Wi-Fi kit-slinger Ubiquiti has suggested the attacker that accessed some of its cloud-hosted systems in January 2021 may have made off with source code and employee logins, not the customer data it initially warned could be in peril.
News that Ubiquiti’s cloud servers had been breached emerged on January 11, 2021, when the company emailed customers the text found in this support forum post. That missive stated: “We recently became aware of unauthorized access to certain of our information technology systems hosted by a third-party cloud provider.”
That announcement continued, “We have no indication that there has been unauthorized activity with respect to any user’s account,” but also recommended customers change their passwords because if their records had been accessed, hashed and salted passwords, email addresses, and even physical addresses and phone numbers could be at risk.
An update on Wednesday this week stated an investigation by outside experts “identified no evidence that customer information was accessed, or even targeted,” however.
Crucially, the update also revealed that someone “unsuccessfully attempted to extort the company by threatening to release stolen source code and specific IT credentials.” The update does not suggest the extortion attempt was fanciful.
Ubiquiti has not said when the external experts decided customer data was untouched. Which leaves the company in the interesting position of perhaps knowing its core IP has leaked, and not disclosing that, while also knowing that customer data is safe and not disclosing that, either.
The update contains another scary nugget in this sentence: “Please note that nothing has changed with respect to our analysis of customer data and the security of our products since our notification on January 11.”
But the January 11 notification makes no mention of “the security of our products.”
Sure, we made your Wi-Fi routers phone home with telemetry, says Ubiquiti. What of it?READ MORE
The update on Wednesday was published two days after Krebs On Security reported that it has seen a letter from a whistleblower to the European Data Protection Supervisor that alleges Ubiquiti has not told the whole truth about the incident.
Krebs said the letter described the attack on Ubiquiti as “catastrophically worse than reported.”
“The breach was massive, customer data was at risk, access to customers’ devices deployed in corporations and homes around the world was at risk,” the letter reportedly claimed, adding that Ubiquiti’s legal team “silenced and overruled efforts to decisively protect customers.”
The whistleblower separately claimed that whoever was able to break into Ubiquiti's Amazon-hosted servers, they could have swiped cryptographic secrets for customers' single sign-on cookies and remote device access, internal source code, and signing keys – far more than the Wi-Fi box maker disclosed in January. The intruder, it is said, obtained a Ubiquiti IT worker's privileged credentials, got root access to the business's AWS systems, and thus had a potential free run of its cloud-hosted storage and databases.
Backdoors were apparently stashed in the servers, too, and, as Ubiquiti acknowledged this week, a ransom was demanded to keep quiet about the break-in.
If Ubiquiti staff credentials were obtained, as even Ubiquiti itself now suggests, the attackers could have comfortably gained “access to customers’ devices deployed in corporations and homes around the world,” as the whistleblower's letter put it.
The right creds would also put customer data at risk of theft. Ubiquiti insisted this week the attackers had not “accessed, or even targeted” such data, though the whistleblower claimed the wireless kit maker kept insufficient logs to be sure of this.
Ubiquiti's post on Wednesday went on: “At this point, we have well-developed evidence that the perpetrator is an individual with intricate knowledge of our cloud infrastructure,” but said it can’t say more due to ongoing investigations.
To summarize: source code for Ubiquiti products and other internal info may have been exfiltrated, servers may have been rooted, and whoever's responsible may be a current or former employee of the company... yet other than with a few stray words, Ubiquiti has chosen to focus on a personal privacy issue it says is not actually a problem.
And that all happened at a time we know that bad actors were able to hide their presence within SolarWinds' infrastructure for years, and poison its products.
The update ends with another call for customers to refresh their passwords and enable two-factor authentication. The Register fancies some readers may also consider refreshing their Wi-Fi supplier. ®
PS: It's not been a great week for Ubiquiti: it just promised to remove house ads it added to the web-based user interface of its UniFi gear.