Ubiquiti breach puts countless cloud-based devices at risk of takeover

Network devices-maker Ubiquiti has been covering up the severity of a data breach that puts customers hardware at risk of unauthorized access, KrebsOnSecurity has reported, citing an unnamed whistleblower inside the company.

In January, the maker of routers, Internet-connected cameras, and other networked devices, disclosed what it said was unauthorized access to certain of our information technology systems hosted by a third-party cloud provider. The notice said that, while there was no evidence the intruders accessed user data, the company couldnt rule out the possibility that they obtained users names, email addresses, cryptographically hashed passwords, addresses, and phone numbers. Ubiquiti recommended users change their passwords and enable two-factor authentication.

Device passwords stored in the cloud

Tuesdays report from KrebsOnSecurity cited a security professional at Ubiquiti who helped the company respond to the two-month breach beginning in December 2020. The individual said the breach was much worse than Ubiquiti let on and that executives were minimizing the severity to protect the companys stock price.

The breach comes as Ubiquiti is pushingif not outright requiringcloud-based accounts for users to set up and administer devices running newer firmware versions. An article here says that, during the initial setup of a UniFi Dream Machine (a popular router and home gateway appliance), users will be prompted to log into their cloud-based account or, if they dont already have one, to create an account.

Youll use this username and password to log in locally to the UniFi Network Controller hosted on the UDM, the UDMs Management Settings UI, or via the UniFi Network Portal (https://network.unifi.ui.com) for Remote Access, the article goes on to explain. Ubiquiti customers complain about the requirement and the risk it poses to the security of their devices in this thread that followed Januarys disclosure.

Forging authentication cookies

According to Adam, the fictitious name Krebs gave the whistleblower, the data that was accessed was much more extensive and sensitive than Ubiquiti portrayed. Krebs wrote:

In reality, Adam said, the attackers had gained administrative access to Ubiquitis servers at Amazons cloud service, which secures the underlying server hardware and software but requires the cloud tenant (client) to secure access to any data stored there.

They were able to get cryptographic secrets for single sign-on cookies and remote access, full source code control contents, and signing keys exfiltration, Adam said.

Adam says the attacker(s) had access to privileged credentials that were previously stored in the LastPass account of a Ubiquiti IT employee, and gained root administrator access to all Ubiquiti AWS accounts, including all S3 data buckets, all application logs, all databases, all user database credentials, and secrets required to forge single sign-on (SSO) cookies.

Such access could have allowed the intruders to remotely authenticate to countless Ubiquiti cloud-based devices around the world. According to its website, Ubiquiti has shipped more than 85 million devices that play a key role in networking infrastructure in over 200 countries and territories worldwide.

Ubiquiti representatives didnt respond to multiple requests for comment that Krebs sent. The representatives have yet to respond to a separate request I sent on Wednesday morning. Ars Senior Technology Editor Lee Hutchinson reviewed Ubiquiti’s UniFi line of wireless devices in 2015 and again three years later.

At a minimum, people using Ubiquiti devices should change their passwords and enable two-factor-authentication if they havent already done so. Given the possibility that intruders into Ubiquitis network obtained secrets for single sign-on cookies for remote access and signing keys, its also a good idea to delete any profiles associated with a device, make sure the device is using the latest firmware, and then recreate profiles with new credentials. As always, remote access should be disabled unless its truly needed and is turned on by an experienced user.

Source link

Leave a Reply

Your email address will not be published. Required fields are marked *