Ubiquiti massive data breach 'catastrophically worse' than reported, says whistleblower

Hackers potentially gained access to sensitive Ubiquiti user data

The whistleblower is a Ubiquiti security professional who helped the company respond to the two-month hack. The anonymous employee spoke to Krebs on Security after his concerns fell on deaf ears with Ubiquiti's whistleblower hotline and European data protection authorities.

In a public notice Ubiquiti released on January 11, the router maker had said it "became aware of unauthorized access to certain of our information technology systems hosted by a third party cloud provider." It continued, "We are not currently aware of evidence of access to any databases that host user data, but we cannot be certain that user data has not been exposed."

The letter said that Ubiquiti "had no indication that there has been unauthorized activity with respect to any user's account." However, according to the security expert, that statement was deliberately misleading and didn't come close to fully capturing the severity of the hack.

The attackers allegedly obtained full read/write access to Ubiquiti's databases at Amazon Web Services (AWS), the third party the initial response blamed.

The whistleblower says Ubiquiti's January statement about the hack was "downplayed and purposefully written to imply that a third-party cloud vendor was at risk and that Ubiquiti was merely a casualty of that, instead of the target of the attack."

"It was catastrophically worse than reported, and [Ubiquiti's] legal [department] silenced and overruled efforts to decisively protect customers," the anonymous employee wrote in a letter to the European Data Protection Supervisor. "The breach was massive, customer data was at risk, access to customers' devices deployed in corporations and homes around the world was at risk."

The informant says the attackers allegedly gained access to Ubiquiti's servers at AWS after using stolen credentials stored in a Ubiquiti employee's LastPass account. The attackers then gained "root administrator access to all Ubiquiti AWS accounts, including all S3 data buckets, all application logs, all databases, all user database credentials, and secrets required to forge single sign-on (SSO) cookies."

The level of access the intruders gained would have allowed the attackers to authenticate Ubiquiti cloud-based devices remotely.

After Ubiquiti's security team identified one backdoor that the intruders were using, the hackers contacted them, demanding a ransom of 50 bitcoin ($2.8 million) to keep quiet about the hack. Ubiquiti did not respond.

The company eventually found the second backdoor and began the process of securing employee credentials.

The company asked customers to change their passwords in a January 11 statement. However, the whistleblower believes Ubiquiti "should have immediately invalidated all of its customer's credentials and forced a reset on all accounts, mainly because the intruders already had credentials needed to remotely access customer IoT systems."

The whistleblower says the company's claim that it had no proof of customer data exposure was highly misleading. Ubiquiti doesn't keep data logs, so it could not know one way or the other what hackers had accessed.

"Ubiquiti had negligent logging (no access logging on databases) so it was unable to prove or disprove what they accessed, but the attacker targeted the credentials to the databases, and created Linux instances with networking connectivity to said databases," the informant says. "Legal overrode the repeated requests to force rotation of all customer credentials, and to revert any device access permission changes within the relevant period."

He says Amazon Web Services (AWS) was the alleged third party that the company initially blamed. Amazon's servers "secure the underlying server hardware and software but requires the cloud tenant (client) to secure access to any data stored there."

After the KrebsonSecurity report, Ubiquiti released a second statement that didn't deny the whistleblowers claims and appeared to backtrack on its initial blaming of a third party.

"At this point, we have well-developed evidence that the perpetrator is an individual with intricate knowledge of our cloud infrastructure," the statement said. "As we are cooperating with law enforcement in an ongoing investigation, we cannot comment further."

Ubiquiti has shipped more than 85 million devices. Countless users of Macs, iPads, and other Apple devices connect to Ubiquiti-make networking products. Anyone using Ubiquiti routers or other devices should immediately reset their Ubiquiti account passwords and update their networking products to the latest firmware.

Stay on top of all Apple news right from your HomePod. Say, "Hey, Siri, play AppleInsider," and you'll get latest AppleInsider Podcast. Or ask your HomePod mini for "AppleInsider Daily" instead and you'll hear a fast update direct from our news team. And, if you're interested in Apple-centric home automation, say "Hey, Siri, play HomeKit Insider," and you'll be listening to our newest specialized podcast in moments.