Vendor Ubiquiti hacked, users should change passwords

A note to users of products from the US manufacturer Ubiquiti Networks: the company has fallen victim to a cyberattack, although the scope is still unclear. Over the weekend, its cloud offering was briefly disrupted, and Ubiquiti enforces a cloud account to manage local device accounts. Customers are advised to change their product passwords as a precaution.


Who is Ubiquiti?

Ubiquiti Networks is an American manufacturer that has been selling active networking components such as WLAN adapters for PCs since its founding in 2005. In the meantime, the product range has been expanded to include WLAN routers, access points, WLAN antennas and directional antennas, especially for outdoor use. Since 2014, the manufacturer has also offered VoIP phones as well as switches and network cameras for professional and semi-professional use. Ubiquiti's WLAN routers are based on WLAN chips from Atheros and use a Linux-based operating system ("airOS"). The nanoStation routers are very popular, because they allow the use of custom firmware. Ubiquiti products can be found on sale at Amazon and many other electronics retailers.

Vendor informs customers about hack

Now Ubiquiti has been the victim of a cyberattack in which customer data may also have been stolen. Customers of the company have received an email informing them of the incident. I became aware of the matter via a tweet from Bleeping Computer.

Ubiquiti victim of hacker attack

After a bit of research, I came across this announcement from the manufacturer on the Ubiquiti forum, where they post some details.

Account Notification

We recently became aware of unauthorized access to certain of our information technology systems hosted by a third party cloud provider. We have no indication that there has been unauthorized activity with respect to any user's account.

We are not currently aware of evidence of access to any databases that host user data, but we cannot be certain that user data has not been exposed. This data may include your name, email address, and the one-way encrypted password to your account (in technical terms, the passwords are hashed and salted). The data may also include your address and phone number if you have provided that to us.

As a precaution, we encourage you to change your password. We recommend that you also change your password on any website where you use the same user ID or password. Finally, we recommend that you enable two-factor authentication on your Ubiquiti accounts if you have not already done so.

We apologize for, and deeply regret, any inconvenience this may cause you. We take the security of your information very seriously and appreciate your continued trust.

Thank you,

Ubiquiti Team

Users are being informed about unauthorized access to internal IT systems hosted at a cloud provider. Ubiquiti says there is no evidence of unauthorized activity on the accounts of users of Ubiquiti products. However, the message advises users to change their password as a precaution and, if possible, to activate two-factor authentication. This probably refers first to the cloud account set up with this vendor, but could also be interpreted to mean changing passwords for local accounts on devices. Because the email contains direct links to pages for changing the password, some users thought the message was a phishing attempt, as you can read here.


Cloud account to manage local access

Bleeping Computer writes in a tweet that there was an outage of cloud services at Ubiquiti over the weekend (January 10, 2021). The whole thing is up and running again, but is likely the reason for the current email warning.

Cloud outage at Ubiquiti

I don't own such products, but I am puzzled by the fact that a cloud outage affects my local user account for a device. Then I read this article at Bleeping Computer. In the spirit of 'everything in the cloud', Ubiquiti is tricking users within its setup wizard into creating a cloud account with this vendor in order to manage their local passwords (German readers told me it's still possible to omit a cloud account and set up a device locally). In a forum entry, frustrated users rant about this.

So if anyone has routers, cameras, doorbells, switches or similar products from this vendor in use, they should change the passwords (of the cloud account and local devices, if applicable) as a precaution. Furthermore, I recommend thinking about whether a US manufacturer that (virtually) imposes password management for local access via its own cloud offering can be the right partner. At most, the only reason for using certain products (wireless antennas) from this vendor is the possibility, mentioned at the beginning, of flashing your own operating system onto the hardware (nanoStation routers).


One Response to Vendor Ubiquiti hacked, users should change passwords

  1. Andy says:

    I think if you read all of the forum entries you will see a lot of confusion by users. In fact, during the outage, I had no problem accessing the controller locally. I think the cloud has made it so convenient to access devices that a lot of people have not practiced doing local access and made sure their cloud and local credentials are known. Also, unfortunately, instead of Ubiquiti putting up some indication of what was going on, the cloud access simply said 'no controllers found' which was a bit upsetting!
