Ubiquiti Cloud Devices Compromised


https://krebsonsecurity.com/2021/03/whistleblower-ubiquiti-breach-catastrophic/

 

“It was catastrophically worse than reported, and legal silenced and overruled efforts to decisively protect customers,” Adam wrote in a letter to the European Data Protection Supervisor. “The breach was massive, customer data was at risk, access to customers’ devices deployed in corporations and homes around the world was at risk.”

7 minutes ago, AudioDoctor said:

As a home user, how bad is this? I took steps to change passwords, and I always use 2FA if it's available.

 

It's bad enough that Ubiquiti has seemingly tried to cover it up, and reading between the lines, they don't have a grasp on the breadth or depth of the attack.

 

It's scary because this means that Ubiquiti failed to protect their private signing keys. It's why I push my customers to pay for their own SSL and not rely on vendor built-in keys. Then roll our own root CA server and 100% air gap it and just rely on secondaries.

 

If you aren't using their Cloud you are fine.


In case anyone's wondering, Ubiquiti Edge and UniFi routers and access points do not require use of cloud servers or registration on Ubiquiti's website.

 

Although Ubiquiti's marketing encourages you to buy a Cloud Key device to configure a UniFi network, they actually have a free UniFi desktop program that does the same thing without accessing Ubiquiti's servers. (Edge routers and switches don't use a desktop program. Like most routers, their configuration GUI is built in as an HTTP server you access from a browser on the local network.)

 

I'm not defending Ubiquiti by any means, nor do I know enough about networking to recommend one brand over another, but I thought potential Ubiquiti buyers might appreciate this information.

HQPlayer (on 3.8 GHz 8-core i7 iMac 2020) > NAA (on 2012 Mac Mini i7) > RME ADI-2 v2 > Benchmark AHB-2 > Thiel 3.7

On 4/1/2021 at 10:25 AM, plissken said:

It's scary because this means that Ubiquiti failed to protect their private signing keys. It's why I push my customers to pay for their own SSL and not rely on vendor built-in keys. Then roll our own root CA server and 100% air gap it and just rely on secondaries.

 

I don't see how having your own SSL is relevant here. Even if you host your own controller, deploy your own SSL certificate, you'd be affected if it's hooked up to their cloud services (which it usually is as it is now mandatory to have a cloud account attached to your devices).

 

PS: Acting as your own root CA server sounds like a terrible idea. These root certificates aren't going to be shipped by any reasonable vendor (unless you're Microsoft or of similar size). That only leaves you with manually adding your own root certificate to your devices. This is most commonly done by people who don't have your best interests at heart. Instead, just get your own certificate signed by a root CA and use that certificate to subsequently sub-sign the other certificates you intend to roll out.

5 hours ago, Nepherte said:

I don't see how having your own SSL is relevant here. Even if you host your own controller, deploy your own SSL certificate, you'd be affected if it's hooked up to their cloud services (which it usually is as it is now mandatory to have a cloud account attached to your devices).

 

Many cloud services allow you to use your own SSL cert. Unsure of Ubiquiti. The issue with using your service provider's certs is that everyone gets affected.

5 hours ago, Nepherte said:

Acting as your own root CA server sounds like a terrible idea

 

I've rolled out Root and Subordinate CAs since 2003. You have to air gap your root CA. Most situations call for getting a cert from a provider. Some don't.

 

Any time I've been on a contract with FIPS requirements, we've designed an in-house CA architecture.

5 hours ago, Nepherte said:

Even if you host your own controller, deploy your own SSL certificate, you'd be affected if it's hooked up to their cloud services (which it usually is as it is now mandatory to have a cloud account attached to your devices).

 

That 100% depends on the provider. This is the risk of cloud services if they aren't enterprise enough.


Again, the Ubiquiti hack has nothing to do with SSL. Your passwords may have been compromised, including the private key on which your 2FA code is based, because hackers somehow breached the cloud infrastructure. Even if you did deploy your own SSL certificate, a hacker can just use the breached password and 2FA token.
 

Well then, you might say: just disable the cloud service and remote access and completely air gap everything. Sorry, but on recent devices (such as the UDM), that is impossible. A cloud account and remote access are mandatory and cannot be disabled.

38 minutes ago, Nepherte said:

Again, the Ubiquiti hack has nothing to do with SSL

We are off on a tangent. I just wanted to point out that there was a breach and that any company relying on a third-party cloud solution should understand how that third party works.

 

Ubiquiti hosts on AWS and a LastPass account was compromised, possibly due to a social engineering hack(?), and someone had keys to the kingdom.

 

This reminds me of some organized crime syndicate using a secure email service in Canada and using that service's SSL keys. Come subpoena time, the service just used its own keys to decrypt the emails for the courts.


Users should know that not only do you need to change your Ubiquiti account password, you also need to disable two-factor authentication and re-enable it again. Also create new backup keys.
 

Also, if you don't need remote access, disable it.
 

On top of many, many firmware issues, Ubiquiti has lost a lot of consumer confidence lately!

14 hours ago, Nepherte said:

on recent devices (such as the UDM), that is impossible. A cloud account and remote access are mandatory and cannot be disabled.

 

Conflating "recent" with UDM is misleading. Edge, UniFi and UDM are product ranges distinguished by intended user (pro, semi-pro and consumer, respectively), not by newness. The UniFi and Edge routers, switches and access points do not require a cloud account or remote access, as I stated above.

 

(In fact, the Edge Routers had a significant firmware update 4 months ago and a dnsmasq security update 2 months ago. They did not impose a cloud account requirement, and they turn off by default phoning home with usage statistics.)

 

The branding waters are muddied by UniFi Protect video cameras and UniFi Access door locks, which probably do require a cloud account, but I'm not sure.

1 hour ago, Bob Stern said:

Conflating "recent" with UDM is misleading. Edge, UniFi and UDM are product ranges distinguished by intended user (pro, semi-pro and consumer, respectively), not by newness. The UniFi and Edge routers, switches and access points do not require a cloud account or remote access, as I stated above.

I agree that the term "recent" is somewhat misleading. I've since specified which devices I know require a cloud account.
