WLAN EPA: all versions, BL2 PPC: all versions, ITC 8113: all versions, VMT 50xx: all versions, RAD-80211-XD: all versions, FL WLAN 210x: all versions, FL WLAN 24 AP 802-11: all versions, RAD-WHG/WLAN-XD: all versions, FL WLAN 230 AP 802-11: all versions. Apply the following compensating controls:

HARDENINGPhysically locate WLAN devices indoors and away from facility perimeter to reduce wireless range exposure to attackers outside the building

CVEs (1)

CVE-2017-13077

View full CISA ICS-CERT advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/940fee45-ae9a-43fe-a760-ffa79038a2c9

Get OT security insights every Tuesday

Advisory breakdowns, a weekly summary, and incident analyses for the people actually defending OT environments. Free, no account required.