With the pandemic ongoing, more businesses are moving to a work-from-home setup, and adversaries are trying every avenue to reach employees who connect to company systems from the comfort of home. Security is usually weaker there, which makes these users more exposed to attackers, as shown by the report of a group of concerned ethical hackers who stumbled upon a weakness in the Fortinet VPN secure connection.
According to the vulnerability report on the Fortinet VPN, almost 200,000 companies, consisting of small and medium businesses, are susceptible to a man-in-the-middle (MITM) attack if the secure connection is left in the default configuration of the Fortinet VPN.
They verified that the secure connection established via the Fortinet VPN is not well protected.
Its only requirement is that the certificate be issued by a FortiGate certificate authority, even one administered on a different FortiGate device, or be a self-signed SSL certificate created by the company.
The penetration starts with a compromised IoT device that adversaries use to spy on the targeted user and capture the credentials needed to access the company VPN. Once they have the credentials, they can log in to the targeted company's Fortinet VPN. Using a fake certificate authority together with the stolen credentials, they can inject malicious code to re-route the traffic to a domain they control and carry out their scheme. From there, they can spread the attack to the other devices connected to the network and inflict far more serious damage on the company, which is categorized as a serious business compromise.
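As an added example (not code from the report or from Fortinet), the Go snippet below contrasts the weak policy described above with a pinned one: a client that verifies the VPN server certificate only against the CA its own organisation enrolled accepts the genuine certificate and rejects a self-signed one bearing the same host name. The CA name "Example Corp VPN CA" and the host "vpn.example.com" are constructed.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// makeCert builds a certificate for host, signed by parent when one is given and
// self-signed otherwise (errors are ignored to keep the demo short).
func makeCert(host string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()),
		Subject:               pkix.Name{CommonName: host},
		DNSNames:              []string{host},
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  isCA,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
	}
	if parent == nil { // no issuer supplied: sign with the certificate's own key
		parent, parentKey = tmpl, key
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// VerifyPinned accepts the VPN server certificate only if it chains to the one CA the
// organisation enrolled and carries the expected host name. A client that accepts any
// FortiGate-issued or self-signed certificate cannot tell the genuine one from a rogue one.
func VerifyPinned(server, pinnedCA *x509.Certificate, host string) error {
	roots := x509.NewCertPool()
	roots.AddCert(pinnedCA)
	_, err := server.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	return err
}

// Scenario: the company CA (constructed) issues the real VPN certificate; an attacker
// on the path presents a self-signed certificate bearing the same host name.
func Scenario() (genuineAccepted, rogueRejected bool) {
	companyCA, caKey := makeCert("Example Corp VPN CA", true, nil, nil)
	genuine, _ := makeCert("vpn.example.com", false, companyCA, caKey)
	rogue, _ := makeCert("vpn.example.com", false, nil, nil)
	return VerifyPinned(genuine, companyCA, "vpn.example.com") == nil, VerifyPinned(rogue, companyCA, "vpn.example.com") != nil
}
```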
Unfortunately, according to Fortinet's official statement, they do not consider the report a vulnerability. They say they are fully aware of this situation and value their customers' security. All devices they release are set to work out of the box using the default configuration put in place by Fortinet. Each device also shows a GUI warning when a security-related threat arises. Furthermore, they confirmed that this certificate setting is fully customizable to create a more secure network, and instruction manuals are provided to guide customers in configuring the security authentication on the device to avoid such attacks.
For a large enterprise, maintenance and hiring experts for the configuration will not be a problem, as it has the resources. For small and medium businesses, this is another investment and another cost while the company tries to survive the pandemic. IT device manufacturers developing and releasing new products should also be aware that this type of business needs security in a more cost-efficient form.