A whistleblower said the company played down a “catastrophic” incident
Ubiquiti, a company whose consumer-level routers have become synonymous with security and manageability, is being accused of covering up a “catastrophic” security breach – and after 24 hours of silence, the company has now issued a statement that does not deny any of the whistleblower’s claims.
Ubiquiti originally emailed its customers on January 11 about an alleged security breach at a “third-party cloud provider,” but the cybersecurity news site KrebsOnSecurity is now reporting that the breach was far worse than Ubiquiti let on. A company whistleblower who spoke to Krebs claimed that Ubiquiti itself was breached and that the company’s legal team hindered efforts to accurately report the danger to customers.
Krebs’ report is worth reading for the full claims, but the bottom line is that hackers gained full access to the company’s AWS servers – since Ubiquiti reportedly left root administrator credentials in a LastPass account – and could have reached any Ubiquiti network equipment that customers had set up to be managed through the company’s cloud service (which is now apparently required on some of the company’s newer hardware).
“They were able to obtain cryptographic secrets for single sign-on and remote access cookies, complete source code control content and exfiltration of signature keys,” the source told Krebs.
When Ubiquiti finally issued a statement tonight, it was not reassuring – it is woefully insufficient. The company reiterated its position that there was no evidence to indicate that any user data was accessed or stolen. But, as Krebs points out, the whistleblower explicitly stated that the company does not keep the records that would serve as evidence of who did or did not access the hacked servers. Ubiquiti’s statement also confirms that the hacker tried to extort money, but it does not address the cover-up allegations. You can read the full statement below.
As we reported on January 11, we were the victims of a cybersecurity incident that involved unauthorized access to our IT systems. Based on Brian Krebs’ account, there is newfound interest and attention in this matter and we would like to provide more information to our community.
At the outset, please note that nothing has changed regarding our analysis of customer data and the safety of our products since our notification on January 11th. In response to this incident, we used external incident response specialists to conduct a thorough investigation to ensure the attacker has been blocked from our systems.
These experts did not identify any evidence that customer information was accessed, or even targeted. The attacker, who unsuccessfully tried to extort the company by threatening to release stolen source code and specific IT credentials, never claimed to have accessed any customer information. This, along with other evidence, is the reason why we believe that customer data was not the target, or otherwise accessed in connection with the incident.
At this point, we have well-developed evidence that the perpetrator is an individual with complex knowledge of our cloud infrastructure. As we are cooperating with law enforcement authorities in an ongoing investigation, we cannot comment further.
Having said all that, as a precaution, we still encourage you to change your password, if you have not already done so, including on any website where you use the same user ID or password. We also encourage you to enable two-factor authentication on your Ubiquiti accounts, if you have not already done so.
The other thing you will notice is that Ubiquiti is no longer attributing this to an “outsourced cloud provider.” The company admits that its own IT systems were accessed. But it doesn’t address much more, and the fact that the statement confirms part of what the whistleblower said while leaving the most concerning parts unaddressed (for example, the alleged cover-up, the lack of records, the inadequate security practices, etc.) leaves me with no resolution. It bothers me as an owner of Ubiquiti equipment.
The company’s network equipment is (or was) trusted by many technical users, including me, because it promised complete control over a home or small-business network without the worries that come with cloud-based solutions.
Throughout this process, Ubiquiti has failed to communicate properly with its customers. Its failure to deny the allegations, and its indication that they may be true, suggests that the original email was, at the very least, an insufficient warning. It encouraged users to change their passwords – according to Krebs, a more appropriate response would have been to immediately lock all accounts and require a password reset. Even today, the company is simply encouraging users to change their passwords and enable two-factor authentication.