Remotely Brick System

I have a fleet of Peplink devices that are managed within InControl.

Do we have the ability to remotely brick the system in case there are any rogue systems out there?

Thank you!

Yes and no. You can build a really secure config that makes system access very, very hard.

Then there are methods to overwrite the factory reset config with your really secure config so that for all intents and purposes there are very limited practical ways to repurpose the device.

Curious as to what the primary motivation is.
Is it just device theft or more than that?

To me, “Brick” means “make not work ever again.” Is this the actual intent?

I was thinking of “making it never work again” from a security perspective. This is so that if there is a rogue device (stolen/etc), I can remove it from my organization completely. (I will also need to kill any cellular/SIM card service).

Seems that a configuration can be done, but as you have noted, a hardware factory reset will bypass that.

If you’re looking to eliminate any lateral movement through your network once inside (via a device configured in your environment) this is not really the way to do it. First, how will you be notified of a breach? After you are notified, then you would have to do a few things: move the device to a different group that essentially puts a vanilla config on the device and removes any tunnels/etc. This is fully dependent on a human taking action unless you have very good detection and response in your network environment and tooling to take automated actions.

I would recommend a different approach: what are your possible threat vectors here? Physical access? You can disable LAN ports, or use different types of authentication (dot1x, MAB, etc.). You could also implement a more zero-trust approach: assume your entire network is exposed, how do you limit application access? I do understand that these aren’t a half-day project, but if you have a relatively sophisticated attacker, your “bricking” a device will be long after the attacker has already penetrated your network and identified alternate paths in.

No, I’m saying a factory reset can be configured to apply a secure custom config, not a vanilla / open device config.

Thank you @MartinLangmaid and @ChristopherSpitler for your inputs.