DUHK (Don’t Use Hard-coded Keys) Attack Recovers Encryption Keys & Reveals VPN Connections

DUHK (Don’t Use Hard-coded Keys) is a new crypto implementation attack that could enable attackers to obtain secret keys that secure VPN (Virtual Private Network) connections, web browsing sessions and read encrypted communications crossing over VPN connections. The encrypted data could contain sensitive business data, login credentials, credit card information and other private data.

The DUHK attack has been discovered by two security researchers from the University of Pennsylvania and one researcher from Johns Hopkins University.

According to the researchers:
“DUHK (Don’t Use Hard-coded Keys) is a vulnerability that affects devices using the ANSI X9.31 Random Number Generator (RNG) in conjunction with a hard-coded seed key. The ANSI X9.31 RNG is an algorithm that until recently was commonly used to generate cryptographic keys that secure VPN connections and web browsing sessions, preventing third parties from reading intercepted communications.”

Any traffic from any VPN that use FortiOS 4.3.0 to FortiOS 4.3.18 can be decrypted by a passive network attacker who can monitor the encrypted handshake traffic.

The researchers tested the DUHK attack technique against Fortinet’s FortiGate virtual private network gateway products, which use the FortiOS OS. Also, an Internet scan proved that there are more than 25,000 Fortinet devices that are weak and exploitable.

The researchers who found the attack said they don’t intend to release any code used in their implementation of the method.

Related posts

Hard-Coded Credentials Vulnerability Found In Kubernetes Image Builder

Critical Vulnerability Patched In Jetpack WordPress Plugin

Microsoft Fixed 100+ Vulnerabilities With October Patch Tuesday