Network device maker Ubiquiti has obscured the seriousness of a data breach that puts customers’ hardware at risk for unauthorized access, KrebsOnSecurity reports, citing an unnamed whistleblower within the company.
In January, the maker of routers, internet-connected cameras and other network devices disclosed that it had “unauthorized access to certain of our information technology systems hosted by a third-party cloud provider.” The message said that while there was no evidence that the intruders had access to user data, the company could not rule out the possibility that they obtained names, email addresses, cryptographically hashed passwords, addresses and phone numbers from users. Ubiquiti recommended that users change their password and enable two-factor authentication.
Device passwords stored in the cloud
Tuesday’s report from KrebsOnSecurity quoted a security professional at Ubiquiti who helped the company respond to the two-month breach that began in December 2020. The person said the breach was much worse than Ubiquiti had suspected and executives minimized the severity of the stock. the company’s price to protect.
The breach comes as Ubiquiti is pushing cloud-based accounts — if not required — for users to set up and manage devices with newer firmware versions. An article here says that during the initial setup of a UniFi Dream Machine (a popular router and gateway device for home use), users are prompted to sign in to their cloud account or, if they don’t already have one, to create an account.
“You will use this username and password to log in locally to the UniFi Network Controller hosted on the UDM, the administration settings user interface of the UDM, or through the UniFi Network Portal (https://network.unifi.ui.com ) for Remote Access,” the article explains. Ubiquiti customers complain about the requirement and the risk it poses to the security of their devices in this thread following the January reveal.
Falsifying authentication cookies
According to Adam, the fictitious name that Brian Krebs of KrebsOnSecurity gave the whistleblower, the data accessed was much more extensive and sensitive than Ubiquiti portrayed. Krebs wrote:
In reality, Adam said, the attackers had gained administrative access to Ubiquiti’s servers at Amazon’s cloud service, which secures the underlying server hardware and software, but requires the cloud tenant (client) to secure access to all data stored there.
“They were able to obtain cryptographic secrets for single sign-on and remote access cookies, full source code control, and signing key exfiltration,” Adam said.
Adam says the attacker(s) had access to privileged credentials previously stored in a Ubiquiti IT employee’s LastPass account, and gained root admin access to all Ubiquiti AWS accounts, including all S3 data buckets, all application logs, all databases , all user database credentials and secrets needed to spoof single sign-on (SSO) cookies.
Such access could have allowed the intruders to authenticate remotely to countless Ubiquiti cloud-based devices around the world. According to its website, Ubiquiti has shipped more than 85 million devices that play a key role in network infrastructure in more than 200 countries and territories worldwide.
Ars Senior Technology Editor Lee Hutchinson reviewed Ubiquiti’s UniFi line of wireless devices in 2015 and again three years later.
In a statement released after this message went live, Ubiquiti said that “nothing has changed regarding our analysis of customer data and the safety of our products since our notification on January 11.” The full statement reads:
As we informed you on January 11, we were the victim of a cybersecurity incident involving unauthorized access to our IT systems. Given the coverage by Brian Krebs, there has been renewed interest and focus on this issue, and we are eager to provide more information to our community.
At the outset, please note that nothing has changed regarding our customer data analysis and the security of our products since our notification on January 11. In response to this incident, we engaged external incident response experts to conduct a thorough investigation to determine the attacker was locked out of our systems.
These experts found no evidence that customer information was accessed or even targeted. The attacker, who unsuccessfully attempted to extort the company by threatening to release stolen source code and specific IT credentials, claimed to have never had access to customer information. This, along with other evidence, is why we believe customer data was not targeted or otherwise accessible in connection with the incident.
At this point, we have well-developed evidence that the culprit is a person with intricate knowledge of our cloud infrastructure. As we are cooperating with the police in an ongoing investigation, we are unable to comment further.
That said, as a precaution we still recommend that you change your password if you haven’t already, including on any website where you use the same username or password. We also recommend that you enable two-factor authentication on your Ubiquiti accounts if you have not already done so.
People who use Ubiquiti devices should at least change their password and enable 2-Step Verification if they haven’t already done so. Given the possibility that intruders in Ubiquiti’s network have obtained secrets for remote access single sign-on cookies and key signing, it’s also a good idea to delete all profiles associated with a device, ensure that the device using the latest firmware and then recreate profiles with new credentials. As always, remote access should be disabled unless absolutely necessary and enabled by an experienced user.
Post updated to add comments from Ubiquiti.