There is no evidence that the attacker who managed to penetrate the Ubiquiti cloud environment accessed customer data. The attacker is said to have only attempted to extort Ubiquiti with stolen source code.
Ubiquiti writes this in response to an article by security journalist Brian Krebs. Krebs spoke to an anonymous security expert who had helped Ubiquiti investigate the hack. According to the expert, the hack was much bigger than Ubiquiti suspected.
‘No evidence of accessed customer information’
The anonymous expert felt that Ubiquiti had not been honest in its initial announcement about the hack. In that announcement, Ubiquiti mentioned that there had been a breach at an external cloud provider, but that there was no indication that customer data had actually been stolen. However, according to the expert, this is not the full story, as it was Ubiquiti itself that was responsible for the security of its services at the external party, in this case AWS.
It is also true that the attacker only claimed to have had access to the source code of Ubiquiti software. Ubiquiti says that customer data was not the target of the attacker and that there is no evidence that the attacker accessed that data. The attacker himself indeed did not claim to have access to customer data.
However, the whistleblower stressed to Krebs that Ubiquiti did not do any access logging on its databases. This means that Ubiquiti simply does not have the information to prove whether or not the attacker had access to this data. According to the security expert, the attacker could theoretically have had access to this data.
No forced password resets
Since Ubiquiti’s official stance is still that there is no indication of access to customer data, the company is sticking to its advice to users to change their passwords. However, user profiles are not reset, which is what the security expert would like to see.
According to the whistleblower, the attacker managed to gain access to the LastPass account of a Ubiquiti employee. This gave him source access to all Ubiquiti AWS accounts. With this, in addition to Ubiquiti software code, the attacker would also have been able to view the customer data of users of the cloud services and even gain access to their IoT devices.