It’s always intriguing when someone gets caught with their pants down and then tries their hardest to convince you that the pants are just drooping a tiny bit and they’re still well-covered. It insults everyone’s intelligence and ensures that, whatever you thought of them before, now you’ve got SERIOUS doubts about them.
Well, Ubiquiti’s pants are down, exposing not only their own rear-ends, but also those of their many customers.
At first Ubiquiti tried the droopy jeans act, then reverted to lawyer-speak after being called on their intentional misrepresentations by a whistleblower. The whistleblower appears to be someone on the incident response team who wasn’t at all impressed with the way Ubiquiti tried to downplay both the severity of the breach and the matter of who was responsible.
There’s a lot to question about statements like “we have no evidence that customer information was accessed, or even targeted”. If you don’t rigorously log which accounts access which data, you can honestly state that you have no evidence of it being accessed, even if it was: absence of evidence only means something if you were collecting evidence in the first place. That, according to the whistleblower, is the situation Ubiquiti is in with this data breach. They can claim ignorance of data access because they are in fact completely ignorant about what was actually accessed.
Furthermore, Ubiquiti also understated how damaging this breach was. The data the attackers could reach reportedly would have allowed them to log into Ubiquiti devices owned and operated by Ubiquiti’s customers – in other words, into customer networks. This isn’t just about some usernames and passwords that only affect a Ubiquiti website. This is a breach that exposed networks belonging to a variety of organizations all around the globe.
I couldn’t help but notice Ubiquiti’s claim that the hacker was apparently someone very familiar with their cloud infrastructure. But their cloud infrastructure is AWS. That means that description probably easily fits tens of thousands of people, if not hundreds of thousands. The statement is designed to make it sound like their data wasn’t really as easily exploitable as it was, but AWS isn’t exactly an unknown entity in the world of computers.
Unless you can catch a hacker or group of hackers in the act, poking around on your network and visibly changing things, reconstructing what happened is usually a matter of digging through lots and lots of log files. This means that first you have to log things like network access, file access, modifications to files, file transfers, etc, etc, and then you have to make sure your logs can’t be deleted or edited easily by the hackers. That’s more easily said than done when they’re already tromping around your filesystem: in practice it means shipping each log record off the host to storage the compromised machine can only append to, as the record is written, and keeping enough integrity information that a missing or altered record stands out later.
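One way to make a log tamper-evident, as an added example that is not from the original post and has nothing to do with Ubiquiti’s actual systems: each record stores the hash of the record before it, so removing, reordering or editing a record breaks the chain at that point. The event records below are constructed for illustration. Truncating the tail of the chain is the one edit this cannot catch on its own, which is why the verifier optionally takes the last hash as seen by a separate system (the assumption here is that you periodically copy that tip hash somewhere the attacker cannot reach).

```python
import hashlib
import json
from typing import Optional

# Constructed sample events for the demo; these are not real log data.
SAMPLE_EVENTS = [
    {"ts": "2021-01-02T03:04:05Z", "event": "db_connect", "user": "svc_portal", "src": "10.0.1.15"},
    {"ts": "2021-01-02T03:04:09Z", "event": "file_read", "user": "svc_portal", "path": "/var/lib/app/export.csv"},
    {"ts": "2021-01-02T03:05:00Z", "event": "db_connect", "user": "admin", "src": "198.51.100.23"},
    {"ts": "2021-01-02T03:05:30Z", "event": "file_transfer", "user": "admin", "dst": "198.51.100.23"},
]

# Hash that the first record chains to.
GENESIS = "0" * 64


def _digest(prev_hash: str, payload: str) -> str:
    """SHA-256 over the previous record's hash and this record's payload."""
    return hashlib.sha256((prev_hash + "\n" + payload).encode()).hexdigest()


def append_event(chain: list, event: dict) -> dict:
    """Append one event, binding it to the hash of the record before it."""
    prev_hash = chain[-1]["hash"] if chain else GENESIS
    # Canonical JSON so the same event always hashes the same way.
    payload = json.dumps(event, sort_keys=True, separators=(",", ":"))
    record = {"prev": prev_hash, "payload": payload, "hash": _digest(prev_hash, payload)}
    chain.append(record)
    return record


def build_chain(events) -> list:
    chain = []
    for event in events:
        append_event(chain, event)
    return chain


def verify_chain(chain: list, expected_tip: Optional[str] = None) -> Optional[int]:
    """Return the index of the first record that fails verification, or None
    if the chain is intact.

    Recomputing each hash (rather than only comparing stored `prev` links)
    catches an edited payload whose stale hash the next record still points at.
    A chain that was simply cut short still verifies unless `expected_tip`,
    the last hash as recorded off-host, is supplied; a mismatch is reported
    at index len(chain).
    """
    prev_hash = GENESIS
    for i, rec in enumerate(chain):
        if rec["prev"] != prev_hash or rec["hash"] != _digest(prev_hash, rec["payload"]):
            return i
        prev_hash = rec["hash"]
    if expected_tip is not None and prev_hash != expected_tip:
        return len(chain)
    return None


if __name__ == "__main__":
    chain = build_chain(SAMPLE_EVENTS)
    tip = chain[-1]["hash"]
    print("intact chain:", verify_chain(chain, expected_tip=tip))
    print("record 1 deleted:", verify_chain(chain[:1] + chain[2:]))
    edited = chain[:2] + [dict(chain[2], payload=chain[2]["payload"].replace("admin", "nobody"))] + chain[3:]
    print("record 2 edited:", verify_chain(edited))
    print("tail truncated, no tip:", verify_chain(chain[:3]))
    print("tail truncated, with tip:", verify_chain(chain[:3], expected_tip=tip))
```

The chain proves that what you still have is what was written, in the order it was written; it does not stop an attacker with root from deleting the whole file, so it complements off-host shipping rather than replacing it.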
In the case of Ubiquiti, the hackers got credentials to their database servers hosted on AWS, and then set up some Linux boxes that connected to those databases. That activity could have been easily detectable if Ubiquiti had been logging database connections adequately and had automated checking of those logs for unusual activity, such as a previously unseen source IP address suddenly connecting to the database, or an account that had never connected before showing up.
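The kind of check described above, as an added example that is not from the original post and does not reflect Ubiquiti’s real logging: build a baseline of which source addresses each database account normally connects from, then alert on any connection from an address that account has never used, and on any account not seen at all during the baseline period. The log format and the lines themselves are constructed for the demo (the `db=... user=... src=... result=...` layout is an assumption, not any particular database’s native format); a real deployment would feed it the connection log of whatever database engine is in use.

```python
import re
from collections import defaultdict

# Assumed key=value connection-log layout for the demo.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) db=(?P<db>\S+) user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>\S+)$"
)

# Constructed sample lines: the baseline window, showing normal activity.
BASELINE_LOGS = """\
2021-01-02T03:04:05Z db=customers user=svc_portal src=10.0.1.15 result=ok
2021-01-02T03:10:11Z db=customers user=svc_portal src=10.0.1.16 result=ok
2021-01-02T04:00:00Z db=customers user=dba_ops src=10.0.9.2 result=ok
2021-01-02T05:30:00Z db=customers user=svc_portal src=10.0.1.15 result=ok
""".splitlines()

# Constructed sample lines: the window under review. Two new hosts in a
# different subnet start using an existing account and one unknown account.
RECENT_LOGS = """\
2021-01-03T02:00:00Z db=customers user=svc_portal src=10.0.1.15 result=ok
2021-01-03T02:15:00Z db=customers user=dba_ops src=172.31.44.8 result=ok
2021-01-03T02:16:00Z db=customers user=dba_ops src=172.31.44.8 result=ok
2021-01-03T02:20:00Z db=customers user=root src=172.31.44.9 result=ok
2021-01-03T02:21:00Z db=customers user=root src=172.31.44.9 result=failed
""".splitlines()


def parse(line: str):
    """Return the fields of one log line as a dict, or None if it does not match."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def build_baseline(lines) -> dict:
    """Map each account to the set of source IPs it successfully connected from."""
    baseline = defaultdict(set)
    for rec in map(parse, lines):
        if rec and rec["result"] == "ok":
            baseline[rec["user"]].add(rec["src"])
    return baseline


def detect_new_sources(baseline: dict, lines) -> list:
    """Flag connections from (account, source IP) pairs not present in the baseline.

    Failed attempts are included: a new host failing to log in as a privileged
    account is exactly what you want to see. Each (user, src) pair is reported
    once so a persistent attacker produces one alert, not one per query.
    """
    alerts = []
    reported = set()
    for rec in map(parse, lines):
        if rec is None:
            continue
        key = (rec["user"], rec["src"])
        if key in reported:
            continue
        if rec["user"] not in baseline:
            reason = "unknown_account"
        elif rec["src"] not in baseline[rec["user"]]:
            reason = "new_source_ip"
        else:
            continue
        reported.add(key)
        alerts.append({**rec, "reason": reason})
    return alerts


if __name__ == "__main__":
    for alert in detect_new_sources(build_baseline(BASELINE_LOGS), RECENT_LOGS):
        print(f'{alert["ts"]} {alert["reason"]}: user={alert["user"]} src={alert["src"]}')
```

A baseline keyed on account and source address is deliberately simple; it is enough to catch the scenario in the text (fresh hosts connecting with stolen credentials), and it also surfaces the first time a privileged account is used from anywhere new, which is worth a human look whether or not it turns out to be an attack.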
It’s really bad when anyone makes rookie mistakes like not logging anything, so that they can’t even assess the damage accurately once they are hacked, but a company like Ubiquiti, which is in the business of selling networking solutions that it holds remote-access credentials to, needs to take security very seriously. Both their lack of network security measures and their inadequate response to their customers show that Ubiquiti did not do so at all.
I am on Twitter if you want to talk about anything I’ve posted here or to block me when I tell you I like the rain in Portland.