PEPPERL+FUCHS/ecom instruments WLAN Capable Devices using the WPA2 Protocol
Plan Patch | 8.1 | ICS-CERT ICSA-17-353-02 | Dec 19, 2017
Attack Vector: Adjacent
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary
Pepperl+Fuchs WLAN-capable ATEX devices (CK71A-ATEX, Smart-Ex 201, Ex-Handy 09, CN70E-ATEX, CN70A-ATEX, CK70A-ATEX, i.roc Ci70-Ex, Tab-Ex 01, Smart-Ex 01, Pad-Ex 01, Ex-Handy 209) use the WPA2 wireless protocol, which is vulnerable to key recovery attacks that allow an attacker within WiFi range to decrypt and potentially modify wireless communications without authentication. The vulnerability affects Android-based models: Tab-Ex 01, Ex-Handy 09, Ex-Handy 209, Smart-Ex 01, Smart-Ex 201. Pepperl+Fuchs has not announced availability of firmware patches for any affected product.
What this means
What could happen
An attacker within WiFi range could intercept encrypted wireless communications on these ATEX-certified devices (used in hazardous locations), compromising the confidentiality and integrity of control commands or sensor data. This could allow an attacker to read sensitive process information or alter communications between field devices and control systems.
Who's at risk
Water treatment and power utilities, refineries, chemical plants, and other organizations operating in hazardous (ATEX-rated) environments using Pepperl+Fuchs wireless survey instruments, mobile terminals, and data acquisition devices—specifically any facility using CK71A-ATEX, Smart-Ex 201, Ex-Handy 09, CN70E-ATEX, CN70A-ATEX, CK70A-ATEX, i.roc Ci70-Ex, Tab-Ex 01, Smart-Ex 01, Pad-Ex 01, or Ex-Handy 209 devices for process monitoring or configuration in explosive atmospheres.
How it could be exploited
An attacker with WiFi proximity to the device can perform a WPA2 protocol attack (such as a KRACK attack) to decrypt wireless traffic without authentication. Once the encryption is broken, the attacker can eavesdrop on or modify communications between the device and its network peers.
Prerequisites
- Wireless network proximity to an affected WLAN-capable device
- Device must be in operation and transmitting on the vulnerable WiFi network
- No credentials required for the initial WPA2 protocol attack
- Remotely exploitable via WiFi
- No authentication required
- Low complexity attack
- No fix available from vendor
- Public exploits available
- Affects ATEX safety-certified devices
Exploitability
Low exploit probability (EPSS 0.4%)
Affected products (11)
11 EOL
Product | Affected Versions | Fix Status
CK71A-ATEX: All versions | All versions | No fix (EOL)
Smart-Ex 201: All versions | All versions | No fix (EOL)
Ex-Handy 09: All versions | All versions | No fix (EOL)
CN70E-ATEX: All versions | All versions | No fix (EOL)
CN70A-ATEX: All versions | All versions | No fix (EOL)
CK70A-ATEX: All versions | All versions | No fix (EOL)
i.roc Ci70-Ex: All versions | All versions | No fix (EOL)
Tab-Ex 01: All versions | All versions | No fix (EOL)
Remediation & Mitigation
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
WORKAROUND: Monitor vendor advisory updates from Pepperl+Fuchs for any future firmware patches or WPA2 security updates
Mitigations - no patch available
The following products have reached End of Life with no planned fix: CK71A-ATEX: All versions, Smart-Ex 201: All versions, Ex-Handy 09: All versions, CN70E-ATEX: All versions, CN70A-ATEX: All versions, CK70A-ATEX: All versions, i.roc Ci70-Ex: All versions, Tab-Ex 01: All versions, Smart-Ex 01: All versions, Pad-Ex 01: All versions, Ex-Handy 209: All versions. Apply the following compensating controls:
HARDENING: Evaluate transition to alternative ATEX-certified devices with WPA3 or newer WiFi security protocols as replacements for CK71A-ATEX, Smart-Ex 201, Ex-Handy 09, CN70E-ATEX, CN70A-ATEX, CK70A-ATEX, i.roc Ci70-Ex, Tab-Ex 01, Smart-Ex 01, Pad-Ex 01, and Ex-Handy 209 devices
HARDENING: Implement network segmentation to isolate WiFi-connected ATEX devices from direct access to critical control systems; deploy a DMZ or firewall rules to restrict device-to-PLC/HMI communications
CVEs (1)
API:
/api/v1/advisories/5c0726c2-ec46-475b-aa58-9282525c729c