Ubiquiti breach puts countless cloud-based devices at risk of takeover

Stylized image of rows of padlocks.

Network devices maker Ubiquiti has been covering up the severity of a data breach that puts customers’ hardware at risk of unauthorized access, KrebsOnSecurity has reported, citing an unnamed whistleblower inside the company.

In January, the maker of routers, Internet-connected cameras, and other networked devices, disclosed what it said was “unauthorized access to certain of our information technology systems hosted by a third-party cloud provider.” The notice said that, while there was no evidence the intruders accessed user data, the company couldn’t rule out the possibility that they obtained users’ names, email addresses, cryptographically hashed passwords, addresses, and phone numbers. Ubiquiti recommended users change their passwords and enable two-factor authentication.

Device passwords stored in the cloud

Tuesday’s report from KrebsOnSecurity cited a security professional at Ubiquiti who helped the company respond to the two-month breach beginning in December 2020. The individual said the breach was much worse than Ubiquiti let on and that executives were minimizing the severity to protect the company’s stock price.

The breach comes as Ubiquiti is pushing—if not outright requiring—cloud-based accounts for users to set up and administer devices running newer firmware versions. An article here says that during the initial setup of a UniFi Dream Machine (a popular router and home gateway appliance), users will be prompted to log in to their cloud-based account or, if they don’t already have one, to create an account.

“You’ll use this username and password to log in locally to the UniFi Network Controller hosted on the UDM, the UDM’s Management Settings UI, or via the UniFi Network Portal (https://network.unifi.ui.com) for Remote Access,” the article goes on to explain. Ubiquiti customers complain about the requirement and the risk it poses to the security of their devices in this thread that followed January’s disclosure.

Forging authentication cookies

According to Adam, the fictitious name that Brian Krebs of KrebsOnSecurity gave the whistleblower, the data that was accessed was much more extensive and sensitive than Ubiquiti portrayed. Krebs wrote:

In reality, Adam said, the attackers had gained administrative access to Ubiquiti’s servers at Amazon’s cloud service, which secures the underlying server hardware and software but requires the cloud tenant (client) to secure access to any data stored there.

“They were able to get cryptographic secrets for single sign-on cookies and remote access, full source code control contents, and signing keys exfiltration,” Adam said.

Adam says the attacker(s) had access to privileged credentials that were previously stored in the LastPass account of a Ubiquiti IT employee, and gained root administrator access to all Ubiquiti AWS accounts, including all S3 data buckets, all application logs, all databases, all user database credentials, and secrets required to forge single sign-on (SSO) cookies.

Such access could have allowed the intruders to remotely authenticate to countless Ubiquiti cloud-based devices around the world. According to its website, Ubiquiti has shipped more than 85 million devices that play a key role in networking infrastructure in over 200 countries and territories worldwide.

Ars Senior Technology Editor Lee Hutchinson reviewed Ubiquiti’s UniFi line of wireless devices in 2015 and again three years later.

In a statement issued after this post went live, Ubiquiti said “nothing has changed with respect to our analysis of customer data and the security of our products since our notification on January 11.” The full statement is:

As we informed you on January 11, we were the victim of a cybersecurity incident that involved unauthorized access to our IT systems. Given the reporting by Brian Krebs, there is newfound interest and attention in this matter, and we would like to provide our community with more information.

At the outset, please note that nothing has changed with respect to our analysis of customer data and the security of our products since our notification on January 11. In response to this incident, we leveraged external incident response experts to conduct a thorough investigation to ensure the attacker was locked out of our systems.

These experts identified no evidence that customer information was accessed, or even targeted. The attacker, who unsuccessfully attempted to extort the company by threatening to release stolen source code and specific IT credentials, never claimed to have accessed any customer information. This, along with other evidence, is why we believe that customer data was not the target of, or otherwise accessed in connection with, the incident.

At this point, we have well-developed evidence that the perpetrator is an individual with intricate knowledge of our cloud infrastructure. As we are cooperating with law enforcement in an ongoing investigation, we cannot comment further.

All this said, as a precaution, we still encourage you to change your password if you have not already done so, including on any website where you use the same user ID or password. We also encourage you to enable two-factor authentication on your Ubiquiti accounts if you have not already done so.

At a minimum, people using Ubiquiti devices should change their passwords and enable two-factor-authentication if they haven’t already done so. Given the possibility that intruders into Ubiquiti’s network obtained secrets for single sign-on cookies for remote access and signing keys, it’s also a good idea to delete any profiles associated with a device, make sure the device is using the latest firmware, and then recreate profiles with new credentials. As always, remote access should be disabled unless it’s truly needed and is turned on by an experienced user.

Post updated to add comment from Ubiquiti.

https://arstechnica.com/?p=1753568