COVID-19 EMERGENCY RESPONSE We stand with our partners, business customers, and especially our first and emergency responders on the front lines of this crisis. Read More

Protecting your data, from code to cloud and endpoints

Protecting people, places, things, and data is at the core of everything Cradlepoint builds — from wireless edge endpoints to the NetCloud platform that drives them. Just as our customers use actionable security information through NetCloud platform to make informed security decisions regarding their network, Cradlepoint has foundational processes and strategies in place to ensure everything we do is secure.

Our developers are trained in and implement secure coding best practices, ensuring security is baked into our software development lifecycle. They utilize static and dynamic analysis during the development process, implementing a development framework to evaluate code in real time against a constantly updated library of attack vectors, flagging risky code for further review and revision.

From incident response to acceptable use, Cradlepoint’s documented IT policies, baselines, and procedures meet and often exceed industry standards. Under NDA, our security team collaborates with customers’ security teams, and answering security questionnaires and penetration tests.

NetCloud Manager Security

Cradlepoint’s unique model leverages purpose-built networking endpoints that are managed via a cloud service. While moving an organization’s distributed network configuration data to the cloud can provide a significant ROI in terms of reduction of IT man-hours, configuration errors, and downtime, this shift includes a valid concern of how secure the “cloud” can be.

NetCloud Manager is a control-plane solution and customer data that traverses our devices is never sent to the cloud, leaving customer data under the full control and ownership of our customers. However, because NetCloud Manager orchestrates the control of distributed networks, the security controls used to secure NetCloud Manager are of paramount importance to both Cradlepoint and our customers.

Securing the Back End

Cradlepoint’s cloud services are stored and operated within Amazon Web Services US Regions, providing physical security, redundancy, and recovery capabilities of a world-class cloud service provider, such as SOC2 audited data centers, continuous monitoring, multiple availability zones, and offsite backups.

Leveraging cloud services is a shared responsibility model. While Cradlepoint inherits infrastructure security from AWS, we are responsible for the security of the NetCloud platform itself. Access to the backend systems that run NetCloud Manager is restricted to authorized DevOps engineers utilizing multi-factor authentication and originating within the Cradlepoint network.

NetCloud Manager is engineered for high availability, being clustered and distributed across different geographical zones with the ability to auto-scale, while confidentiality of customer network configuration data is maintained via encryption at rest using AES 256-bit encryption and encrypted in transit using Transport Layer Security version 1.2.

Additionally, our NetCloud Manager achieves a annual PCI DSS Attestation of Compliance that can be shared with customers under NDA. Although NetCloud Manager does not store, process or have access to cardholder or financial information our customers are often subject to PCI audits and implementing the security controls in line with PCI help reduce risk and expediate the auditing process.

NetCloud Manager Account Security

While the infrastructure security inherited through Amazon Web Services ensures NetCloud is physically secure and highly available, a customer’s account is a far more common avenue of attack when it comes to cloud services. Leveraging cloud services is a shared responsibility mode. While Cradlepoint is responsible for the security of NetCloud as a whole, customers are responsible for the security of their NCM account. NCM provides optional, although highly recommended, user configurable security options:

  • Force Multi-Factor Authentication: Enabling this feature requires every user within the NCM account to configure and log in to NCM using a Multi-Factor Authentication application, such as Google Authenticator. This prevents an attacker from being able to access NetCloud Manager even with the compromised credentials of a valid NCM user. For more information, review our Multi-Factor Authentication FAQ.
  • Federated ID/Single-Sign-On: Federated ID is for customers that want to use their Active Directory environment to authenticate their NetCloud Manager users. This creates a transparent login experience for Active Directory users to access NCM services, while easing user administration overhead and allowing system administrators to enforce internal security policies on users. For more information, review our Federated ID knowledgebase article.
  • Enhanced Security Login: For customers that don’t implement Federated ID, they can still implement some basic account security features by enabling Enhanced Login Security, which enforces:
    • User lockouts after six failed login attempts
    • Auto disabling of inactive account users after 90 days
    • Requiring passwords to be changed every 90 days
    • Preventing users from using their last four passwords when changing their password
  • Granular User Permissions: This allows administrators to implement the principle of least privilege by restricting users by role and subaccount, ensuring users have access only to the devices and groups to which they’ve been granted permission.
  • Device Alerts: NCM provides several device alert types that can be applied to groups and subaccounts that provide actionable security notifications regarding a customer’s distributed network, such as unauthorized configuration changes, device failed login attempts, WAN interface disconnections, and many more.

Secure Transport of Device Configuration

With a pedigree in cellular connectivity and Software-Defined WAN, Cradlepoint understands the challenges and limitations of centralized control of distributed networks. Therefore, we developed a secure stream protocol that is far more efficient and scalable than SNMP, allowing our devices to securely communicate with NetCloud Manager across several layers of Network Address Translation.

This management stream is client initiated, meaning our devices don’t require a publicly routable address or an external facing open port to establish connection to NetCloud. The connection is secure because it is certificate-based — providing authentication, authorization, and accountability of our devices — and is encrypted using Transport Layer Security version 1.2.

Once the secure client-initiated session is established, both NetCloud Manager and the device send periodic session keep alive packets allowing bi-directional real-time communication. If the session is dropped, the Cradlepoint endpoint will continue to attempt to re-establish the connection across any available WAN interface, minimizing downtime.

Hardware Security Measures

Using the principle of secure by default, the moment a Cradlepoint device goes online, customers are already taking advantage of a secure configuration that blocks inbound traffic and uses unique default credentials on every device. NetCloud OS (NCOS) is the operating system that resides on Cradlepoint endpoints, allowing centralized orchestration through NetCloud Manager. The security of our devices is just as important as the security of our cloud services, but it’s NetCloud OS that provides the security features that enable our customers to develop a secure network configuration. However, before a customer even logs into NCOS, there are several security measures already baked into our hardware:

  • Penetration Testing: Cradlepoint hardware and NetCloud OS are continually being tested via continual bug bounty security assessments to quickly identify and remediate vulnerabilities.
  • Secure Storage of Passwords: Device passwords are salted, hashed, and stored using strong, nonreversible encryption.
  • Secure by Default Configuration:
    • Unique default passwords for every device based on serial number
    • Stateful zone-based firewall with explicit deny for all inbound traffic
    • Remote administration, GPS, and uPNP disabled by default
    • Ban-IP Address enabled by default, which temporarily blocks IP addresses after five failed login attempts into NCOS
  • Signed NCOS Upgrades: All NCOS versions are signed by Cradlepoint and verified by the device before installation, preventing unauthorized, modified, and/or malicious installation of NCOS or other software.

Addressing Security Vulnerabilities

Cradlepoint recognizes the importance of security and privacy, and we take security issues very seriously. We report and address security issues in a timely and proactive manner in order to offer the greatest level of protection. Whether you’re a user of Cradlepoint solutions, a Cradlepoint employee, a software developer, or a security specialist, you’re an important part of this process, and Cradlepoint is committed to a transparent process in how we react to potential vulnerabilities.

Here is the Cradlepoint vulnerability process flow:

  • Cradlepoint is committed to communicating and working in a timely manner for any reported security vulnerability from an employee, customer, partner, or outside party.
  • Cradlepoint recommends submitters of vulnerabilities to follow our responsible disclosure process to minimize the risk to all customers and users of our technology.
  • To submit a vulnerability, send an email to with the following information:
    • Product and NCOS versions
    • Steps taken to expose the vulnerability
    • Contact information and preferences
    • Copies of screen shots, code snippets, and logs that might be helpful
        • Cradlepoint follows a responsible disclosure process for communicating vulnerabilities. As such, we will first privately notify customers and partners before any public disclosure in order to minimize risk to customers from exploitation of vulnerabilities. The private disclosure includes details for the risk, severity, remediation steps, and/or fixes.

View All Alerts