Wi-Fi transport layer security (WPA/WPA2) vulnerability - KRACK (Key Re-installation Attack)
Discovered Wi-Fi transport layer security (WPA/WPA2) vulnerabilities within Digi International products supporting Wi-Fi interfaces. This is also known as the KRACK (Key Re-installation Attack) vulnerability.
On October 16th, 2017, a public vulnerability was released that impacted the Wi-Fi "over the air" encryption protocol known as WPA/WPA2. The name of this attack was called "KRACK" for "Key Reinstallation Attacks." These vulnerabilities allow an attacker to intercept and, in some special cases, inject network traffic between a Wi-Fi client and a Wi-Fi access point. This attack can only be performed if the attacker is within radio intercept distance of a client and Access Point (AP). It is noted that with the discovered vulnerabilities, both the client and the AP must be corrected to fully protect the network traffic. The impact of this vulnerability is only in regards to the transport layer. Other encryption that is done at other layers, like TLS 1.2, is not impacted and can be considered safe. Keep in mind, with a corrupted transport layer it may be possible to conduct other attacks, like man in the middle (MitM), by tricking end users.
At this time, we believe only Digi Wi-Fi Client mode is impacted by KRACK, however we will continue to evaluate all Digi products. Please check back to this notice for any updates, or new information on impacted devices.
Digi Affected CVE's
The official KRACK notice includes 10 CVEs. However, only the CVEs listed below impact Digi devices:
Reinstallation of the pairwise encryption key (PTK-TK) in the 4-way handshake
Reinstallation of the group key (GTK) in the 4-way handshake
Reinstallation of the integrity group key (IGTK) in the 4-way handshake
Reinstallation of the group key (GTK) in the group key handshake
Reinstallation of the integrity group key (IGTK) in the group key handshake
Wi-Fi Client Access: Digi Transport® WR41, WR44, WR44R, WR44RR and LR54W routers, Digi XBee® Gateway Wi-Fi, Digi Wireless Vehicle Bus Adapter (WVA), Digi Connect WS, Digi Embedded Linux, Digi Embedded Yocto, Digi Embedded Android, NET+OS, Digi ConnectPort® X2e Wi-Fi, Connect Wi-ME, Connect Wi-SP,and Dynamic C libraries and products.
Wi-Fi Access Point (AP) Mode: At this time, no known products are impacted in AP mode.
Note: Information is based on current available information and tests provided by the Wi-Fi Alliance.
Firmware Patching Status
For a complete list of available patches, release versions and dates, go to: https://www.digi.com/krack-patch-status.
The KRACK, or Key Re-installation Attacks, were discovered by Mathy Vanoef of imec-DistriNet. It was found during review of the Wi-Fi WPA2 4-way handshake code. In review, the author theorized an attack and validated assumptions. Upon confirmation, a demonstration attack was generated to prove the weakness. For completeness on the attack, see the link below at www.krackattacks.com. Although a demonstration of the attack was given and special testing tools are available to Wi-Fi Alliance vendors, at this time there are no known exploit toolsets out in the wild. It is noted that this attack affects both pairwise and group wise transient keys that are negotiated. Since this attack is not based on an implementation, but on the standard itself, virtually all Wi-Fi Clients and Access Points that support the impacted modes are impacted by this vulnerability.
CVE-2017-13077, CVE-2017-13078, CVE-2017-13079, CVE-2017-13080, CVE-2017-13081
Reinstallation of the pairwise/group/integrity key (GTK) in the group key or 4-way handshake
Digi Customer Rating – Medium - CVSS v2 Vector - (AV:A/AC:M/Au:N/C:C/I:P/A:N) - Overall CVSS 6.4
The KRACK vulnerabilities allow an attacker to re-play the unencrypted message “3” of the 4-way handshake. When this occurs, a client will “re-install” the encryption key into the Wi-Fi driver. This key is only a temporary key that is negotiated between the client and AP. Although this does not impact the client/AP communication directly, one unintended consequence is that the nonce that is used to encrypt the data is reset back to “0.” A nonce should never be used more than once. If a nonce is used more than once, it can impact the security of encrypted data provided the same encryption key is being re-used. With this nonce replay weakness, it is possible that packets can be replayed, decrypted and or forged.
Among the ten vulnerabilities, only one (CVE-2017-13082) may affect components of the wireless infrastructure (for example, Access Points). The other nine vulnerabilities affect only client devices. At this time, we do not know of any AP modes that are impacted.
Overall Summary of Vulnerabilities
These vulnerabilities allow an attacker to replay, decrypt or forge data between a Wi-Fi Client and AP. This only affects the transport layer, as other protocols could protect the communication from this type of tampering like TLS 1.2. If unencrypted network level communications are being used, this type of network traffic could be compromised. Note, the KRACK WPA2 attacks do not impact the Wi-Fi AP pre-shared joining key.
Attack Vectors - Evaluation of risk
KRACK is especially relevant for enterprise networks. It applies to a pre-shared key (PSK) and enterprise Wi-Fi clients who need to provide a full username and password and accept a corporate certificate to join. The attack is not in the PSK or enterprise joining processes, but in the negotiation of the WPA2 encryption process.
This vulnerability does not give up a "pre-shared key" for joining a secure Wi-Fi WPA2 network. This attack works with the joining protocol of a client that already has access. A rogue attacker can see this information and guess the "temporary session," also known as the Pairwise Transient Key (PTK) that is used. When this happens, the attacker can decrypt the WPA2 encrypted traffic, and in some cases inject traffic into the network. This means that a man in the middle (MitM) attack against the client could occur.
These attacks require local Wi-Fi sniffing access. An attacker who is not within the Wi-Fi broadcast areas cannot exploit KRACK.
Below are suggested tasks that could be taken to mitigate or stop any attacks that a Digi customer could perform without a firmware upgrade to either the Access Point or the Wi-Fi Client. It is noted that both need to be patched to provide full protection.
For impacted devices acting as a Wi-Fi Client:
Review to see if the Wi-Fi Client feature is needed. At this time, there is no user level mitigation to prevent this from being attacked.
The client side attack only affects the Transport/Link Layer encryption of Wi-Fi. If TLS/SSL encrypted tunnels with X.509 certificate authentication (this is your standard web https) are used, then your data is protected by a second layer of security.
Configure a VPN so that all endpoint data goes through a VPN connection on the Wi-Fi network
With security being a critical part of many products in the Internet of Things, Digi is committed to making sure that our products are safe and usable within critical infrastructures and other business areas. With vulnerabilities and risks part of our daily routine, Digi takes a risk-based approach to fixing vulnerabilities where they are needed most, and at the most critical times. Although we try to understand every customer and the use of our products, we understand that each customer needs to go through their own risk analysis, as well, with our products. If you believe that the analysis above is missing information, or there is a significant difference in your evaluation of risk; contact Digi Technical Support by emailing email@example.com.