Ubiquiti blunder let some folks view others' security cameras, accounts
Cloud misconfig blamed and now fixed
Ubiquiti says it fixed a bug that allowed some of its customers to glimpse strangers' security camera footage and access accounts and devices that didn't belong to them.
The surveillance and networking gear maker blamed a cloud system misconfiguration for the privacy breach, and said as of late Thursday "the problem is solved and all Ubiquiti accounts are now properly associated across our infrastructure."
Folks raised the alarm on Wednesday. According to one customer, who detailed the odd behavior on Reddit, "my wife received a notification from UniFi Protect, which included an image from a security camera. However, here's the twist — this camera doesn't belong to us."
UniFi Protect is the management app for Ubiquiti security cameras, from which users can watch live feeds and recordings, download footage, and configure their equipment. While customers can manage and configure multiple cameras via the app, it's supposed to limit access to devices belonging to that particular user's account, the tenant-isolation boundary any multi-user cloud service must enforce on every request, and not allow viewing of other customers' camera feeds.
"This notification was completely out of the blue and showed footage from an unfamiliar camera," the "baffled" customer continued. "What's even more strange is that when my wife opened the Protect app immediately after receiving the notification, only our two cameras were listed, as usual."
The poster added that the incident raised concerns about a potential security breach, or perhaps a disgruntled developer causing issues with the network.
Ubiquiti did not immediately respond to The Register's request for comment.
Other concerned customers soon chimed in with stories of their own:
It's VERY interesting you posted this, I was just about to post that when I navigated to unifi.ui.com this morning, I was logged into someone else's account completely! It had my email on the top right, but someone else's UDM Pro! I could navigate the device, view, and change settings! Terrifying!!
And then there is our personal favorite response, even if they are just yelling into the wind: "Well, if you connect your local stuff to the internet, there's always chances for stuff like this happening :)"
According to Ubiquiti, the security snafu started the morning of December 13.
"Thanks to your feedback and support, we were made aware of a small number of instances where users received push notifications on their mobile devices that appeared to come from unknown consoles, or where such users were able to access consoles that didn't appear to be their own," the home electronics firm said in its support forum.
An upgrade to the UniFi Cloud Infrastructure borked the system, breaking the association between user accounts and their consoles, but it has now been fixed, we're told.
The manufacturer was not particularly specific about how many customers were affected by the misconfiguration, and noted: "We are still investigating."
But it does sound like everything the users described on Reddit was accurate. One group of customers received notifications on their phones from gear belonging to another group of customers. Both of these groups were a "small number of users," Ubiquiti claimed.
Plus, some of these users who received push notifications for other people's devices "may have been granted temporary remote access" to accounts that didn't belong to them, according to Ubiquiti.
The company "believes" that "less than a dozen" folks had strangers remotely accessing their accounts, and promises to contact these people via email to let them know.
We'd assume that will happen just as soon as the biz finishes notifying another set of customers that Russian cyber spies compromised their Ubiquiti routers. ®