+1 vote
260 views 1 comments
by anonymous
I've set up RMS with TOTP MFA, but the OpenVPN client configuration is still downloadable.

Assuming that Teltonika is hacked (nobody is safe these days), a hacker could simply download the OpenVPN config file and access the internal network of all Teltonika customers. A real nightmare scenario.

I would strongly recommend that Teltonika doesn't save the client configuration files including the private keys used to make the connection. The file could be offered for a one-time download at setup time, and that's it.

Does anyone else have similar concerns and, if so, how do you mitigate against it?

1 Answer

0 votes
by anonymous

Hello,

Thank you for your suggestion.

Security concerns are one of the main focus areas at Teltonika, and we are constantly working to improve security as well as to provide general availability and ease of access to the service. Allowing the same config file to be downloaded can be regarded as a security flaw; however, there are reasons to allow it. Because of this, more security measures are taken to protect access to the system itself.

You can read more about it in the following page: https://teltonika-networks.com/lt/resources/articles-archive/security-mechanism-of-teltonika-remote-management-system/.

Best regards,

Žygimantas

by anonymous
You guys are essentially storing your users' passwords in the clear. There is no amount of ease of usability that warrants this. The internet is littered with hacked SaaS providers that leaked their users' credentials, and in your case it's 1000% worse because a hack of your systems can lead to direct access to your customers' internal networks. Why take this risk?

This is a huge red flag for me.

Please pass this on to your dev teams to have a second look at this matter. At least make it an option in RMS so the user can choose to remove their private keys from the service, and those who don't can manage their own risks.

Or you can add a passphrase to the configuration that the user must enter at each connection.
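The passphrase mitigation proposed in this thread is something a defender can verify on an exported profile. The following is an added example, not code from the thread or from Teltonika: it parses the OpenVPN inline-block format and reports whether the embedded client key is passphrase-protected. The sample profiles and PEM bodies are constructed placeholders.

```python
import re

# Constructed sample: an exported client profile with an UNENCRYPTED inline key.
# The PEM body is a placeholder, not real key material.
PLAINTEXT_PROFILE = """client
dev tun
remote vpn.example.invalid 1194
<key>
-----BEGIN PRIVATE KEY-----
MIIEvQplaceholderKeyMaterial
-----END PRIVATE KEY-----
</key>
"""

# Constructed sample: same profile, but the key is PKCS#8 encrypted PEM
# (the form `openssl pkcs8 -topk8` emits when a passphrase is set).
PROTECTED_PROFILE = PLAINTEXT_PROFILE.replace("PRIVATE KEY-----",
                                              "ENCRYPTED PRIVATE KEY-----")

# OpenVPN inline blocks: <tag>...</tag> wrapping PEM material.
INLINE_BLOCK = re.compile(r"<(?P<tag>[a-z-]+)>\n(?P<body>.*?)\n</(?P=tag)>", re.S)

def inline_blocks(profile: str) -> dict:
    """Return {tag: body} for every inline block (<ca>, <cert>, <key>, ...)."""
    return {m.group("tag"): m.group("body") for m in INLINE_BLOCK.finditer(profile)}

def key_protection(profile: str) -> str:
    """'none' (no inline <key>), 'encrypted' (PKCS#8 encrypted PEM or legacy
    PEM with Proc-Type: 4,ENCRYPTED), or 'plaintext' (usable by any holder)."""
    key = inline_blocks(profile).get("key")
    if key is None:
        return "none"
    if "BEGIN ENCRYPTED PRIVATE KEY" in key or "Proc-Type: 4,ENCRYPTED" in key:
        return "encrypted"
    return "plaintext"

def audit(profile: str) -> list:
    """Findings a defender would raise before handing a profile out."""
    findings, state = [], key_protection(profile)
    if state == "plaintext":
        findings.append("inline private key is not passphrase-protected")
    if state == "none" and "pkcs12" not in profile:
        findings.append("no inline key and no pkcs12: verify where the key lives")
    if "auth-user-pass" not in profile:
        findings.append("no auth-user-pass: possession of the file alone authenticates")
    return findings

if __name__ == "__main__":
    for name, prof in (("plaintext", PLAINTEXT_PROFILE), ("protected", PROTECTED_PROFILE)):
        print(name, key_protection(prof), audit(prof))
```

The check is header-based, so it tells you whether a leaked file is immediately usable, not how strong the passphrase is.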