Slashdot is powered by your submissions, so send in your scoop

 



Forgot your password?
typodupeerror
×
Security Privacy Technology

Ubiquiti Tells Customers To Change Passwords After Security Breach (zdnet.com) 25

An anonymous reader quotes a report from ZDNet: Networking equipment and IoT device vendor Ubiquiti Networks has sent out today notification emails to its customers informing them of a recent security breach. "We recently became aware of unauthorized access to certain of our information technology systems hosted by a third party cloud provider," Ubiquiti said in emails today. The servers stored information pertaining to user profiles for account.ui.com, a web portal that Ubiquiti makes available to customers who bought one of its products. The site is used to manage devices from a remote location and as a help and support portal.

According to Ubiquiti, the intruder accessed servers that stored data on UI.com users, such as names, email addresses, and salted and hashed passwords. Home addresses and phone numbers may have also been exposed, but only if users decided to configure this information into the portal. How many Ubiquiti users are impacted and how the data breach occurred remains a mystery. It is currently unclear if the "unauthorized access" took place when a security researcher found the exposed data or was due to a malicious threat actor. Despite the bad news to its customers, Ubiquiti said that it had not seen any unauthorized access to customer accounts as a result of this incident. The company is now asking all users who receive the email to change their account passwords and turn on two-factor authentication.

This discussion has been archived. No new comments can be posted.

Ubiquiti Tells Customers To Change Passwords After Security Breach

Comments Filter:
  • by awwshit ( 6214476 ) on Monday January 11, 2021 @07:09PM (#60929750)

    Use unique passwords and skip the cloud integration. You'll be glad you did.

    • I have my mom's network setup on a cloud configuration. Makes remote access much easier. Not too worried if it were to get compromised. What would they do, change her Wifi password? Meh.

      • Just makes sure it uses a unique password and not the one that Mom uses for everything. Get Mom a proper router and setup a private VPN to access her cameras.

        • Cameras? It's WiFi. If someone is going to wardrive her wifi from the street using Ubiquiti credentials that they managed to crack good for them. Or they could just look in through a window and see the password written on the wall. But even then they would have to break though the firewalls to get onto any other device on the network.

      • I have my mom's network setup on a cloud configuration. Makes remote access much easier. Not too worried if it were to get compromised. What would they do, change her Wifi password? Meh.

        You can do that without a cloud account. But as you say, the stakes are low so it shouldn't keep you up at night.

    • Yeah... I’m a Ubiquiti customer. Unfortunately they force you to use some cloud features these days, partially to simplify things and expand their potential user base. Really stupid things, like their network video recorder requires cloud access to enable remote access. You can’t just put in the IP address of the system and manage your own VPN...

      They have managed to screw up a bunch of things that could improve security and instead now appear to have become a target.

      • I looked at their equipment once and concluded that it was dumb.

        In order to provide many of the features you have to have a server running at all times. They have a shitty little overpriced server which they will sell you, oh goodie. Why can't the devices handle this stuff themselves?

        • unifi-video? I have it running on my own hardware. No need for their NVR hardware. The cameras expose the RTSP stream directly if you don't hook them up to an NVR (ie, unmanaged).
        • by laffer1 ( 701823 )

          Unifi gear does need a controller, but they have an ISP line (edgerouter, etc) that does not require a controller. It's the same hardware platform, but different software. Being able to login to one app and control all of your hardware is convenient and the unifi controller can run on linux, freebsd, windows or macOS in addition to a physical one. You can just spin up a VM for it if you want. The hardware device they sell can be powered over POE from the switch.

      • by AmiMoJo ( 196126 )

        It's such a shame because their hardware is decent. If only it ran open source firmware.

        It actually hurts their business. Yi makes decent hardware and you can run open source firmware on them. I just wish there were more options for Hikvision because their hardware is top notch.

      • > You can’t just put in the IP address of the system and manage your own VPN...

        Hmm, I do exactly that. My Ubiquiti systems are not cloud connected. Though I do have a Ubiquiti account for support, I can't access any of my systems with it.

        • I’m specifically referring to the Unifi Protect line, their update to Unifi Video. More specifically, I have an issue with using an iPad or iPhone to connect remotely, although in theory you should be able to connect to one of the network video recorder’s streams with an RSTP app. The benefit of their app in this case is that I have better access to the recorded data which matters when the cameras do not have full coverage everywhere but do cover all entries and exits.

          The SSO password recover

          • Use Safari and connect to the Protect IP, just like you would on a PC.

            • Safari isn’t compatible for some reason with Protect (typical of Ubiquiti). I think I have a proper LetsEncrypt cert on it, but it is a known issue of Safari and RSTP or something.

  • by backslashdot ( 95548 ) on Monday January 11, 2021 @07:20PM (#60929808)

    The hack was ubiquitous throughout ubiquiti.

  • by fahrbot-bot ( 874524 ) on Monday January 11, 2021 @07:33PM (#60929880)

    The site is used to manage devices from a remote location and as a help and support portal.

    Ya, don't enable this kind of thing.

    • The site is used to manage devices from a remote location and as a help and support portal.

      Ya, don't enable this kind of thing.

      It's so you can provide support to a lot of small independent sites. Maybe you provide support to retail locations with guest wifi, or to small accounting firms with less than ten employees or something. It lets you manage things like QoS and the firewall and other items remotely. Statistically, they're probably much more secure than if they had to wait for someone to come on site or the person had to set up their own remote support/tunneling.

  • I have a random password on the account, but that does not mean I am comfortable.

    Ubiquiti has one of the best Linux based stuff out there. You can SSH to pretty much most of their devices, and they use a simple (xml?) based configuration system that is pushed from a central "cloud key" location.

    Previously I had pfSense based router, and individually configured switches and WiFi access points. Yes, Unifi made keeping all of them in sync and up to date very easy. There is a single UI for all of the network.

    Th

    • by thogard ( 43403 )

      One of the best? You have to be joking.
      The unifi controller has stuff like "do a backup before you update" yet after years of requests, they still haven't added a "backup now" button to their gui. Their new gui is all black but the old one has a light or dark mode in places so it alternates between white backgrounds and black depending on the pages and parts often only works on a specific versions of chrome. Their app wasn't complete enough to tell the controller or USG to do basic network diagnostics.

    • Re:Random password (Score:4, Interesting)

      by MeNeXT ( 200840 ) on Monday January 11, 2021 @09:26PM (#60930276)

      You could have installed the Unifi controller on your hardware and avoided handing control of your equipment to a third party.

      Yesterday I had to block outgoing ICMP requests on a friends network. It saddens me to think that you repeat things time and time again and to find that nobody listens. If it's not your cloud then you have no idea what security is implemented. The fine print on the contract determines how serious they take their security. The less responsibility they assume the less they value security and your data.

      There was a targeted DoS attack yesterday. I know of at least 2 installations that were sending out ICMP floods and both were on the Ubiquity cloud service.

Programmers do it bit by bit.

Working...