Networking and internet of things vendor Ubiquiti deliberately downplayed the seriousness of a data breach it reported in January, it has been alleged.
Respected security expert Brian Krebs reported the allegations on Tuesday, based on conversations with an anonymous security pro who was involved in Ubiquiti’s response to the breach. Krebs’ source said he had raised the matter both with Ubiquiti’s own internal whistleblower hotline and with the European Data Protection Supervisor.
The source wrote in his letter to the EU data regulator regarding the breach:
“It was catastrophically worse than reported, and legal silenced and overruled efforts to decisively protect customers. The breach was massive, customer data was at risk, access to customers’ devices deployed in corporations and homes around the world was at risk.”
According to the source, the hackers obtained complete read/write access to Ubiquiti databases hosted on Amazon Web Services (AWS), the world's largest cloud platform. This did not stem from any error on AWS's part: the attackers got in with stolen credentials that had been stored in an employee's LastPass account, so the cloud provider's own controls were never the weak point.
In its 11 January public announcement, Ubiquiti said it had “become aware of unauthorised access to certain of our information technology systems hosted by a third party cloud provider”. It suggested that customer personal data may have been exposed but that this was limited to names, email addresses, phone numbers and postal addresses. Any passwords caught up in the breach, Ubiquiti said, were “hashed and salted”. That means the attackers cannot read the passwords directly and cannot reuse precomputed lookup tables against them, but it does not stop them from guessing weak passwords offline against the stolen hashes, which is why the reset advice below still matters.
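To make the “hashed and salted” claim concrete, the following Python is an added illustration (it is not Ubiquiti's code and is not drawn from the Krebs report). It shows what a per-password salt buys and what it does not: the same password hashed twice yields different digests, so a precomputed table is useless, yet a thief holding the database can still try guesses one at a time, and a password that appears in a short wordlist falls. The scrypt parameters and the five-word list are assumptions chosen for the demo.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Constructed sample wordlist standing in for what an attacker would try offline.
WORDLIST = ["password", "123456", "ubiquiti", "letmein", "qwerty"]

# Assumed scrypt cost parameters: deliberately modest so the demo runs in well under
# a second; production systems should tune these to the hardware they run on.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1
SALT_BYTES = 16


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest) for the password.

    A fresh random salt per password means two users with the same password get
    different digests, and a rainbow table built in advance matches nothing.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.scrypt(
        password.encode("utf-8"),
        salt=salt,
        n=SCRYPT_N,
        r=SCRYPT_R,
        p=SCRYPT_P,
        dklen=32,
    )
    return salt, digest


def verify_password(password: str, salt: bytes, expected: bytes) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, expected)


def crack_offline(salt: bytes, stolen_digest: bytes, wordlist) -> Optional[str]:
    """What the holder of a stolen (salt, digest) pair can still do: guess.

    The salt forces the attacker to do this per record rather than once for the
    whole database, and the scrypt cost slows each guess, but a password that is
    in the wordlist is recovered regardless of salting.
    """
    for guess in wordlist:
        if verify_password(guess, salt, stolen_digest):
            return guess
    return None


if __name__ == "__main__":
    salt_a, digest_a = hash_password("ubiquiti")
    salt_b, digest_b = hash_password("ubiquiti")
    print("same password, different digests:", digest_a != digest_b)
    print("weak password recovered offline:", crack_offline(salt_a, digest_a, WORDLIST))
    salt_c, digest_c = hash_password("correct horse battery staple")
    print("strong password recovered offline:", crack_offline(salt_c, digest_c, WORDLIST))
```

The practical reading: salting protects against bulk, precomputed attacks and against linking users who share a password, but a leaked hash of a weak or reused password should be treated as a leaked password.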
The reality, according to Krebs’ source, was that the attackers had root administrator access to all of Ubiquiti’s AWS accounts. Because Ubiquiti’s cloud is the management plane for its products, that level of access carried the risk that the attackers could remotely reach practically any cloud-linked Ubiquiti device around the world, not merely the customer records the January statement described.
Ubiquiti makes network equipment such as firewalls, gateways, Wi-Fi access points and switches. It also supplies networked security cameras and associated equipment, Voice-over-IP phone systems and networked digital door locks. The company says it has shipped 85 million devices worldwide.
According to GlobalData’s Technology Intelligence Centre, Ubiquiti reported revenues of $1.28bn for FY2020, an increase of 10.6% year-on-year. FY2020 operating margin was 37.2%, up from 33.9% the previous year. The company is traded on the NYSE, and the stock performed well following the January announcement, rising from a mid-January low of $243.13 to a peak of $389.88 on Friday 26 March. Since Krebs published his new report, it has fallen to $349.
Krebs advises IT staff and consumer users who have Ubiquiti equipment in operation to change every password in use on it and, where possible, to delete all profiles set up on the devices, update the firmware, and then recreate the profiles with completely new and unique credentials. He adds that remote access to Ubiquiti equipment should be disabled entirely wherever that is practical.
Verdict has approached Ubiquiti for comment but has not heard back as of publication.