Guessing passwords using heat from fingertips
An interesting attack vector, but not very practical.
Researchers showed that a thermal camera pointed at a keyboard shortly after a password is typed can reveal which keys were pressed, and roughly in what order, from the residual heat on the keycaps. That does not read the password outright, but it shrinks the search space for a brute-force attack from every possible string to permutations of a handful of keys.
It is an interesting attack vector to consider.
A good plot for a sci-fi hacker movie. The super-villain would try to guess the password from the heat signature. The super-hero would freeze his hands before typing the password, and all of us would marvel at the movie.
But, impractical: the attacker needs a thermal camera with line of sight to the keyboard within a short window after the keys are pressed.
Take Action:
Nothing. Not a very practical attack vector.
In fact, as Bruce Schneier says on his blog: “… if someone can train a camera at your keyboard, you have bigger problems.”
Authentication bypass in Fortinet devices
An actively exploited vulnerability coupled with slow patching is never good news.
“An authentication bypass using an alternate path or channel [CWE-88] in FortiOS and FortiProxy may allow an unauthenticated attacker to perform operations on the administrative interface via specially crafted HTTP or HTTPS requests,” reads the advisory issued by the company PSIRT.
Firewalls are difficult to patch because they sit in the path of all traffic: a firmware upgrade normally means a reboot, and without a tested high-availability failover that is an outage for everything behind the device. Any network engineer worth her salt would be wary of applying a firewall patch the moment it arrives, and waiting for a scheduled maintenance window can take forever.
The vulnerability, however, is remotely exploitable by an unauthenticated attacker against the administrative interface, and it is being actively exploited. Not a good time to be a network security engineer.
Take Action:
If you use FortiOS or FortiProxy devices, check Fortinet's PSIRT advisory for the affected versions and the fixed releases. Upgrading to a fixed release removes the vulnerability. Until you can upgrade, reduce the exposure of the administrative interface: do not answer HTTP/HTTPS administration on untrusted (internet-facing) interfaces, and restrict the interfaces that do answer to known management addresses.
Seek downtime NOW. And patch your firewall.
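The following FortiOS CLI fragment is an added illustration of that exposure reduction; it is not from the newsletter or from Fortinet's advisory, and the interface names (wan1, mgmt), the address object and the 10.20.0.0/24 management subnet are hypothetical placeholders. It shows the weak setting (admin HTTPS reachable on the internet-facing interface) next to a hardened one (admin access only on a management interface, only from known hosts, and only for admin accounts pinned to those hosts).

```text
# Weak setting: the HTTPS admin interface answers on the internet-facing port.
config system interface
    edit "wan1"
        set allowaccess ping https ssh
    next
end

# Hardened, step 1: take https and ssh off the untrusted interface and keep
# administration on the dedicated management interface only.
config system interface
    edit "wan1"
        set allowaccess ping
    next
    edit "mgmt"
        set allowaccess ping https ssh
    next
end

# Hardened, step 2: even on the management interface, accept admin traffic
# only from the known management subnet and drop it from anywhere else.
# (10.20.0.0/24 is a placeholder; use your real management range.)
config firewall address
    edit "mgmt-hosts"
        set subnet 10.20.0.0 255.255.255.0
    next
end
config firewall local-in-policy
    edit 1
        set intf "mgmt"
        set srcaddr "mgmt-hosts"
        set dstaddr "all"
        set service "HTTPS" "SSH"
        set schedule "always"
        set action accept
    next
    edit 2
        set intf "mgmt"
        set srcaddr "all"
        set dstaddr "all"
        set service "HTTPS" "SSH"
        set schedule "always"
        set action deny
    next
end

# Hardened, step 3: pin each admin account to trusted source addresses, so a
# request from elsewhere is rejected regardless of how it reaches the box.
config system admin
    edit "admin"
        set trusthost1 10.20.0.0 255.255.255.0
    next
end
```

Two caveats. First, apply this from the console or from a host inside the trusted range, because the local-in deny rule and the trusthost entry will cut off any session that comes from anywhere else, including your own if you are connected through wan1. Second, this only narrows who can reach the administrative interface; the flaw itself still sits in that interface, so any host that can still reach it can still exploit it. It buys time for the maintenance window, it does not replace the upgrade.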
P.S. - We will be off next week. Have a happy Diwali. 🪔