Ubiquiti, a company whose prosumer-quality routers have become synonymous with security and manageability, has been accused of covering up a ‘catastrophic’ security breach – and after 24 hours of silence, the company has now issued a statement that does not deny any of the whistleblower’s claims.
Originally, Ubiquiti emailed its customers on Jan. 11 about a supposedly minor security breach at a “third-party cloud provider,” but the cybersecurity news site KrebsOnSecurity reports that the breach was actually much worse than Ubiquiti let on. A company whistleblower who spoke to Krebs claimed that Ubiquiti itself had been breached and that the company’s legal team had blocked attempts to accurately report the danger to customers.
It’s worth reading Krebs’ report to see the full allegations, but the summary is that the hackers gained full access to the company’s AWS servers – Ubiquiti allegedly left root administrator credentials in a LastPass account – and could therefore have reached all of the Ubiquiti network equipment that customers had set up to manage through the company’s cloud service (which now appears to be required on some of the company’s new hardware).
“They were able to get cryptographic secrets for single sign-on and remote access cookies, full content from source code control and exfiltration of signing keys,” the source told Krebs.
When Ubiquiti finally issued a statement tonight, it was not reassuring – it was hugely inadequate. The company reiterated its position that it had no evidence that user data had been accessed or stolen. But as Krebs points out, the whistleblower stated explicitly that the company does not keep the logs that would serve as evidence of who has or has not accessed the hacked servers. Ubiquiti’s statement also confirms that the hacker tried to extort it for money, but does not address the allegations of a cover-up. You can read the full statement below.
As we informed you on January 11, we were the victim of a cybersecurity incident involving unauthorized access to our IT systems. Given Brian Krebs’s coverage, there is renewed interest and attention in this issue, and we are eager to provide more information to our community.
At the outset, please note that nothing has changed with regard to our analysis of customer data and the security of our products since our notification on January 11. In response to this incident, we engaged external incident response experts to conduct a thorough investigation to ensure that the attacker has been locked out of our systems.
These experts found no evidence that customer information was accessed, or even targeted. The attacker, who unsuccessfully tried to extort the company by threatening to release stolen source code and specific IT credentials, never claimed to have had access to customer data. This, along with other evidence, is why we believe that customer data was not targeted or otherwise accessed in connection with the incident.
At this point, we have well-developed evidence that the culprit is a person with intricate knowledge of our cloud infrastructure. As we are working with law enforcement officials in an ongoing investigation, we cannot comment further.
Having said all that, as a precaution, we still recommend that you change your password if you have not already done so, including on any website where you use the same user ID or password. We also recommend that you enable two-factor authentication on your Ubiquiti accounts if you haven’t already.
The other thing to note is that Ubiquiti no longer attributes this to an “external cloud provider”. The company now admits that the attacker had access to its own IT systems. But the statement doesn’t go much further than that, and the fact that it confirms some of what the whistleblower said while not addressing the most troubling parts (e.g., the alleged cover-up, the lack of logs, the poor security practices) makes me feel uncomfortable as a Ubiquiti owner.
The company’s networking equipment is (or has been) trusted by many techies, myself included, because it promised complete control over your home or small business network without the worries that come with cloud-based solutions.
Throughout this process, Ubiquiti has failed to communicate properly with its customers. The fact that it does not deny the allegations, and indicates that they may be true, suggests that the original email was at the very least an insufficient warning. It encouraged users to change their passwords – according to Krebs, a more appropriate response would have been to immediately lock all accounts and require a password reset. Even today, the company merely encourages users to change their passwords and enable two-factor authentication.