Wow, Ubiquiti got owned HARD. Hackers got full RW access to their Amazon buckets and pretty much exfiltrated everything, including all passwords/credentials used to authenticate to and manage networks that use their cloud-based admin. Rather than immediately revoking all credentials, Ubiquiti made users change credentials on next login, which means if you don't often log in to make changes, then someone may have been creeping around your network for months.

krebsonsecurity.com/2021/03/wh

@Infoseepage Currently feeling very happy I didn't get anything Ubiquiti when I was upgrading to a mesh network recently. Damn.

@aspie4K I think it really underscores the dangers of cloud-based administration of networks. Cloud computing remains clown computing imo.

@Infoseepage Definitely, any kind of remote access into a LAN from the public internet is an inherent, unnecessary security risk.

@aspie4K It has always astounded me the degree to which ease of access/convenience gets pushed forward, often to the exclusion of security, in products that often end up in high-security environments. There are so many things that have become common practice, such as SMS-based 2FA, that we know are deeply problematic and for which better solutions exist, yet SMS is still the norm.

@aspie4K @Infoseepage

I totally agree...

I had my personal Nextcloud on OpenBSD in my private LAN exposed with ports 80/443 for some days. Although nothing happened (no login attempts, etc.), I was so uncomfortable with this that I decided to close the ports and return to VPN access.

@Infoseepage I have a bunch of their APs that were installed in the walls of this house by a previous tenant. They were EOL'd about a month ago, which means no updates. So the final update may have been backdoored, and no further ones are forthcoming? Awesome work.

@Infoseepage Not using their cloud bullshit, but I am running their controller software internally, so who knows if that's owned. Yay.

@phooky The article mentions source code and signing secrets, but it was unclear to me whether what was stolen would have been enough to build and push a firmware update. It sounds like they could probably connect into any network they wanted and view/change settings. They could have added new users during the long interval of compromise and possibly done things like add themselves to 2FA reset processes as a way of gaining later re-entry.

@phooky Just so many ways what the hackers got could be leveraged if they were prepared and really went to work on it. And much of what they stole may have long-term value if they do a slow walk through it. This is really the sort of incident that demands a "you are dead to me and all your gear goes in the dumpster" response, both due to the severity and how Ubiquiti did not come forth fully and in a manner both timely and which prioritized their customers' security and mitigation of risks.

@Infoseepage I'm unlikely to dumpster anything, both because it's wasteful and because I know just enough about infosec to assume that every device I have is owned to some degree anyway. :P

That said, I've gotten on a ladder and done a bunch of factory resets lately, and it would suck to do it again.
