
IoT Security and Pre-Shared Keys

By Richard McIntosh, Blog Contributor

Ever since the inception of IoT devices, their use in the enterprise has continued to explode. While the added functionality of these devices becomes more and more valuable, the security implications they pose remain constant. Facilities and other teams within your organization can install sensors anywhere in the building, automate tasks, keep track of inventory and get better information than ever before.

How do they all get connected? Typically, these devices can only connect to your Wi-Fi using a pre-shared key (PSK). IT administrators already know that handing out PSKs is a security vulnerability in itself, especially when they have to hand their PSKs over to any vendor wanting to install a sensor.

I have seen an organization with 15 broadcasting SSIDs. 15! We have all fought the horrors of “Just add a new SSID,” but sometimes we are pressured into configuring things against best practice. Usually, the pressure comes from business owners who are just trying to get their projects done and start using the products they spent all this time and money deploying.

When we don’t give them a new SSID, they ask for the existing PSK. Unfortunately, handing out the PSK exposes our clients to a vulnerability that enables their traffic to be decrypted: anyone who holds the PSK only needs to capture the four-way handshake during client authentication. While this is a small-scale attack, it can be easily executed with a few deauthentication packets and a capture streaming in Wireshark.

Now, we have really upset our business partners. We won’t give them an SSID and we won’t hand them our PSK. Honestly, why should they have to wait for us? Why can't we give our business partners the wireless experience they expect? Why can’t we have a way for IoT devices to get on the network without anything special from IT?

In comes Aruba’s multiple pre-shared key (MPSK) solution. MPSK allows an IT administrator to maintain a centralized environment with all their IoT PSKs living within their existing ClearPass 6.8+ deployment. Users with permissions to enroll new devices can simply enter the MAC address of a new device, receive a PSK, and be off to the races.

Since we are utilizing the robust abilities of ClearPass, we can assign a tag to devices during the enrollment process that is then used to assign a device role. For example, this allows your medical pumps to have their correct access while an HVAC controller on the same SSID is restricted from communicating with your medical systems at all. Extending segmentation closer to the end device itself helps minimize the chances of you becoming the next Target data breach.
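As an added illustration (not Aruba’s or ClearPass’s code), the Python model below compares the key material behind a single shared PSK with an MPSK-style per-device PSK plus role tag. The SSID, MAC addresses, roles and segmentation policy are constructed, and the registry class is hypothetical; only the PMK derivation is the standard WPA2-Personal formula.

```python
import hashlib
import secrets

SSID = "corp-iot"  # constructed sample SSID


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """WPA2-Personal PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 rounds, 256 bits).
    Every client using the same passphrase on the same SSID derives the same PMK."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


class PskRegistry:
    """Hypothetical enrollment store (not ClearPass's data model). With shared_psk set it
    models a classic single-PSK SSID; with shared_psk=None it models MPSK, where each
    enrolled MAC gets its own random PSK plus a role tag used for segmentation."""

    def __init__(self, ssid: str, shared_psk=None):
        self.ssid, self.shared_psk, self.devices = ssid, shared_psk, {}

    def enroll(self, mac: str, role: str) -> str:
        mac = mac.lower()
        if mac in self.devices:
            raise ValueError(f"{mac} already enrolled")
        psk = self.shared_psk or secrets.token_urlsafe(24)  # the value the vendor receives
        self.devices[mac] = {"psk": psk, "role": role}
        return psk

    def pmk_for(self, mac: str) -> bytes:
        return derive_pmk(self.devices[mac.lower()]["psk"], self.ssid)

    def role_for(self, mac: str) -> str:
        return self.devices[mac.lower()]["role"]

    def exposed_if_leaked(self, mac: str) -> list:
        """MACs whose PMK equals this device's, i.e. everything a leak of its PSK covers."""
        target = self.pmk_for(mac)
        return sorted(m for m in self.devices if self.pmk_for(m) == target)


# Constructed segmentation policy: (device role, destination role) pairs that may talk.
ALLOWED = {("medical-pump", "medical-server"), ("hvac", "bms-server")}


def policy_allows(reg: PskRegistry, src_mac: str, dst_role: str) -> bool:
    """The role tag from enrollment, not the SSID, decides what a device may reach."""
    return (reg.role_for(src_mac), dst_role) in ALLOWED
```

With the shared PSK every enrolled MAC lands in `exposed_if_leaked`; with MPSK only the device whose PSK leaked does, so revocation is one entry rather than a rekey of the whole SSID.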

For a further explanation of how dynamic segmentation and ClearPass Device Insight can help secure your IoT devices once they are on your network, check out my post on Segmentation and Visibility Simplify Network Management and Security.
