An anonymous whistleblower exposes Ubiquiti’s hacking incident as catastrophic and reveals that they attempted to cover it up, putting customers at risk.
On January 11, Ubiquiti Inc. reported a data breach and downplayed it, saying it involved a third-party cloud vendor. However, the IoT (internet of things) device vendor failed to disclose that the breach was far worse than they initially reported. The actual breach, which they hinted had exposed customer credentials, was actually much more serious, and experts believe they minimized the notification to protect their stock price.
The whistleblower is actually a security professional who aided Ubiquiti after the data breach in December 2020. He worked on the issue for two months and has first-hand experience and a full understanding of what occurred.
The man contacted KrebsOnSecurity and said,
“It was catastrophically worse than reported, and legal silenced and overruled efforts to decisively protect customers. The breach was massive; customer data was at risk, access to customers’ devices deployed in corporations and homes around the world was at risk.”
The security professional told KrebsOnSecurity that ‘the hackers obtained full read/write access to Ubiquiti databases at Amazon Web Services (AWS), which was the alleged “third party” involved in the breach. Ubiquiti’s breach disclosure, he wrote, was “downplayed and purposefully written to imply that a 3rd party cloud vendor was at risk and that Ubiquiti was merely a casualty of that, instead of the target of the attack.”’
How Has Ubiquiti Responded?
KrebsOnSecurity contacted Ubiquiti for a comment, and they have not yet responded.
On January 11, Ubiquiti posted a public notice regarding the incident but failed to name the third-party cloud vendor and downplayed the incident considerably. In it, they urged customers to change their passwords and turn on two-factor authentication. In fact, they explicitly deny that they have any knowledge of customer data exposed or stolen.
The whistleblower said that, in truth, the hackers had administrative control of the entire AWS server giving them everything they needed to access all customer and company data stored there.
“They were able to get cryptographic secrets for single sign-on cookies and remote access, full source code control contents, and signing keys exfiltration.”
“The attacker(s) had access to privileged credentials that were previously stored in the LastPass account of a Ubiquiti IT employee, and gained root administrator access to all Ubiquiti AWS accounts, including all S3 data buckets, all application logs, all databases, all user database credentials, and secrets required to forge single sign-on (SSO) cookies.”
The Scope of the Damage
Ubiquiti is responsible for more than 85 million IoT devices in 200 countries. With remote access capabilities and customer logins, that scope of risk is definitely catastrophic, as described by the security professional and whistleblower.
In December, the issue was discovered when they found someone using administrator access who had set up several Linux virtual machines, and they found a backdoor left in the system as well. After the security professionals removed it, the hackers sent them a message demanding $2.8 million in Bitcoin to keep quiet about the data breach. They provided proof that they had source code and could do an immense amount of damage with it.
Ubiquiti did not respond to the hackers, and their team of security professionals eventually found a second backdoor in the system. The company changed all internal credentials for employees, but instead of resetting customer accounts and forcing a password change, they simply notified customers to change their password the next time they logged in. That could keep a lot of customers at risk. Their legal department is the one who made the decision not to reset all accounts and to downplay the incident in the press.
Security experts urge all Ubiquiti customers to reset their passwords immediately, delete any profiles on the device, and update the firmware.