KRACK vulnerability targeting healthcare devices
Target: Healthcare devices
Attack Vector: Key reinstallation vulnerabilities that targeted the WPA and WPA2 protocol
Summary: Researchers have discovered numerous devices from the medical technology company Becton, Dickinson and Company (BD) that are exposed to the infamous KRACK key reinstallation attacks, which exposes a weakness in the WPA2 protocol that secures all modern Wi-Fi networks.
The KRACK vulnerability was first discovered in October 2017 and detailed a number of related key reinstallation vulnerabilities that targeted the WPA and WPA2 protocol for securing Wi-Fi networks. The Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) has issued a technical advisory notice (ICSMA-18-114-01), which details the affected products and to date nine individual CVE’s for each vulnerability
Risk assessment summary: This threat has been assessed as 3c MODERATE. Ordinarily, the potential for this kind of attack being successful is unlikely, but in this case is considered to be possible due to the number of vulnerabilities discovered in the volume of products from BD and the fact that the vulnerability is within the WPA – WPA2 protocol, which means that the potential for this to be exposed is heightened. However, the number of actors who could potentially look to exploit this weakness and proximity of the attacker needing to be within radio signaling distance makes this type of attack a targeted or specialised attack. This, coupled with the fact no in the wild attacks of KRACK have been observed to date, further reduces the likelihood.
Successful exploitation of the vulnerability could allow a man in the middle attack to be launched allowing data to be intercepted as well as modified by the actor. If successful the impact could significantly affect brand image and confidence.