Defeating your Network Security by plugging in your intercom
[Image: AI-generated by DALL-E, two robots securely communicating]


As the IoT landscape continues to grow, providing valuable, scalable, centralized management and business intelligence, we're seeing that the lack of device controls is leading to an unprecedented increase in cyber incidents originating from operational technology and industrial devices not traditionally managed by IT.

Are you ready for a riveting conversation about 802.1X? Well, I for one am all over this. Having problems implementing 802.1X? Have you purchased hardware that claims to be 802.1X capable, only to find out it is not? Or that it supports a different 802.1X revision or EAP method than your network requires? I'm pretty sure I'm not the only one frustrated.

What are secure certificates and why should we even care? I asked ChatGPT about this and it had a lot to say on the topic; you can read its answer below if you have the time. Here's a summary:

TL;DR: 802.1X is good for security and bad for attackers. What problem does it solve? It prevents an attacker from unplugging your device and plugging into the network through the same switch port: the port stays closed until the device authenticates to the switch, typically with a certificate that a RADIUS server checks. The caveat is that 802.1X only protects you if the device actually does it; the usual fallback for devices that can't, MAC authentication bypass (MAB), is defeated by cloning the device's MAC address.

802.1X with certificates is good for us but very difficult to implement and maintain on IoT devices connected via Ethernet. We attempted to work with several physical security hardware manufacturers to enable 802.1X and identified a lot of challenges in our industry. Some companies advertise 802.1X as a feature, but their implementations don't actually work. Several iterations of their firmware during our discussions make me wonder whether I'm the first one attempting to implement it for their product; I doubt 802.1X worked at any of their other customer sites. I'm not going to call anyone out in this article for now, even though some of you think I should.

So what's feeding into this lack of logically secure physical security devices? Why are manufacturers saying they support it when in fact they don't?

Rob Kay, Senior Manager, Technical Security, Engineering and Reliability at Rivian, weighs in on this topic:

802.1X became an IEEE standard in 2001. Despite undergoing revisions since then, we have had over 20 years to perfect its implementation. However, it is regrettably unsurprising that we continue to face challenges with it even today. I believe both end users and product installers must shoulder responsibility for the risks they introduce to the network. Consider this: if a breach occurs on your network through a port connected to a security-owned device such as a camera or intercom, who bears the ownership of that risk? Is it the IT/network team, the security manager, the installation company, or the engineer who approved it?
As long as we regard this issue as "someone else's problem," we will never attain the unified front necessary to progress toward the secure environment we owe it to ourselves and our employers to establish. This transformation must begin with security by design. We have moved beyond a reality where interoperability reigns supreme. We need to stop shipping devices in modes that make them easiest to connect to and hoping technicians or engineers enable security features. Hardware should ship with those features enabled by default, forcing a conscious choice to disable them. This requires investment in training and education for all of us to understand the impact of our decisions.

There's a lack of education on IoT device security and logical security in the physical security space:

  1. Lack of security awareness
  2. Physical security practitioners are more worried about functionality than about the security of the products they deploy
  3. Device manufacturers are likewise more worried about functionality than about the security of the products they sell, because that's how their customers think

What is the prescribed solution?

  1. If you're a security professional, continue to stay informed on the logical security side of IoT devices. Begin demanding that devices be both functional AND secure. Work with industry groups (like SIA) and participate in user groups and committees dedicated to improving security.
  2. If you're a device manufacturer, remember you're making a security device: do not make it logically insecure, and make sure logical security features are functional and not just part of the advertising, because you will be called out eventually. Get some bench strength in logical security, and make third-party penetration testing part of your process to increase your product's security credibility.
  3. If you're an integrator, do your due diligence before selling something to a customer. Test what you're selling in a lab and add value to the device selection process. Inform end users of any logical security flaws a product is known for.

(Everything up to this point was written without the assistance of AI)

For those interested in what Chat GPT had to say about 802.1x, see below:

My question to ChatGPT:

Me: "What are 802.1X secure certificates all about?"

AI Disclaimer: Chat GPT was used in the generation of the below content

802.1X is a network access control protocol that provides an authentication framework for securing network connections. It is commonly used in Wi-Fi networks and Ethernet connections to ensure that only authorized devices and users can access the network. Secure certificates are a crucial component of the 802.1X authentication process.

Here's a breakdown of the key concepts:

  1. 802.1X Protocol: 802.1X is a protocol used to control access to network resources by authenticating devices before allowing them to connect to the network. It operates at the Data Link Layer (Layer 2) of the OSI model and is often used in conjunction with the Extensible Authentication Protocol (EAP) for authentication.
  2. Authentication Process: When a device attempts to connect to a network using 802.1X, the following authentication process occurs:

  • The device sends an initial connection request to the network access point (such as a Wi-Fi access point or switch).
  • The network access point responds with an EAP Request Identity message, prompting the device to provide its identity.
  • The device sends its identity (usually in the form of a username) back to the access point.
  • The access point forwards this identity to an authentication server.
  • The authentication server generates a challenge and sends an EAP message to the device.
  • The device responds to the challenge, proving its identity through various methods (password, certificate, etc.).
  • The authentication server validates the device's credentials and responds to the access point, granting or denying access.

  3. Secure Certificates: In the context of 802.1X, secure certificates are used to provide mutual authentication between the client device and the authentication server. These certificates are digital documents that confirm the identity of the device or server and are issued by a trusted Certificate Authority (CA). They are used to encrypt and sign authentication messages exchanged during the 802.1X process.

  • Client Certificate: The device attempting to connect (client) usually presents its certificate to the authentication server during the authentication process. This certificate proves the client's identity to the server.
  • Server Certificate: The authentication server also presents its certificate to the client. This certificate confirms the server's identity to the client and helps prevent man-in-the-middle attacks.

Using secure certificates enhances the security of the authentication process by preventing unauthorized devices from gaining access to the network and ensuring that the authentication server is legitimate.

In summary, 802.1X with secure certificates helps maintain network security by enforcing strict authentication before allowing devices to connect. This is particularly important in environments where unauthorized access can have serious consequences, such as corporate networks, educational institutions, and government agencies.

Me: "Is 802.1X still relevant today for security? Are there other options?"

ChatGPT:

Yes, 802.1X is still very relevant today for network security. It remains one of the most effective methods for securing network access and ensuring that only authorized devices and users can connect to a network. Here are a few reasons why 802.1X is still widely used:

  1. Strong Authentication: 802.1X provides strong mutual authentication between client devices and the authentication server, using methods like secure certificates. This helps prevent unauthorized devices from gaining access to the network.
  2. Encryption: The authentication process is often carried out within an encrypted tunnel, adding an extra layer of security. This prevents eavesdropping on authentication messages and helps protect sensitive information.
  3. Granular Access Control: 802.1X allows for granular access control. Network administrators can define different access policies for different users or devices, ensuring that only authorized users get appropriate access privileges.
  4. Guest Network Management: With 802.1X, it's possible to create separate guest networks with limited access while keeping the main network secure. This is commonly used in environments like hotels, cafes, and corporate guest networks.
  5. Compliance and Regulations: Many industries and organizations are subject to regulations that mandate secure network access. 802.1X helps fulfill these requirements and maintain compliance.
  6. Flexibility: 802.1X can work with various authentication methods, such as username and password, secure certificates, and even more advanced methods like multi-factor authentication (MFA).

While 802.1X remains a strong and widely used option for network security, there are also alternative methods and technologies that can complement or provide additional layers of security:

  1. Network Segmentation: Beyond 802.1X, network segmentation involves dividing a network into smaller segments to contain potential threats and limit lateral movement for attackers.
  2. Network Access Control (NAC) Systems: NAC systems go beyond 802.1X to provide comprehensive control over network access, including device health checks, compliance checks, and the ability to quarantine non-compliant devices.
  3. Software-Defined Perimeters (SDP): SDP solutions create isolated network connections between users and resources, reducing the attack surface by making resources "invisible" to unauthorized users.
  4. Zero Trust Architecture: This security approach assumes that no one, whether inside or outside the network, should be trusted by default. It enforces strict identity verification and least privilege access.
  5. Multi-Factor Authentication (MFA): Adding an extra layer of authentication beyond the traditional username and password can significantly enhance security.

In summary, while there are alternative security measures available, 802.1X remains a cornerstone of network security, especially for controlling access to wired and wireless networks. Organizations often combine 802.1X with other security technologies to create a comprehensive defense strategy against various types of threats.
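The exchange ChatGPT describes above (EAPOL-Start, Request/Identity, Response/Identity, a method challenge, then Success or Failure) is also the quickest way to test a vendor's 802.1X claim from the first half of this article: mirror the switch port, capture the EAPOL frames, and look at what the device actually answers. The following is an added example, not code from the article, from ChatGPT, or from any vendor. It decodes EAPOL/EAP frames and gives a per-capture verdict. The frames, the MAC addresses and the identity "intercom-lobby-01" are constructed for the example; the EtherType 0x888E, the EAPOL packet types and the EAP method numbers (Identity 1, Nak 3, MD5-Challenge 4, TLS 13, TTLS 21, PEAP 25) are the real IEEE/IANA values.

```python
"""Decode 802.1X EAPOL/EAP frames from a wired capture and say what the device did.
Added example, not code from the article; the captures below are constructed to mimic
a port mirror of a hypothetical intercom, with made-up MAC addresses and identities."""
import struct

PAE_GROUP_MAC = bytes.fromhex("0180c2000003")   # 802.1X PAE group address
ETHERTYPE_EAPOL = 0x888E
EAPOL_TYPES = {0: "EAP-Packet", 1: "EAPOL-Start", 2: "EAPOL-Logoff", 3: "EAPOL-Key"}
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_METHODS = {1: "Identity", 2: "Notification", 3: "Nak", 4: "MD5-Challenge",
               13: "TLS", 21: "TTLS", 25: "PEAP", 26: "MSCHAPv2"}
CERT_METHODS = {"TLS", "TTLS", "PEAP"}   # methods in which the server presents a certificate


def parse_eapol(frame: bytes) -> dict:
    """Parse one Ethernet frame carrying EAPOL (IEEE 802.1X) into a dict."""
    if len(frame) < 18:
        raise ValueError("frame too short for Ethernet + EAPOL header")
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != ETHERTYPE_EAPOL:
        raise ValueError(f"not EAPOL: ethertype 0x{ethertype:04x}")
    version, ptype, length = struct.unpack("!BBH", frame[14:18])
    body = frame[18:18 + length]
    if len(body) != length:
        raise ValueError("truncated EAPOL body")
    info = {"src": frame[6:12].hex(":"), "eapol_version": version,
            "eapol_type": EAPOL_TYPES.get(ptype, f"unknown({ptype})")}
    if ptype != 0:                       # Start/Logoff/Key carry no EAP packet
        return info
    if len(body) < 4:
        raise ValueError("EAP header truncated")
    code, ident, eap_len = struct.unpack("!BBH", body[:4])
    if eap_len < 4 or eap_len > len(body):
        raise ValueError("bad EAP length")
    info.update(eap_code=EAP_CODES.get(code, f"unknown({code})"), eap_id=ident)
    if code in (1, 2) and eap_len >= 5:  # Request/Response carry a method type byte
        method, data = body[4], body[5:eap_len]
        info["eap_method"] = EAP_METHODS.get(method, f"unknown({method})")
        if method == 1:                  # Identity: the NAI/username as text
            info["identity"] = data.decode("utf-8", "replace")
        elif method == 3:                # Nak: the method types the peer wants instead
            info["nak_wants"] = [EAP_METHODS.get(m, f"unknown({m})") for m in data]
    return info


def device_verdict(frames) -> dict:
    """Summarise the supplicant side: did the device answer, which method did it accept
    or refuse, and how did the exchange end?"""
    v = {"identity": None, "accepted": [], "refused": [], "result": "no result"}
    pending, device_spoke = {}, False    # pending: EAP identifier -> method the switch offered
    for info in map(parse_eapol, frames):
        code = info.get("eap_code")
        if info["eapol_type"] == "EAPOL-Start" or code == "Response":
            device_spoke = True
        if code == "Request":
            pending[info["eap_id"]] = info.get("eap_method")
        elif code == "Response":
            method = info["eap_method"]
            if method == "Identity":
                v["identity"] = info["identity"]
            elif method == "Nak":        # the device refused the method the switch offered
                v["refused"].append(pending.get(info["eap_id"], "unknown"))
            else:
                v["accepted"].append(method)
        elif code in ("Success", "Failure"):
            v["result"] = code
    if not device_spoke:
        v["verdict"] = "no supplicant: the device never sent EAPOL, so it cannot do 802.1X as shipped"
    elif CERT_METHODS & set(v["accepted"]):
        v["verdict"] = "certificate-based: the device completed a method that authenticates the server"
    elif v["accepted"]:
        v["verdict"] = "weak method: %s authenticates the device only; the server is never verified" % ", ".join(v["accepted"])
    else:
        v["verdict"] = "identity only: the device answered Identity but completed no method"
    return v


# --- constructed sample captures (not real traffic) ----------------------------
def _eap(code, ident, method=None, data=b""):
    body = b"" if method is None else bytes([method]) + data
    return struct.pack("!BBH", code, ident, 4 + len(body)) + body

def _eapol(src, dst, ptype, payload=b""):
    return dst + src + struct.pack("!HBBH", ETHERTYPE_EAPOL, 2, ptype, len(payload)) + payload

INTERCOM = bytes.fromhex("001122334455")    # made-up device MAC
SWITCH = bytes.fromhex("00aabbccddee")      # made-up authenticator MAC
# An intercom that "supports 802.1X" but refuses EAP-TLS and falls back to EAP-MD5.
CAPTURE_MD5_ONLY = [
    _eapol(INTERCOM, PAE_GROUP_MAC, 1),                                    # EAPOL-Start
    _eapol(SWITCH, INTERCOM, 0, _eap(1, 1, 1)),                             # Request/Identity
    _eapol(INTERCOM, SWITCH, 0, _eap(2, 1, 1, b"intercom-lobby-01")),       # Response/Identity
    _eapol(SWITCH, INTERCOM, 0, _eap(1, 2, 13, b"\x20")),                   # Request/EAP-TLS (Start flag)
    _eapol(INTERCOM, SWITCH, 0, _eap(2, 2, 3, b"\x04")),                    # Response/Nak: MD5 only
    _eapol(SWITCH, INTERCOM, 0, _eap(1, 3, 4, b"\x10" + bytes(16) + b"nas")),  # Request/MD5-Challenge
    _eapol(INTERCOM, SWITCH, 0, _eap(2, 3, 4, b"\x10" + bytes(16))),        # Response/MD5 (dummy digest)
    _eapol(SWITCH, INTERCOM, 0, _eap(3, 3)),                                # EAP-Success
]
# A device with no supplicant at all: the switch asks twice, nobody answers.
CAPTURE_SILENT = [_eapol(SWITCH, PAE_GROUP_MAC, 0, _eap(1, i, 1)) for i in (1, 2)]

if __name__ == "__main__":
    for name, cap in (("md5-only intercom", CAPTURE_MD5_ONLY), ("silent device", CAPTURE_SILENT)):
        print(name, "->", device_verdict(cap)["verdict"])
```

Run it as-is to see the verdicts for the two constructed captures. On a real port mirror, feed it the raw Ethernet frames with EtherType 0x888E (read from a pcap with whatever library you prefer). The first capture is the failure mode worth looking for: a device that sends a Nak to EAP-TLS and falls back to EAP-MD5 still gets an EAP-Success and lands on the network, but it never authenticates the RADIUS server, so none of the certificate guarantees described above apply even though the datasheet says "802.1X supported". The second capture is the device that never sends EAPOL at all, which in practice ends up on a MAB exception list.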

Hit this spot on, Philip Jang - like you say, securing the identities of our sprawling edge complex is, your words - riveting (and scary; and timely as well?)

Edward Eriksson

Senior Manager, Cybersecurity, Resiliency & Business Operations | Cloud, Zero Trust, Staff Development | CISSP, CISM, CCSP, MBA, PMP, CSM

12 months

Thx for sharing this Phil. I appreciate you delineating ChatGPT vs. you
