March 31, 2021 | 3 minute read
A security professional who assisted Ubiquiti in its response to a data breach accused the Internet-of-Things (IoT) device vendor of having downplayed the incident’s severity.
As reported by KrebsOnSecurity, the security professional told Ubiquiti’s whistleblower hotline and European data protection authorities that the American technology company had misrepresented the impact of a recent data breach to the public.
“It Was Catastrophically Worse Than Reported…”
Ubiquiti disclosed the security incident in mid-January 2021, revealing in a web statement that someone had gained unauthorized access to its IT systems hosted by a third-party cloud provider.
The US-based technology company explained in its statement that it had found no evidence of those responsible for the intrusion having misused a user account or having gained access to its databases that host user data. It went on to urge customers to change their passwords and to implement two-factor authentication on their accounts as a precaution.
According to the whistleblower security professional, this isn’t what happened.
“It was catastrophically worse than reported, and legal silenced and overruled efforts to decisively protect customers,” the individual told the European Data Protection Supervisor, as quoted by KrebsOnSecurity. “The breach was massive, customer data was at risk, access to customers’ devices deployed in corporations and homes around the world was at risk.”
The whistleblower accused Ubiquiti of having painted itself as a casualty of an attack against an unnamed third-party cloud provider. According to that individual’s account, the malicious actors responsible for the security incident actually targeted the company and succeeded in gaining read/write access to its databases hosted by Amazon Web Services (AWS)—the alleged “third party” in this story.
In doing so, the attackers came into possession of all S3 data buckets, application logs, user database credentials and secrets required to forge Single Sign-On (SSO) cookies, the whistleblower explained in their record. KrebsOnSecurity noted that the attackers could have used that information to remotely authenticate themselves across the millions of IoT devices produced by Ubiquiti.
Per the security professional, Ubiquiti launched an investigation into what happened and found a backdoor used by the attackers to gain access to its databases. After it removed the backdoor, the attackers demanded a ransom of 50 bitcoin (roughly $3 million USD) to remain quiet about the breach.
The company didn’t respond to that demand, the whistleblower pointed out. Instead, it continued its investigation, leading to its discovery and removal of a second backdoor. Ubiquiti had not responded to KrebsOnSecurity’s request for comment as of this writing.
I sat down with Sam Curry, CSO at Cybereason, to better understand the whistleblower’s account and how it factors into Ubiquiti’s breach response. Here’s what he had to say:
David Bisson: What do you feel the breach’s impact is on the industry?
Sam Curry: It's a reminder of a few things: first, transparency and clarity matter - no half-measures. It's also a reminder that eventually the truth comes out. The whistleblower here did the right thing. Without it, it might have taken much longer for people to make informed, risk-based decisions.
DB: Where does that leave Ubiquiti in terms of a response?
SC: You don't get to play the victim card. Ever. Companies can be heroes or villains, and if you don't proactively take the role of a hero, guess what the public will label you with?
DB: Okay, so if you were at Ubiquiti, what would your media strategy be?
SC: Be clear. Talk to your comms and marketing people. Immediately retain experts in crisis management and deal with this. Default to clarity and openness, or history will not look kindly on this matter.
DB: Maybe. But after disclosing the breach, the company witnessed its stock price grow over the next few months. Ubiquiti’s stock is currently valued at about $100 more than it was at the time of its breach disclosure in mid-January. What’s going on here?
SC: I don't know the source of confidence in the company. It could be based on integrity in the face of adversity rather than simple exposure to what is emerging as a big player in IoT. Current and future shareholders will be paying acute attention here in the days and weeks to come.
DB: You’re probably right. Now what about threat actors? Does this signal anything to them?
SC: Even perfect disclosure can add to the arsenal of attackers. The thing about partial disclosure is that it can attract attacker research and attention while giving a false sense of security and safety to defenders, and that's awful. Now it's time for calculations inside Ubiquiti and for the company to come clean. There won't be a third chance.
DB: Finally, what’s your main takeaway from all of this?
SC: The nature of the devices made by Ubiquiti matter. Here, we are at the uptick of IoT, and a major supplier is effectively highlighting the supply chain for, well, everything. This is proof positive that more serious public safety issues lie here waiting for the world. It's time to make sure that security persists in devices that might outlive their suppliers. We can do this by working with IoT manufacturers to ensure strong identity, vulnerability management, upgrade-ability, integrity checking, lifecycle management, strong crypto and more. If we don't do this now, we are effectively creating a more hackable world and the equivalent of web pollution for the future.
David Bisson is an information security writer and security junkie. He's a contributing editor to IBM's Security Intelligence and Tripwire's The State of Security Blog, and he's a contributing writer for Bora. He also regularly produces written content for Zix and a number of other companies in the digital security space.All Posts by David Bisson