KRACK Attack Additional Information

Zebra Lifeguard Android security program logo

 

KRACK vulnerability addressed by November LifeGuard updates.

What is KRACK Attack?

KRACK (Key Reinstallation Attacks) is a security vulnerability that affects the standard implementations of WPA and WPA2 Wi-Fi protocols. Zebra products for both Android and Microsoft are impacted. 

These vulnerabilities could enable a proximate attacker (within Wi-Fi range of both the client device and the access point) to access and tamper with Wi-Fi packets over connections that are protected by WPA/WPA2 encryption. However, the attacker could not read or tamper with packets that are protected by a higher layer protocol such as SSL/TLS (i.e. https). Multiple conditions would need to be met in order for an attacker to exploit the vulnerability – the attacker would need to be within the physical proximity of the targeted user, and the user's device would need to have wireless networking enabled. The attacker would then need to execute a man-in-the-middle (MitM) attack to intercept traffic between the target computer and wireless access point. While the attacker can decrypt client-to-AP traffic, the attacker cannot inject arbitrary traffic into a WPA2-AES session and cannot get any authentication tokens or keys. There have been no reports of active user exploitation or abuse of this issue.

What products are impacted?

KRACK may affect computers, mobile phones, and other IoT devices running both Android and Windows operating systems. If your device supports Wi-Fi, it is most likely affected.

What does Zebra recommend I do?

Zebra takes security seriously and recommends that customers update to the latest release and accept the latest updates to minimize security risk.

Download and install the latest update for the device. Device specific updates can be located on the KRACK Attack Security Vulnerability page. If your device is not listed on that page, contact Technical Support. 

I'm not able to install the update immediately. What steps can I take?

Non-Patch Remediation

  1. Disabling 802.11r can help mitigate the attack by eliminating one source of vulnerability (Fast BSS Transitions, otherwise known as 802.11r roaming). 
  2. Enable Rogue Access Point Detection to mitigate the risks caused by the MitM attack. MitM attack is required prior because the 4th EAPOL message (part of the handshake) must be intercepted/prevented in order to allow retries of handshake message 3. This means that the attacker must spoof the MAC of the access point.
Why am I being asked to login to Zebra.com to download the update?

For mobile computers and scanners, updates are available to registered Zebra.com users with a valid warranty or service contract. 

For printers, firmware updates are available to registered Zebra.com users.

My mobile computer or scanner is not covered by a valid warranty or service contract. What steps can I take?
  1. See Non-Patch Remediation above.
  2. Contact Technical Support for details about purchasing a short-term contract.

 

I am logged into zebra.com. Why am I not able to download the update for the KRACK security vulnerability?

For mobile computers and scanners, the device must have a valid warranty or service contract. If you do not have a valid warranty or service contract, the update cannot be downloaded. Refer to question above for additional options.

If you have a valid warranty or service contract and the download fails, contact Zebra’s Technical Support Help Desk.

For printer firmware download failures, contact Zebra’s Technical Support Help Desk.

Disclaimer: Zebra makes every attempt to release security updates on or about the time that Google releases its respective security bulletin. However, delivery time of security updates may vary depending on the region, product model, and third party software suppliers. Under some circumstances, the OS must be updated to the latest maintenance release prior to installing the security updates. Individual product updates will provide specific guidance.

Unless otherwise noted, there have been no reports of active customer exploitation or abuse from these newly reported issues.



Are you aware of a potential security issue with a Zebra Technologies product?