OTPulse

PHOENIX CONTACT WLAN Capable Devices using the WPA2 Protocol

Monitor · CVSS 6.8 · ICS-CERT ICSA-17-325-01 · Nov 21, 2017
Attack Vector: Adjacent
Auth Required: None
Complexity: High
User Interaction: None needed
Summary

Phoenix Contact WLAN-capable devices implement the WPA2 wireless security protocol, which is vulnerable to Key Reinstallation Attacks (KRACK). This flaw allows an attacker within wireless range to intercept encrypted traffic, decrypt communications, and inject malicious packets into the wireless network. Affected products include WLAN access points, industrial Ethernet gateways, and serial-to-WLAN converters across the VMT, FL WLAN, COMSERVER, TPC, BL2, ITC, and RAD product families. All versions of affected products are impacted. The vulnerability exists in the WPA2 protocol design itself, not a firmware implementation error specific to Phoenix Contact.

What this means
What could happen
An attacker within wireless range could intercept, decrypt, or modify network traffic to and from Phoenix Contact WLAN devices, potentially allowing them to capture engineering credentials or alter device configurations that control process operations.
Who's at risk
Water utilities, municipal electric utilities, and other critical infrastructure operators using Phoenix Contact WLAN access points, industrial gateways, or serial-to-WLAN converters for process monitoring or remote engineering access. Affected equipment includes VMT, FL WLAN, COMSERVER, TPC, BL2, ITC, and RAD series devices used to wirelessly connect sensors, programmable logic controllers (PLCs), and engineering workstations.
How it could be exploited
An attacker within wireless range of the device broadcasts a specially crafted WPA2 Key Reinstallation Attack (KRACK) packet to force key reinstallation. Once the key is reset, the attacker can decrypt and modify wireless traffic, capturing plaintext credentials or injecting commands to change device settings.
Prerequisites
  • Wireless range of the affected device (approximately 300 feet or less depending on environment and antenna)
  • Ability to intercept WPA2 4-way handshake traffic
  • No special credentials required to begin attack
  • Remotely exploitable from wireless range
  • No authentication required to initiate attack
  • Low complexity attack (public exploits available)
  • No patch available for any affected product
  • Could affect safety systems if wireless link is critical to process control
Exploitability
Low exploit probability (EPSS 0.4%)
Affected products (19), all 19 EOL

Product                       | Affected Versions | Fix Status
VMT 70xx                      | All versions      | No fix (EOL)
FL WLAN 510x                  | All versions      | No fix (EOL)
FL WLAN SPA                   | All versions      | No fix (EOL)
FL COMSERVER WLAN 232/422/485 | All versions      | No fix (EOL)
TPC 6013                      | All versions      | No fix (EOL)
Remediation & Mitigation
Do now
HARDENING: Isolate affected WLAN devices to a segregated network segment with no access to critical control systems or engineering workstations
WORKAROUND: Disable WLAN on affected devices where wired Ethernet connectivity is available as an alternative
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HARDENING: Use a wireless intrusion detection system (WIDS) to monitor for and alert on suspicious WLAN activity near your facility
HARDENING: Enforce VPN or other encryption tunneling for any engineering access through these WLAN devices to protect credentials and commands in transit
Long-term hardening
HOTFIX: Contact Phoenix Contact to request information on potential WPA3 firmware updates or migration path for affected products
Mitigations - no patch available
The following products have reached End of Life with no planned fix (all versions affected):
  • VMT 70xx
  • FL WLAN 510x
  • FL WLAN SPA
  • FL COMSERVER WLAN 232/422/485
  • TPC 6013
  • VMT 30xx
  • FL WLAN 24 EC 802-11
  • BL2 BPC
  • FL WLAN 110x
  • FL WLAN 24 DAP 802-11
  • FL WLAN EPA
  • BL2 PPC
  • ITC 8113
  • VMT 50xx
  • RAD-80211-XD
  • FL WLAN 210x
  • FL WLAN 24 AP 802-11
  • RAD-WHG/WLAN-XD
  • FL WLAN 230 AP 802-11
Apply the following compensating controls:
HARDENING: Physically locate WLAN devices indoors and away from the facility perimeter to reduce wireless range exposure to attackers outside the building