Ubiquiti hack was much more serious than company reported, according to whistleblower

The break-in to servers from networking equipment manufacturer Ubiquiti was much more serious than the company made out, according to a KrebsOnSecurity source. According to him, the criminals had administrator rights on the servers at AWS.

Ubiquiti reported “a possible hack at a third-party cloud provider” in January and advised customers to change their passwords as a precaution, but according to a security expert involved in investigating the hack, the announcement did not reflect the seriousness of the matter. He reports this anonymously to KrebsOnSecurity and has reported this in a letter to the European privacy regulator European Data Protection Supervisor.

The whistleblower calls the hack “catastrophic” and according to him Ubiquiti deliberately concealed the impact: “The hack was huge, customer data was at risk and there was a risk of access to customer devices at companies and households.” According to the man, the criminals had read and write access to the Ubiquiti servers at Amazon Web Services via backdoors.

This allowed them to access secret data for single sign-on cookies and keys, IT employee credentials, and ultimately Ubiquiti AWS accounts, application logs, source code, databases and user credentials. The access allowed the criminals to authenticate large numbers of cloud-enabled devices worldwide, according to the security researcher.

The hack was already noticed in December last year after the discovery of Linux VMs set up by the criminals and the installation of a backdoor. The criminals then announced that they would demand 50 bitcoins, currently converted almost two and a half million euros, and in return they would keep their break-in secret and provide details about a second backdoor. Ubiquiti did not comment on that. Security researchers then discovered the second backdoor themselves.

According to the whistleblower, Ubiquiti should have reset all customer passwords as a precaution, also because the impact was unclear due to faulty logging of who had access to the databases. KrebsOnSecurity recommends that users do so. The security researcher also states that it is a good idea to delete profiles, update the firmware and create new profiles with new credentials.