Ubiquiti is accused of covering up a ‘catastrophic’ data breach — and it’s not denying it

Illustration by Alex Castro / The Verge

Ubiquiti, a company whose prosumer-grade routers have become synonymous with security and manageability, is being accused of covering up a “catastrophic” security breach — and after 24 hours of silence, the company has now issued a statement that doesn’t deny any of the whistleblower’s claims.

Originally, Ubiquiti emailed its customers about a supposedly minor security breach at a “third party cloud provider” on January 11th, but noted cybersecurity news site KrebsOnSecurity is reporting that the breach was actually far worse than Ubiquiti let on. A whistleblower from the company who spoke to Krebs claimed that Ubiquiti itself was breached, and that the company’s legal team prevented efforts to accurately report the dangers to customers.

It’s worth reading Krebs’ report to see the full allegations, but the summary is that hackers got full access to the company’s AWS servers — since Ubiquiti allegedly left root administrator logins in an LastPass account — and they could have been able to access any Ubiquiti networking gear that customers had set up to control via the company’s cloud service (now seemingly required on some of the company’s new hardware).

“They were able to get cryptographic secrets for single sign-on cookies and remote access, full source code control contents, and signing keys exfiltration,” the source told Krebs.

When Ubiquiti finally issued a statement this evening, it wasn’t a reassuring one — it’s wildly insufficient. The company reiterated its point that it had no evidence to indicate that any user data had been accessed or stolen. But as Krebs points out, the whistleblower explicitly stated that the company doesn’t keep logs, which would act as that evidence, on who did or didn’t access the hacked servers. Ubiquiti’s statement also confirms that the hacker did try to extort it for money, but doesn’t address the allegations of a cover up. You can read the full statement below.

As we informed you on January 11, we were the victim of a cybersecurity incident that involved unauthorized access to our IT systems. Given the reporting by Brian Krebs, there is newfound interest and attention in this matter, and we would like to provide our community with more information.

At the outset, please note that nothing has changed with respect to our analysis of customer data and the security of our products since our notification on January 11. In response to this incident, we leveraged external incident response experts to conduct a thorough investigation to ensure the attacker was locked out of our systems.

These experts identified no evidence that customer information was accessed, or even targeted. The attacker, who unsuccessfully attempted to extort the company by threatening to release stolen source code and specific IT credentials, never claimed to have accessed any customer information. This, along with other evidence, is why we believe that customer data was not the target of, or otherwise accessed in connection with, the incident.

At this point, we have well-developed evidence that the perpetrator is an individual with intricate knowledge of our cloud infrastructure. As we are cooperating with law enforcement in an ongoing investigation, we cannot comment further.
All this said, as a precaution, we still encourage you to change your password if you have not already done so, including on any website where you use the same user ID or password. We also encourage you to enable two-factor authentication on your Ubiquiti accounts if you have not already done so.

Thanks,
Team UI

The other thing you’ll notice is that Ubiquiti is no longer pinning this on a “third party cloud provider.” The company admits that its own IT systems were accessed. But it doesn’t address much else, and the fact that the statement confirms some of what the whistleblower said while leaving the most worrying parts (e.g., the alleged cover-up, lack of logs, poor security practices, etc.) unaddressed makes me uncomfortable to be a Ubiquiti owner.

The company’s networking gear is (or was) trusted by many techies, myself included, because it promised full control over your home or small business network, without the fears of cloud-based solutions.

Throughout this process, Ubiquiti has failed to communicate properly with its customers. The fact that it’s not denying the allegations, and indicates that they could be true, suggests that the original email was, at the very least, an insufficient warning. It encouraged users to change their passwords — according to Krebs, a more appropriate response would be immediately locking all accounts and requiring a password reset. Even today, the company is simply encouraging users to change their passwords and enable two-factor authentication.

Comments

the whistleblower explicitly stated that the company doesn’t keep logs

This is why I take the oh so common "no evidence data was accessed" with a grain of salt. Is there "no evidence" because your controls show this or because you conveniently don’t have audit controls?

> since Ubiquiti allegedly left root administrator logins in an LastPass account

Wait, so they had root accessible just through a password, with no SSH certificate or two-factor authentication required?? That’s crazy. I would have assumed that Ubiquiti would know what they’re doing in terms of security, but this makes me seriously doubt the security of their products.

So I understand that everything shouldn’t have been accessible with just a password, but does this mean that having logins in LastPass is as good as leaving it out in the open?

It’s fine having passwords in LastPass, but important things should also have two-factor authentication (the LastPass account should also have two-factor authentication). LastPass is generally quite secure so I have no idea how attackers could have gotten into their LastPass account.

prosumer-grade routers have become synonymous with security

which require a cloud connection. yeeeaaahhhh…

They don’t require a cloud connection. You don’t have to turn that feature on.

Many of their newer device DO require a cloud connection, and some allow you to turn it off only after you complete the setup.

So they just downgraded themselves to strictly low end consumer grade products at a high end price

Their obsession with everything being managed by their cloudkeys is why I wouldn’t touch their products. It’s a wireless router. I don’t really need to actively access it remotely and I certainly don’t want to share access with another company of my home network. Why can’t companies just sell us a damn product and leave us the hell alone? No, I don’t want to sign up for a subscription and, no, I don’t want you further involved except for warranty or technical issues.

That’s exactly why I used to like Unifi products. I deployed a Unifi CCTV system at work, you could run the controller / NVR software on anything you wanted, without having to pay subscriptions.

However the NRV software got discontinued, so their forcing you down the path of buying a UniFi Protect Network Video Recorder or a UniFi Cloud Key Plus. Granted the current setup we have could run indefinitely, however i’m sure a point will come where we need new Cameras which are not supported by the older Unifi NVR software.

Even Netgate / pfSense are having a bad time recently, another thing I’m slowing going off sadly.

try opnsense rather than pfsense.

Thanks, this looks really interesting. Any idea on how well the traffic shaping/QOS works? I know that is a bit of a weakness for pfSense when we looked at it a couple years ago.

I recently bought and started using UniFi equipment based on their reputation for enterprise-grade features and security. I’ve found a slick interface that’s extremely brittle underneath.

I’m running the Controller software on my home Debian box. You can’t install their software on any modern version of Debian out of the box. There’s a guy on their forums who makes a (n excellent) script that pulls down the versions of MongoDB and other utilities needed to install it, but that’s a third-part doing it. I then tried to load the configuration from the Windows system I was testing on to my Debian box, and the controller wouldn’t load. I go to the UI forums and people are all like "Yeah, that doesn’t work." So I had to rebuild my config from scratch and "import" the devices to the new controller—which ultimately involves grabbing SSH passwords from the old Controller and copy/pasting them into the new one.

Then I’ve had weird issues with firmware upgrades and whatnot.

A few days ago I got a prompt to upgrade the controller software. I clicked on it and it downloaded the .deb installer to my desktop. Great, but that’s not where I’m running it (maybe you can download it to the server? I have plenty of software that knows how to do that.) Anyway, I move it over to the server and run the installer. The first thing it asks is "did you do a backup"? I wanted to check that the automated backup worked, so I said no and exited out. The Controller then died and wouldn’t restart. Again to the forums and people are like "Yeah, that doesn’t work"—the installer has already removed files when it asks that question, and doesn’t restore them if you say "no". I had to finish the upgrade (which went fine) to find out if I had done a backup or not.

So to hear they had a major breach like this didn’t surprise me after my first few weeks with the software. Having said that it’s pretty neat and powerful, but it is so brittle if anything goes wrong. We wouldn’t accept this from Cisco, Extreme, or any "real" enterprise networking vendor. I guess I’m still looking for the "prosumer" networking equipment of my dreams.

Same here. Because of that I keep a Windows virtual machine dedicated exclusively to manage my home APs.

Spent over $2500 late last year on Ubiquiti gear to completely overhaul my home network. I chose them based on their "stellar" reputation for being a pro-sumer friendly option. I have had nothing but problems (like many other members, just check their forums). That reputation is now completely shot, and I wouldn’t recommend Ubiquiti to anyone I know. They don’t offer many features that you can’t find on a high-end consumer router nowadays, and they are wildly inconsistent and buggy. I agree with the above comment on the fragility of the software under the slick UI. Now to find out that they have poor security practices and are lying to their consumers? Despicable. We certainly wouldn’t expect this from Cisco etc. Ubiquiti, get it together! Just make great hardware and software and don’t require us to connect everything to your (laughably insecure) cloud!

View All Comments
Back to top ↑