We recently received notification that our paper titled "Ethernet Device Authentication via Physical Layer Fingerprinting" was accepted for publication at IEEE SoutheastCon 2023. This paper encompasses a small portion of the work that we completed as part of our Department of Energy Phase I SBIR project titled "Physical layer Authentication of Wired Networks (PAWN)" which was completed in June of 2020. We have included a pre-print of the work at the link below and will be presenting at the virtual IEEE SoutheastCon event in early April.
Over the last two years, we have continued our research into physical layer device authentication beyond what is presented in this paper and hope to publish additional findings in the near future. More recently, we have been focused on the development of our IdentiPHY:Wired prototype system and the corresponding software platform. There is additional content available on the News site.
What about RMF?
If you pay much attention to cybersecurity, especially in the government sector, then you are probably familiar with the National Institute of Standards and Technology (NIST) and their Risk Management Framework (RMF). From the RMF website, "The Risk Management Framework provides a process that integrates security, privacy, and cyber supply chain risk management activities into the system development life cycle." A major portion of RMF is the selection of relevant controls to protect information systems based on risk assessments. These controls are detailed in the NIST Security and Privacy Controls for Information Systems and Organizations (SP 800-53) document which is currently in revision 5. This document lists an array of controls that can be "implemented within any organization or system that processes, stores, or transmits information." They satisfy system-level requirements that must be implemented, in some fashion, to meet security and privacy objectives of the organization.
NIST 800-53 controls are broken up into 20 high-level categories or groups, e.g. Access Control (AC), Media Protection (MP), or Identification and Authentication (IA). The third subsection of the IA category (IA-3) is called Device Identification and Authentication. This subsection is quoted in some detail below...
Control: “Uniquely identify and authenticate [Assignment: organization-defined devices and/or types of devices] before establishing a [Selection (one or more): local; remote; network] connection.”
Enhancement: “(a) Where addresses are allocated dynamically, standardize dynamic address allocation lease information and the lease duration assigned to devices in accordance with [Assignment: organization-defined lease information and lease duration]; and (b) Audit lease information when assigned to a device.
Enhancement: “Handle device identification and authentication based on attestation by [Assignment: organization-defined configuration management process].”
As one can see from above, there are not many options available to implement the device authentication control. The document specifically refers to...
There is also a gaping hole in the above control that basically allows for systems to be accredited with heavy use of the phrase "Not Applicable." Specifically, the allowance for the "challenges of implementing device authentication on a large scale," which basically means that it is reasonable to not perform device authentication in situations where it is too difficult.
We suggest a modification to the IA-3 controls that makes it device authentication a strict requirement and also includes the deployment of physical layer device authentication solutions, like IdentiPHY, as an enhancement to this important security control.
What are your thoughts? Are there other solutions to device authentication that are relevant? Let us know in the comments.
Time-Triggered Ethernet Exploited
The physical introduction of rogue devices is a serious concern for critical infrastructure. These types of attacks are less frequent than those that use phishing, exploits on a company's public Internet-facing endpoints, etc. However, they can be incredibly damaging and are often difficult to detect. IdentiPHY provides the ability to automatically detect these attacks in a manner of seconds. One such attack that is specifically damaging to critical infrastructure systems was recently published by researchers from the University of Michigan. In this blog post, I'll briefly explain the attack and include in the description how IdentiPHY can help.
A recent paper, published in IEEE S&P, found vulnerabilities in Time-Triggered Ethernet (TTE) . TTE provides the ability to isolate time-triggered (TT) traffic from more common best-effort (BE) traffic within the same switches and cabling. TTE reduces message latencies to hundreds of microseconds and almost eliminates jitter , . In this paradigm, TT devices communicate on a tight, predetermined schedule and BE traffic fills in around the synchronous TT traffic. The authors call their technique PCSPOOF and...
"[show] that successful attacks are possible in seconds, and that each successful attack can cause TTE devices to lose synchronization for up to a second and drop tens of TT messages - both of which can result in the failure of critical systems like aircraft or automobiles."
The attack occurs in two stages. First, a single BE device infers the common identifier used by TTE devices by sending phony ARP requests. It tricks other BE devices into sending out messages with potential identifiers and determines which identifier gets dropped by the network. BE devices are forbidden from sending messages with the TTE common identifier. Therefore, the messages that are dropped contain the common identifier. From this identifier, the attacker can craft valid TTE synchronization messages.
Now, the second phase of the attack requires generating electromagnetic interference (EMI) from the malicious BE device using a small, low-power circuit that could be injected into a device as a supply chain attack or custom-crafted by an attacker. The EMI will result in packets that have lost their BE header but still contain a malicious synchronization message buried inside. This is where IdentiPHY detects the attack. The EMI will affect the malicious device's IdentiPHY-generated fingerprint, even if it was validly registered, and it will be flagged as unauthorized.
The overall goal of the IdentiPHY suite of products is to...
To that end, we've been working on the first IdentiPHY prototype for a while now and are finally ready to do a bit more of an introduction to the world. So, here is IdentiPHY:Wired. This initial prototype device is intended to be bolted onto an existing network to demonstrate the IdentiPHY physical layer device authentication concept. The prototype can passively protect 12 ports (12 in / 12 out) and provide authentication information to other network security components, e.g. Network Access Control (NAC), Software Defined Network (SDN) control plane, port security, etc.
The figure above shows an IdentiPHY:Wired sensor connected to 12 edge devices (left) passing through to a network switch (right). The sensor passively taps the TX pins coming from the edge devices and passes that data through a patent pending sampling, processing, fingerprinting, and authentication process shown in the green "Authentication" block. Authentication decisions can then be made part of the overall decision making process as to the authenticity of a connected device.
Where are we going with this? We want to integrate directly into network infrastructure to make IdentiPHY:Wired deployment as simple as possible for the end user.
Any questions? Want to see a demo? Email us at email@example.com.
What is IdentiPHY?
We'd like to introduce you to IdentiPHY! Check out our one-pager below...
IdentiPHY enables true multi-factor device authentication on your network. Two-factor authentication is commonplace these days with username/password, tokens, text messages, and even biometrics being used to authenticate users. However, the same level of authentication is not being applied to devices.
The three pillars of authentication:
For devices, "Something you have" and "Something you know" are the same thing! So, what is the equivalent of "Something you are" for devices? Enter IdentiPHY!
Reach out to learn more or setup a demonstration of IdentiPHY within your network.
Defend the Perimeter (Logically)
In a recent blog posting, Dark Wolf Solutions described some of their techniques for performing penetration testing and a particular assessment job that they executed. The main goal of this job was gaining physical access (which they quickly did) and installing a rogue wireless access point (AP) to the client's production network running Dynamic Host Configuration Protocol (DHCP).
“We configured … our rogue access point (that we would ultimately attempt to plug into their DHCP enabled production network via a vacant and active network jack and/or by changing the MAC (Media Access Control) address on the rogue AP to match something like a VoIP (Voice Over IP), just in case there was any sort of MAC filtering).”
These techniques are commonly employed to gain access to a target's network. In some instances, an attacker will even leave behind a small device (think RaspberryPi) to gain remote network access via the local cellular network. Now they can leave your facility and begin moving laterally throughout your network with relative impunity.
Your network's physical attack surface is present in every office, cubicle, conference room, and lab throughout your facilities. For a wired network, the vulnerable points of attack are the network jacks fixed to wall plates and cube walls. If the first (logical) line of defense for these network jacks is MAC address filtering then your network is vulnerable to attack.
MAC address filtering is a basic Layer 2 protection that should be deployed throughout your network. It limits the hardware devices that can be used on a particular switch port and is provided by most manufacturers of managed switches. This capability is often called Port Security or "Sticky MACs". However, MAC spoofing is a "script kiddie" level of attack these days.
The IdentiPHY:Wired platform adds a novel logical ring of protection around your network's most vulnerable ports. It protects your network from physical layer attacks 24 hours a days, seven days a week by authenticating the devices connected to your network. In most instances, the presence of an unauthorized device can be detected before it can even be issued an IP address from your DHCP server.
Reach out to learn more or see a demonstration of IdentiPHY within your network!