A few months ago, Ubiquiti informed its customers of unauthorised access to its servers, stating that there was no indication that user information had been stolen. However, according to a security professional, the extent of the breach was much greater than Ubiquiti would like to admit.
In January, Ubiquiti published a message informing its customers of a breach in its systems. “We recently became aware of unauthorized access to certain of our information technology systems by a third party cloud provider. We have no indication that there has been unauthorized activity with respect to any user’s account.” Ubiquiti goes on to say that there is no indication of data theft but recommends that users change their passwords, just to be sure.
Situation much worse than Ubiquiti suggests
However, according to a security expert who investigated the breach together with Ubiquiti, the situation is much more serious than Ubiquiti's message suggests. He shared his experiences with security journalist Brian Krebs, anonymously, for fear of retribution from Ubiquiti.
The security expert, to whom Krebs gives the pseudonym Adam, has written a letter to the European Data Protection Supervisor. In it he says that the breach was 'catastrophically worse' than Ubiquiti had let on, and that the company actively overruled efforts to protect its customers. “The breach was massive, customer data was at risk, access to customers’ devices deployed in corporations and homes around the world was at risk.”
Ubiquiti’s message is worded as if the blame for the intrusion can be laid on the external cloud provider. Ubiquiti does indeed use Amazon Web Services for its cloud services. According to Adam, however, AWS only supplies the underlying hardware and software; securing the data and accounts Ubiquiti keeps there is Ubiquiti's own responsibility. In Adam's account, the breach was the result of gaps in Ubiquiti's security, not AWS's.
The attacker allegedly gained access to an Ubiquiti employee’s LastPass account and, through the credentials stored there, obtained root access to all of Ubiquiti's AWS accounts: every S3 data bucket, application logs, databases, login credentials, and the secrets required to forge single sign-on (SSO) cookies. Whoever holds those signing secrets can mint a valid session for any user without knowing that user's password.
Access to all cloud-connected Ubiquiti devices
With this extensive access to Ubiquiti’s databases, the attackers also gained immediate access to a huge number of cloud-connected Ubiquiti devices around the world. Ubiquiti has sold tens of millions of devices, all of which play a central role in their users’ networks. In addition to routers and other network equipment, the company also sells IoT devices such as security cameras and smart door locks.
Incidentally, by no means all Ubiquiti devices are connected to the cloud. Many of the company’s popular network devices are managed only by local software, such as the UniFi Controller. It is particularly Ubiquiti’s IoT devices that depend on the compromised cloud services.
However, the company has recently released some new network devices that also connect to the cloud. This is meant to make the products more user-friendly, but it also means users no longer have full control over the security of their devices. The security of home and small-business network equipment often leaves much to be desired anyway, which makes a breach at the vendor all the more painful; a compromise of Ubiquiti itself has far greater consequences than a single poorly secured Wi-Fi network.
Extortion by the attackers
The first signs that something was going on in Ubiquiti’s systems surfaced in late December. The security team noticed that a number of Linux VMs had been set up that could not be accounted for. Then the employees discovered a backdoor in the network.
The backdoor was quickly removed, but the crisis was not over. The attackers contacted Ubiquiti and demanded 50 bitcoin (almost 2.5 million euros) in exchange for keeping quiet about the break-in and revealing where they had planted a second backdoor in the system. As proof of the intrusion they showed source code stolen from Ubiquiti.
Ubiquiti did not respond to the extortion attempt and eventually managed to find the second backdoor on its own. The company then had all its employees change their passwords, after which it sent the aforementioned message to its customers.
According to Adam, however, a simple request to change passwords is insufficient in this situation. He believes the company should have immediately invalidated all existing login credentials and sessions, forcing every user to re-authenticate and set new credentials. After all, the attackers had already obtained the credentials and secrets needed to remotely access users’ IoT devices; as long as those remain valid, a voluntary password change does nothing to lock the attackers out.
“Ubiquiti had negligent logging (no access logging on databases) so it was unable to prove or disprove what they accessed, but the attacker targeted the credentials to the databases, and created Linux instances with networking connectivity to said databases,” Adam wrote in his letter. “Legal overrode the repeated requests to force rotation of all customer credentials, and to revert any device access permission changes within the relevant period.”
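To make Adam's point concrete, the following is an added illustration written for this page; it is not Ubiquiti's SSO implementation and nothing in it comes from the breach itself. It models a hypothetical SSO service that signs session cookies with one server-side HMAC key (`SsoService`, `forge_cookie`, the user `alice` and the cookie layout are all assumptions for the example). An attacker who has exfiltrated the signing key can forge a cookie for any account; the victim changing their password leaves that forged cookie valid, and only rotating the signing key (which invalidates every outstanding cookie at once) locks the attacker out.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional, Tuple


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_payload(payload: bytes, key: bytes) -> str:
    """Cookie layout (assumed): base64(payload).base64(HMAC-SHA256(key, payload))."""
    mac = hmac.new(key, payload, hashlib.sha256).digest()
    return f"{_b64(payload)}.{_b64(mac)}"


def parse_cookie(cookie: str, key: bytes):
    """Return the claims dict if the MAC verifies under `key`, otherwise None."""
    try:
        enc_payload, enc_mac = cookie.split(".", 1)
        payload, mac = _unb64(enc_payload), _unb64(enc_mac)
    except ValueError:  # malformed cookie or bad base64
        return None
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, mac):
        return None
    return json.loads(payload)


class SsoService:
    """Hypothetical SSO issuer: one signing key plus a toy password store."""

    def __init__(self) -> None:
        self.signing_key = secrets.token_bytes(32)  # the secret an attacker would steal
        self.key_id = 1
        self.password_hashes = {}

    def set_password(self, user: str, password: str) -> None:
        # Toy hashing for the example; a real service uses a slow, salted hash.
        self.password_hashes[user] = hashlib.sha256(password.encode()).hexdigest()

    def rotate_signing_key(self) -> None:
        """Invalidate every outstanding cookie, genuine or forged, in one step."""
        self.signing_key = secrets.token_bytes(32)
        self.key_id += 1

    def issue_cookie(self, user: str, ttl: int = 86400, now: Optional[int] = None) -> str:
        now = int(time.time()) if now is None else now
        claims = {"sub": user, "kid": self.key_id, "exp": now + ttl}
        payload = json.dumps(claims, separators=(",", ":")).encode()
        return sign_payload(payload, self.signing_key)

    def verify_cookie(self, cookie: str, now: Optional[int] = None) -> Optional[str]:
        now = int(time.time()) if now is None else now
        claims = parse_cookie(cookie, self.signing_key)
        if claims is None or claims.get("kid") != self.key_id or claims.get("exp", 0) <= now:
            return None
        return claims["sub"]


def forge_cookie(stolen_key: bytes, key_id: int, victim: str, ttl: int = 86400) -> str:
    """Attacker side: holding the signing secret, mint a cookie for any account."""
    claims = {"sub": victim, "kid": key_id, "exp": int(time.time()) + ttl}
    return sign_payload(json.dumps(claims, separators=(",", ":")).encode(), stolen_key)


def demo() -> Tuple[bool, bool, bool]:
    svc = SsoService()
    svc.set_password("alice", "correct horse battery staple")

    stolen_key = svc.signing_key  # exfiltrated from the cloud account in this scenario
    forged = forge_cookie(stolen_key, svc.key_id, "alice")

    accepted_before = svc.verify_cookie(forged) == "alice"
    svc.set_password("alice", "a brand new password")  # user follows the "change your password" advice
    accepted_after_pw_change = svc.verify_cookie(forged) == "alice"
    svc.rotate_signing_key()  # forced invalidation of all sessions
    rejected_after_rotation = svc.verify_cookie(forged) is None
    return accepted_before, accepted_after_pw_change, rejected_after_rotation


if __name__ == "__main__":
    print(demo())  # -> (True, True, True)
```

The same reasoning applies to any long-lived credential the attacker copied: API keys, device enrolment tokens, database passwords. Asking users to pick a new password changes something the attacker never needed, while rotating the stolen secrets and forcing re-authentication changes what they actually hold.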
The revelations of the anonymous security expert have caused quite a stir. Block & Leviton, a law firm specialising in securities litigation, has announced that it will investigate whether Ubiquiti or certain members of the company’s board have violated federal securities laws. The firm alleges that the company downplayed the extent of the intrusion to avoid a bigger blow to its stock market value. Shareholders with relevant information or questions about their rights are asked to contact Block & Leviton.
Block & Leviton is not the only firm to have launched an investigation into Ubiquiti. The Schall Law Firm has also announced that it is looking into the matter. The firm encourages shareholders with losses of more than 100,000 dollars to contact the firm.
How to proceed
Ubiquiti itself has not yet issued an official response to the revelations. Brian Krebs advises users of Ubiquiti devices to delete all user profiles on their devices, install the latest firmware, and then create new user profiles, using unique credentials for each. Krebs also suggests disabling all forms of remote access to the devices.