Update, February 2nd, 2023: A former Ubiquiti employee Nickolas Sharp, pled guilty to federal charges of hacking and wire fraud for claiming to be a whistleblower and making false claims after he perpetrated the security breach. KrebsOnSecurity has posted the following regarding the incident:
Last year, I posted a series of articles about a purported “breach” at Ubiquiti. My sole source for that reporting was the person who has since been indicted by federal prosecutors for his alleged wrongdoing – which includes providing false information to the press.
As a result of the new information that has been provided to me, I no longer have faith in the veracity of my source or the information he provided to me. I always endeavor to ensure that my articles are properly sourced and factual.
This time, I missed the mark and, as a result, I would like to extend my sincerest apologies to Ubiquiti, and I have decided to remove those articles from my website.
Original story below:
Ubiquiti, a company whose prosumer-grade routers have become synonymous with security and manageability, is being accused of covering up a “catastrophic” security breach — and after 24 hours of silence, the company has now issued a statement that doesn’t deny any of the whistleblower’s claims.
Originally, Ubiquiti emailed its customers about a supposedly minor security breach at a “third party cloud provider” on January 11th, but noted cybersecurity news site KrebsOnSecurity is reporting that the breach was actually far worse than Ubiquiti let on. A whistleblower from the company who spoke to Krebs claimed that Ubiquiti itself was breached, and that the company’s legal team prevented efforts to accurately report the dangers to customers.
It’s worth reading Krebs’ report to see the full allegations, but the summary is that hackers got full access to the company’s AWS servers — since Ubiquiti allegedly left root administrator logins in an LastPass account — and they could have been able to access any Ubiquiti networking gear that customers had set up to control via the company’s cloud service (now seemingly required on some of the company’s new hardware).
“They were able to get cryptographic secrets for single sign-on cookies and remote access, full source code control contents, and signing keys exfiltration,” the source told Krebs.
When Ubiquiti finally issued a statement this evening, it wasn’t a reassuring one — it’s wildly insufficient. The company reiterated its point that it had no evidence to indicate that any user data had been accessed or stolen. But as Krebs points out, the whistleblower explicitly stated that the company doesn’t keep logs, which would act as that evidence, on who did or didn’t access the hacked servers. Ubiquiti’s statement also confirms that the hacker did try to extort it for money, but doesn’t address the allegations of a cover up. You can read the full statement below.
As we informed you on January 11, we were the victim of a cybersecurity incident that involved unauthorized access to our IT systems. Given the reporting by Brian Krebs, there is newfound interest and attention in this matter, and we would like to provide our community with more information.
At the outset, please note that nothing has changed with respect to our analysis of customer data and the security of our products since our notification on January 11. In response to this incident, we leveraged external incident response experts to conduct a thorough investigation to ensure the attacker was locked out of our systems.
These experts identified no evidence that customer information was accessed, or even targeted. The attacker, who unsuccessfully attempted to extort the company by threatening to release stolen source code and specific IT credentials, never claimed to have accessed any customer information. This, along with other evidence, is why we believe that customer data was not the target of, or otherwise accessed in connection with, the incident.
At this point, we have well-developed evidence that the perpetrator is an individual with intricate knowledge of our cloud infrastructure. As we are cooperating with law enforcement in an ongoing investigation, we cannot comment further.
All this said, as a precaution, we still encourage you to change your password if you have not already done so, including on any website where you use the same user ID or password. We also encourage you to enable two-factor authentication on your Ubiquiti accounts if you have not already done so.
The other thing you’ll notice is that Ubiquiti is no longer pinning this on a “third party cloud provider.” The company admits that its own IT systems were accessed. But it doesn’t address much else, and the fact that the statement confirms some of what the whistleblower said while leaving the most worrying parts (e.g., the alleged cover-up, lack of logs, poor security practices, etc.) unaddressed makes me uncomfortable to be a Ubiquiti owner.
The company’s networking gear is (or was) trusted by many techies, myself included, because it promised full control over your home or small business network, without the fears of cloud-based solutions.
Throughout this process, Ubiquiti has failed to communicate properly with its customers. The fact that it’s not denying the allegations, and indicates that they could be true, suggests that the original email was, at the very least, an insufficient warning. It encouraged users to change their passwords — according to Krebs, a more appropriate response would be immediately locking all accounts and requiring a password reset. Even today, the company is simply encouraging users to change their passwords and enable two-factor authentication.