WPA/WPA2 Vulnerability (KRACK) & Axon Products

Security Advisory Release Date: November 1st, 2017
Vulnerability Identifier: AXON-1701

Summary

In recent weeks a third-party security research team in Belgium has discovered weaknesses in the WPA2 wireless protocol that is used to secure WiFi networks. Successful exploitation of these weaknesses could give an attacker the ability to decrypt traffic that was protected by WPA2 encryption, as well as the ability to inject or manipulate data within that traffic. Additional information on these “KRACK attacks” can be found here: https://www.krackattacks.com

Many of Axon's connected devices and products either use WiFi technologies directly or indirectly leverage WiFi implementations from underlying host systems. Axon has determined that only Axon Fleet Cameras and the in-car routers used in Axon Fleet deployments may be directly vulnerable to KRACK attacks. Axon is in the process of applying patches to Axon Fleet Cameras and has highlighted below the next steps agencies should take to patch in-car WiFi routers, as well as other devices an agency may use in support of Axon product deployments.

Axon is committed to providing the most trusted and secure platform for our customers and we will continue our rigorous product assessment and vulnerability discovery practices. You can read more about what we have implemented to protect the Axon platform and customer evidence data on our Security pages.

See the timeline below for Axon updates, and take the manual steps listed to review your network's WiFi infrastructure and patch the appropriate products.

Timeline and supporting documentation

  • Axon-supported Cradlepoint router patches are currently available. Customers should patch their router per the Cradlepoint instructions here: http://knowledgebase.cradlepoint.com/articles/Support/WPA-and-WPA2-Vulnerabilities-KRACK
  • Axon Fleet Camera updates are scheduled to be deployed by November 30, 2017. This update will be applied silently and will NOT affect any buffering, recording or evidence gathering.
  • Axon Body Camera 2 and Axon Flex 2 updates are scheduled to be deployed in Q1 2018 as an improved mitigation against further attacks. These updates will be applied normally.

Scope & Mitigation

The vulnerability does not affect the security of Evidence.com or the evidence data residing within it. In addition to the per-product analysis below, Axon recommends as best practice that all devices providing Wi-Fi technologies be patched as soon as patches are made available by their manufacturers.

The scope of this weakness is limited to products which utilize WiFi directly or indirectly. Specifically, the directly impacted Axon products are Axon Fleet Cameras and Routers; the indirectly impacted products are Axon View, Axon Capture, Axon Body Camera 2 and Axon Flex 2. For the directly impacted products, the router patch allows your networks to remain protected from outside intrusion, and the camera patch provides protection if your network security is compromised. For the indirectly impacted products, Axon will be releasing updated firmware in Q1 2018 that further improves the security of the device to mitigate impacts to the network or device.

The mitigation is to patch your WiFi routers as soon as patches are made available by their manufacturers. Please consult your WiFi router manufacturer's support page for further information.

Further details and a breakdown of Axon product exposure are outlined below:

Axon Product: Axon Fleet Camera
  Impacted? Yes
  Description: Axon Fleet Cameras are vulnerable when communicating with View XL.
  Customer Instruction: Axon Fleet Camera patches are scheduled to be deployed on November 30, 2017 and will be applied without customer interaction.

Axon Product: Axon View XL
  Impacted? Not Directly
  Description: Axon View leverages Wi-Fi technologies from the MDT/MDC. Those should be patched per manufacturer instructions.
  Customer Instruction: Ensure patching of the Windows Operating System on the MDT/MDC - Microsoft Security Advisory

Axon Product: Axon Router (Cradlepoint IBR900 Series Router - non-FIPS version)
  Impacted? Yes
  Description: The Axon Router is not vulnerable when operating the in-car network. The Axon Router is not vulnerable when facilitating video offload from Axon Fleet to Evidence.com over LTE or in Dock and Walk deployments. The Axon Router is vulnerable when video is offloading to Evidence.com using Wi-Fi over WAN or to the Axon Wireless Offload Server.
  Customer Instruction: Apply the patch when it becomes available - Cradlepoint Knowledgebase Support

Axon Product: Non-Axon In-Car Router
  Impacted? Potentially
  Description: Impact to in-car routers may vary between manufacturers and models. However, in-car routers are not vulnerable when facilitating video offload from Axon Fleet to Evidence.com over LTE or in Dock and Walk deployments. In-car routers are vulnerable when video is offloading to Evidence.com using Wi-Fi over WAN or to the Axon Wireless Offload Server.
  Customer Instruction: Contact your in-car router provider for instructions. See below for common in-car routers used for Fleet deployments.

Axon Product: Wireless Offload Server
  Impacted? No
  Description: The Axon Wireless Offload Server does not directly leverage Wi-Fi technologies.
  Customer Instruction: No specific action needed. Any Wi-Fi technologies used to support Wireless Offload Server connectivity should be patched as patches are made available by the manufacturer.

Axon Product: Axon Body 2
  Impacted? No
  Description: Axon Body 2 leverages Wi-Fi for Axon View use cases; however, Axon has determined that the implementation and usage of Wi-Fi technologies by Body 2 is not vulnerable to KRACK attacks.
  Customer Instruction: No specific action needed at this time.

Axon Product: Axon Flex 2
  Impacted? No
  Description: Axon Flex 2 leverages Wi-Fi for Axon View use cases; however, Axon has determined that the implementation and usage of Wi-Fi technologies by Flex 2 is not vulnerable to KRACK attacks.
  Customer Instruction: No specific action needed at this time.

Axon Product: Axon Body
  Impacted? No
  Description: Axon Body does not leverage Wi-Fi technologies.
  Customer Instruction: No specific action needed.

Axon Product: Axon Flex
  Impacted? No
  Description: Axon Flex does not leverage Wi-Fi technologies.
  Customer Instruction: No specific action needed.

Axon Product: Axon View
  Impacted? Not Directly
  Description: Axon View leverages Wi-Fi technologies in the underlying mobile operating system to connect with Axon cameras.
  Customer Instruction: Ensure patching of iOS and Android devices.

Axon Product: Axon Capture
  Impacted? Not Directly
  Description: Axon Capture leverages Wi-Fi technologies in the underlying mobile operating system to provide internet connectivity between Axon Capture and Evidence.com.
  Customer Instruction: Ensure patching of iOS and Android devices.

Axon Product: Axon Interview
  Impacted? No
  Description: Axon Interview does not directly leverage Wi-Fi technologies.
  Customer Instruction: No specific action needed.

Axon Product: Axon Commander
  Impacted? No
  Description: Axon Commander does not directly leverage Wi-Fi technologies.
  Customer Instruction: No specific action needed.

Axon Product: Axon Dock
  Impacted? No
  Description: Axon Dock does not leverage Wi-Fi technologies.
  Customer Instruction: No specific action needed.

Axon Product: Axon Evidence.com
  Impacted? No
  Description: Axon Evidence.com does not directly leverage Wi-Fi technologies.
  Customer Instruction: No specific action needed.

Applicable CVEs (Common Vulnerabilities and Exposures)

  • CVE-2017-13077: Reinstallation of the pairwise encryption key (PTK-TK) in the 4-way handshake.
  • CVE-2017-13078: Reinstallation of the group key (GTK) in the 4-way handshake.
  • CVE-2017-13079: Reinstallation of the integrity group key (IGTK) in the 4-way handshake.
  • CVE-2017-13080: Reinstallation of the group key (GTK) in the group key handshake.
  • CVE-2017-13081: Reinstallation of the integrity group key (IGTK) in the group key handshake.
  • CVE-2017-13082: Accepting a retransmitted Fast BSS Transition (FT) Reassociation Request and reinstalling the pairwise encryption key (PTK-TK) while processing it.
  • CVE-2017-13084: Reinstallation of the STK key in the PeerKey handshake.
  • CVE-2017-13086: Reinstallation of the Tunneled Direct-Link Setup (TDLS) PeerKey (TPK) key in the TDLS handshake.
  • CVE-2017-13087: Reinstallation of the group key (GTK) when processing a Wireless Network Management (WNM) Sleep Mode Response frame.
  • CVE-2017-13088: Reinstallation of the integrity group key (IGTK) when processing a Wireless Network Management (WNM) Sleep Mode Response frame.
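The defect class shared by these CVEs is that a retransmitted handshake message causes an already-installed key to be installed again, which resets the per-key packet number used as the encryption nonce. The toy model below is an added illustration, not code from the Axon advisory or from any WiFi stack; it simplifies the supplicant side of the 4-way handshake (CVE-2017-13077) to a key, an installed flag and a packet counter, and shows the vulnerable handling next to the hardened handling that refuses to reinstall a key it has already installed.

```python
# Added example (not from the Axon advisory): a simplified supplicant-side
# model of WPA2 4-way handshake key installation. The key, frames and
# counters are constructed stand-ins, not real 802.11i structures.
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Supplicant:
    """Client state: the installed pairwise key and the packet number used as nonce."""
    hardened: bool                      # True = patched behaviour
    ptk: Optional[bytes] = None
    installed: bool = False
    packet_number: int = 0
    nonces_used: list = field(default_factory=list)

    def receive_msg3(self, ptk: bytes) -> None:
        """Handle message 3 of the handshake, which may be a retransmission."""
        if self.hardened and self.installed and ptk == self.ptk:
            # Patched behaviour: a retransmitted message 3 carrying a key that
            # is already installed must not reinstall it, so the packet number
            # keeps counting and no nonce is ever repeated under this key.
            return
        # Vulnerable behaviour: (re)install the key and reset the packet number.
        self.ptk = ptk
        self.installed = True
        self.packet_number = 0

    def send_frame(self) -> int:
        """Send one data frame; returns the packet number used as the nonce."""
        if not self.installed:
            raise RuntimeError("no pairwise key installed")
        self.packet_number += 1
        self.nonces_used.append(self.packet_number)
        return self.packet_number


def nonce_reused(hardened: bool) -> bool:
    """Run the handshake with a retransmitted message 3; True if a nonce repeats."""
    ptk = b"constructed-sample-ptk"   # constructed sample key
    s = Supplicant(hardened)
    s.receive_msg3(ptk)              # first message 3: key installed
    s.send_frame()                   # nonce 1
    s.send_frame()                   # nonce 2
    s.receive_msg3(ptk)              # retransmitted message 3
    s.send_frame()                   # hardened: nonce 3; vulnerable: nonce 1 again
    return len(s.nonces_used) != len(set(s.nonces_used))
```

Nonce reuse under the same key is what turns a retransmitted handshake frame into the decryption and injection capability described in the Summary, which is why the patched behaviour tracks whether a key has already been installed.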

Suggested Manual Actions

Axon recommends as best practice that any Wi-Fi technologies used to support Axon product connectivity should be patched as soon as patches are made available by manufacturers.

1) Patch Mobile Devices and Operating Systems

Patch updates for KRACK issues are being released for all types of mobile devices; we encourage everyone to ensure their devices are updated. A good list of specific devices and information about patches is available here:
https://www.bleepingcomputer.com/news/security/list-of-firmware-and-driver-updates-for-krack-wpa2-vulnerability/

2) Patch In-Car Routers

NOTE: This is not an exhaustive list of in-car routers. Please coordinate with your system administrators to ensure appropriate patching of in-car routers.

Manufacturer     | Model               | Website                               | Manufacturer Suggested Action
Calamp           | Fusion              | Calamp Fusion Router                  | (not listed)
Cradlepoint      | IBR1100             | Cradlepoint IBR1100 Router            | Cradlepoint Knowledgebase - WPA and WPA2 KRACK Vulnerabilities
Cradlepoint      | IBR900              | Cradlepoint IBR900 Router             | Cradlepoint Knowledgebase - WPA and WPA2 KRACK Vulnerabilities
Digi             | Transport WR44      | Digi Transport WR44 Router            | (not listed)
Pepwave          | DCS-RUG             | Pepwave DCS RUG Router                | Pepwave KRACK Firmware Fix
Pepwave          | Surf on the Go      | Pepwave Surf on the Go                | Pepwave KRACK Firmware Fix
Sierra Wireless  | Airlink MP70        | Sierra Wireless Airlink MP70 Router   | (not listed)
Sierra Wireless  | Airlink MG90        | Sierra Wireless Airlink MG90 Router   | (not listed)
Sierra Wireless  | InMotion OMG Series | Sierra Wireless InMotion OMG Series   | (not listed)

If you have any further questions, please contact us.

Axon Customer Support