What is Going on with Ubiquiti? Alleged Data Breach Cover-Up

Multiple reports are coming in suggesting that Ubiquiti, a producer of cloud-enabled Internet of Things (IoT) devices including routers and security cameras, potentially covered up or downplayed a severe data breach. 

A recent article from KrebsonSecurity.com shares the full story. To summarize, on January 11 Ubiquiti disclosed unauthorized access to certain networks hosted by an unnamed third-party cloud provider. It encouraged users to change their passwords and deploy multifactor authentication. In that original message, Ubiquiti claimed it had no evidence of user data being exposed, but did not rule out the possibility.

However, Brian Krebs from KrebsonSecurity.com reports being contacted by an individual claiming to have participated in the Ubiquiti breach response. This individual, referred to as “Adam” to protect their identity, claimed the actual extent of the breach was “catastrophic,” and that Ubiquiti had downplayed its severity in its original disclosure. Further, according to Adam, the implication that the breach occurred because of the third-party cloud provider was a lie.

The whistleblower contacted KrebsonSecurity.com after contacting the company’s own whistleblower hotline and European data protection agencies. 

Adam claims that the attackers gained administrative access to Ubiquiti’s servers hosted by Amazon, which requires the cloud tenant to secure its own data access. According to the whistleblower, “they were able to get cryptographic secrets for Single Sign-On cookies and remote access, full source code control contents, and signing keys exfiltration.”

How did the attackers gain these privileged credentials? Apparently, the company left root administrator logins in a password vault, which the attackers accessed. 

Ubiquiti Response Raises More Questions

In the wake of these new allegations, Ubiquiti released a statement. Unfortunately, cybersecurity experts and observers agreed the statement leaves much to be desired and perhaps raises further questions. 

The statement, which can be read in full here, does not actually deny the allegations by Adam. Additionally, it drops all mention of a “third-party cloud provider” as being responsible for the breach.

Moreover, according to the company, a team of external incident response experts “identified no evidence that customer information was accessed, or even targeted. The attacker, who unsuccessfully attempted to extort the company by threatening to release stolen source code and specific IT credentials, never claimed to have accessed any customer information.”

At the same time, Adam alleges to KrebsonSecurity.com that the company can make this claim because it “failed to keep records of which accounts were accessing that data.”

“Ubiquiti had negligent logging (no access logging on databases) so it was unable to prove or disprove what they accessed, but the attacker targeted the credentials to the databases, and created Linux instances with networking connectivity to said databases. Legal overrode the repeated requests to force rotation of all customer credentials, and to revert any device access permission changes within the relevant period.”
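The quote above describes two gaps: no access logging on the databases, so nobody could say which accounts had touched the data, and privileged credentials used from freshly created Linux hosts with a network path to those databases. The script below is an added example written for this article, not code from Ubiquiti or from the report; the log format, database names, hosts, account names and the allowlist are all constructed. It builds the “who accessed what, from where” record that an incident responder needs, and flags the pattern the quote describes: a privileged account reaching a database from a host outside the expected set, without MFA, pulling a bulk result. The findings are review signals, not proof of compromise.

```python
"""Per-database access auditing of the kind the quote above says was missing.

Added example for this article; not Ubiquiti's code or the article's.
Log format, database names, hosts, accounts and the allowlist are constructed.
"""
import json
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample access log, one JSON record per line. The two records
# from "tmp-linux-a" model a privileged account connecting from a newly
# created host that is not one of the expected application or bastion hosts.
SAMPLE_LOG = """\
{"ts": "2021-01-03T10:01:00Z", "db": "customers", "account": "svc-billing", "src_host": "app-07", "action": "SELECT", "rows": 120, "mfa": true}
{"ts": "2021-01-03T10:05:00Z", "db": "customers", "account": "root", "src_host": "bastion-01", "action": "SELECT", "rows": 3, "mfa": true}
{"ts": "2021-01-04T02:13:00Z", "db": "customers", "account": "root", "src_host": "tmp-linux-a", "action": "SELECT", "rows": 9800000, "mfa": false}
{"ts": "2021-01-04T02:20:00Z", "db": "devices", "account": "root", "src_host": "tmp-linux-a", "action": "UPDATE", "rows": 41000, "mfa": false}
{"ts": "2021-01-04T09:00:00Z", "db": "devices", "account": "svc-provisioning", "src_host": "app-09", "action": "INSERT", "rows": 7, "mfa": true}
"""

# Hosts expected to connect to each database (constructed allowlist).
ALLOWED_SOURCES = {
    "customers": {"app-07", "app-08", "bastion-01"},
    "devices": {"app-09", "bastion-01"},
}
PRIVILEGED_ACCOUNTS = {"root"}
BULK_ROW_THRESHOLD = 100_000  # rows touched by one statement that warrant review


@dataclass(frozen=True)
class Finding:
    ts: str
    db: str
    account: str
    src_host: str
    reason: str


def parse_log(text: str) -> list[dict]:
    """Parse the newline-delimited JSON access log."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def access_summary(records: list[dict]) -> dict[tuple[str, str], list[str]]:
    """Which accounts touched which database, and from which hosts.

    This is the record needed to prove or disprove access after the fact;
    without access logging on the database it cannot be produced.
    """
    hosts = defaultdict(set)
    for r in records:
        hosts[(r["db"], r["account"])].add(r["src_host"])
    return {key: sorted(v) for key, v in hosts.items()}


def _finding(r: dict, reason: str) -> Finding:
    return Finding(r["ts"], r["db"], r["account"], r["src_host"], reason)


def find_anomalies(records: list[dict]) -> list[Finding]:
    """Flag the access that a review of privileged use should look at first."""
    findings = []
    for r in records:
        if r["src_host"] not in ALLOWED_SOURCES.get(r["db"], set()):
            findings.append(_finding(r, "source host is not in the allowlist for this database"))
        if r["account"] in PRIVILEGED_ACCOUNTS and not r["mfa"]:
            findings.append(_finding(r, "privileged account used without MFA"))
        if r["rows"] >= BULK_ROW_THRESHOLD:
            findings.append(_finding(r, f"bulk access: {r['rows']} rows in one statement"))
    return findings


def accounts_to_review(findings: list[Finding]) -> set[str]:
    """Accounts appearing in any finding: candidates for credential rotation."""
    return {f.account for f in findings}


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for (db, account), hosts in sorted(access_summary(recs).items()):
        print(f"{db:10} {account:18} from {', '.join(hosts)}")
    for f in find_anomalies(recs):
        print(f"[{f.ts}] {f.account}@{f.src_host} -> {f.db}: {f.reason}")
    print("review:", sorted(accounts_to_review(find_anomalies(recs))))
```

The allowlist check is the part that matters most here: a compute instance created by an attacker is, by definition, not in the set of hosts that should be talking to the database, so a per-database source-host check catches it even when the account and credentials used are legitimate. Real deployments would feed database-native audit logs into this rather than a hand-built JSON file.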

You can read the full report by KrebsonSecurity.com here. Additional reporting by the Verge can be read here. 

Independent Commentary

We reached out to our field of commentators and cybersecurity experts for new perspectives on this alleged cover-up and downplayed breach severity. Robert Meyers, Channel Solutions Architect at One Identity, shares the following: 

“When a major IoT provider has a breach, it reaches across industries and brings up questions of privacy and security. Well, it happened. While Ubiquiti was breached in January, details that have come to light this week highlight the importance of what can happen when you do not manage three areas with the concept of both privacy and security: privileged access management, log management, and least privileged access.

Here are some observations and recommendations:

Today if you have privileged accounts, they simply need to be managed like privileged accounts. They need to have multiple layers of security. They need to have auditing, which happens in real-time for at least the basics. Access for privileged use has to be restricted to the minimum access required to do the job; yes, that touches on least privilege, which goes hand in hand. If you don’t manage your privileged accounts in business, then you are ignoring security.

Now if log management was a control point, it could have been caught quicker, and if the logs were managed, they would allow a live track down of who did the deed, instead of the waffling we have seen.

And least privilege. Companies need to stop making universal access accounts. You can only breach what you can access. So don’t give people access to what may be tens of millions of accounts…and whatever else those files included.

In the world of privacy laws and compliance requirements, you need a data lifecycle for all your data. It should cover creation, use, storage, and deletion. And all this should include pseudonymization of the data when it cannot be anonymized, in addition to encryption and general security.

It’s time to get with the times and not be stuck announcing breaches, let alone for details needing to rely on a whistleblower that speaks on the condition of anonymity for fear of retribution. Secure your company, and be able to stand up tall and say what your company has done for its customers.”

Thanks to Robert for his time and expertise. Be sure to learn more in our Privileged Access Management Buyer’s Guide or through the Solutions Suggestion Engine.


Ben Canner