Teri Radichel

Summary

Teri Radichel discusses the importance of considering the supply chain and shipping security when purchasing network devices, emphasizing the risks of tampering and the need for transparency from vendors about their manufacturing and shipping processes.

Abstract

In the article, Teri Radichel emphasizes the need for vigilance in the procurement of network devices, advocating for direct purchases from manufacturers to mitigate supply chain risks. Radichel highlights the potential for tampering when devices are bought from third-party sellers, as evidenced by her personal experience with a delayed and potentially compromised phone shipment. She suggests that vendors should provide detailed information about the manufacturing, testing, and shipping of their devices, including the ability to disable unnecessary services by default to ensure device integrity. Radichel also stresses the importance of assessing vendors' delivery mechanisms as part of a comprehensive security assessment, recommending the inclusion of shipping route monitoring for security-sensitive devices.

Opinions

  • Preference for buying network devices directly from manufacturers to ensure a secure supply chain.
  • Concerns about the potential for tampering with devices purchased through platforms like eBay or Amazon.
  • The belief that vendors should be transparent about the origins of their devices' manufacturing and software development.
  • The opinion that unnecessary services should not be enabled by default on network devices to reduce the risk of unauthorized configuration changes.
  • A personal anecdote underscores the potential risks in the shipping process, including delays and possible tampering.
  • The assertion that vendor assessments should include an evaluation of the delivery process to ensure the security of network devices.
  • A recommendation to monitor shipping routes and delays as part of an organization's security processes for network-related devices.

Considering Where to Buy Network Devices

Have you thought about the path your devices take to get to you?


Update 4/12/24 — I think I need to update this post or write more on this topic. I’ll be speaking on this topic at an IANS event in Boston in October. Doing some additional analysis at this time. Got some helpful information from someone in this space. Follow the blog for updates.

I prefer to try to buy network devices straight from the manufacturer when possible. That is one reason I didn’t choose some alternate brands over my recent Ubiquiti purchase. If you buy an appliance straight from the vendor, hopefully you have a better chance of a secure supply chain.

If you’re buying network appliances off eBay or Amazon, it’s hard to know if the seller has messed with the device or not. I read some reviews online for Ubiquiti products where customers said they had problems with a device purchased on Amazon. They returned it and got a device straight from Ubiquiti and it worked fine.

I’m also familiar with and not comfortable with the supply chains of certain security companies.

Networking and Supply Chain Questions

I’ve been writing about issues related to understanding all the network connections required for software updates and configuration. However, it would also be good to understand the supply chain and shipping methods for vendor products as well.

I wish vendors were forced to list the following on their websites:

1. Where is the device manufactured and tested?
2. Where is the software written and tested? (Not always in the same place.)
3. What domain names, ports, and protocols does the device connect to?
4. What is the purpose of each domain name or IP address to which the device connects?
5. How can I turn off the service or function generating the traffic related to any particular domain name, port, or IP address?
6. If I can’t turn something off, explain why.
7. Explain how you ensure a device is not tampered with during the shipping process.
8. Do you have a methodology to ensure chain of custody after a device gets shipped to maintain its integrity from manufacturer through any third-parties to the end customer?

And please, if it is not necessary, don’t turn services on by default that are not required to start the device. Tell me how to do that after I start up and as I configure the device for the first time via an advanced configuration. If everything is off by default, any tampering with the configuration should be evident upon arrival.

Potential issues in shipping

I recently bought new cell phones from a new vendor. The experience was incredibly painful because the process for obtaining a code from the old vendor was broken. The process to purchase the new phones and verify my ID at the new vendor failed. I spoke to numerous departments at the new vendor, many of whom gave me inaccurate information. Some didn’t listen. Some didn’t understand me. Some talked too fast or had accents so thick I couldn’t understand them (and I have worked with a lot of people from other countries). I tried going to a store twice and they couldn’t help me. All in all, it wasted days of my life and was an absolutely horrible experience, but I won’t go into all of that here.

What concerned me most was this. Once I finally got the order in, one phone shipped in two days and came instantly. One was on backorder but shipped earlier than expected and came in two days. The third phone shipped but got stuck at FedEx in Tennessee — for almost two weeks. Who knows what happened to the phone during that time period.

Eventually, I gave up and called the vendor and asked about the phone. I pointed out that an identical phone took that exact same shipping route. The person on the phone noted that it got from Tennessee to Savannah in one day. Why was the other phone sitting in Tennessee for two weeks? I have no idea. The person at the vendor helped me submit a request to mark the phone as stolen. A new phone was shipped. It came in two days.

However, ironically, the “missing” phone came right after I made that call to report the missing phone, and one day before the second phone. When I got the missing phone it appeared that the box had been opened and the shrink-wrap on the phone was also opened. The replacement phone that arrived promptly in two days had bubble wrap to protect the phone and was properly shrink-wrapped. The “missing” phone had no such packaging.

Did someone actually open the phone and tamper with it, or did it just get jostled around so much in shipping that the shrink wrap came undone? Did the box look previously opened simply because it was banged around since one of the corners got dented? Was the missing bubble wrap an oversight at the company? I have no idea. But from here on out, I think I’ll be skipping the online purchasing channel when it comes to phones.

Vendor assessments should consider delivery mechanisms

When you are performing vendor assessments, consider not only the security in the manufacturing process but also the delivery process. How many hands does your device pass through as it makes its way from the manufacturer to your location? Add that to your product security assessment checklist for physical network devices. You may also want to add a mechanism to monitor shipping routes and delays to your security processes for security and network-related devices.
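One way to monitor shipping routes and delays, as an added example that is not from the original post: compare how long each shipment sits at a hub against sibling shipments that passed through the same hub, and flag outliers for inspection before deployment. The scan events, shipment IDs, thresholds, and function names are constructed assumptions; real carrier tracking data would need to be mapped into this shape.

```python
from datetime import datetime, timedelta
from statistics import median

# Constructed scan events (shipment, location, ISO time); not real carrier data.
SCANS = [
    ("PHONE-A", "Tennessee hub", "2022-03-01T08:00"),
    ("PHONE-A", "Savannah", "2022-03-02T08:00"),
    ("PHONE-A", "Delivered", "2022-03-02T16:00"),
    ("PHONE-B", "Tennessee hub", "2022-03-03T08:00"),
    ("PHONE-B", "Savannah", "2022-03-04T06:00"),
    ("PHONE-B", "Delivered", "2022-03-04T15:00"),
    ("PHONE-C", "Tennessee hub", "2022-03-01T09:00"),
    ("PHONE-C", "Savannah", "2022-03-14T09:00"),
    ("PHONE-C", "Delivered", "2022-03-15T12:00"),
]

def dwell_times(scans, now=None):
    """Map shipment -> {location: time spent there before moving on}."""
    by_shipment = {}
    for sid, loc, ts in scans:
        by_shipment.setdefault(sid, []).append((datetime.fromisoformat(ts), loc))
    result = {}
    for sid, events in by_shipment.items():
        events.sort()
        dwell, (arrived, here) = {}, events[0]
        for t, loc in events[1:]:
            if loc != here:  # repeated scans at one location extend the same stay
                dwell[here] = dwell.get(here, timedelta()) + (t - arrived)
                arrived, here = t, loc
        if now and here != "Delivered":  # still in transit: count time so far
            dwell[here] = dwell.get(here, timedelta()) + (datetime.fromisoformat(now) - arrived)
        result[sid] = dwell
    return result

def flag_delays(scans, now=None, factor=3.0, floor=timedelta(days=2)):
    """Flag stays longer than `floor` and `factor` x the median of peer shipments."""
    dwell, flagged = dwell_times(scans, now), []
    for sid, hubs in dwell.items():
        for hub, spent in hubs.items():
            peers = [d[hub] for other, d in dwell.items() if other != sid and hub in d]
            baseline = median(peers) if peers else floor  # no peers: use the floor
            if spent > floor and spent > factor * baseline:
                flagged.append((sid, hub, spent.days))
    return flagged

if __name__ == "__main__":
    for sid, hub, days in flag_delays(SCANS):
        print(f"{sid}: {days} days at {hub}; inspect before deployment")
```

Passing `now` lets the check fire while a package is still sitting at a hub, rather than only after it arrives.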

Follow for updates.

Teri Radichel | © 2nd Sight Lab 2022
