Skip to main content

Ubiquiti breach, and other IoT security problems

Networking equipment manufacturer Ubiquiti sent out an email to warn users about a possible data breach. The email stated there had been unauthorized access to its IT systems that are hosted with a third-party cloud provider.

Ubiquiti Networks sells networking devices and IoT devices. It did not specify which products were affected but pointed at UI.com, which is its customer web portal. The servers in this domain store user profile information for account.ui.com, the web portal that Ubiquiti makes available to customers who bought one of its products. From there, users can manage devices from a remote location and access a help and support portal.

According to Ubiquiti, the intruder accessed servers that stored data on UI.com users, such as names, email addresses, and salted and hashed passwords, although the company says there's no evidence of the attacker accessing the specific databases that contained user information.

Ubiquiti advised users to change their password and enable 2FA for their Ubiquiti account. The manufacturer also warned customers who stored their physical address and phone number in their account that these may also have been accessed.

What happened exactly?

Unfortunately, there is very little other information about this breach. How many Ubiquiti users are impacted and how the data breach occurred is unknown at this time.

Ubiquiti mail
Image courtesy of a Ubiquiti customer

Ubiquiti's advice

The advice provided by Ubiquiti as shown in a copy of the email is sensible:

  • Change the password.
  • Enable 2FA.
  • Don't forget to change passwords on sites where you have used the same credentials.

Other IoT shenanigans

In other IoT news this week, a security flaw in a chastity belt for men made it possible for hackers to remotely lock all the devices in use simultaneously. The internet-linked sheath has no manual override, so owners might have been faced with the fear of having to use a grinder or bolt cutter to free themselves from its metal clamp. Luckily a workaround was provided by the Chinese developer.

Also, a group of Dutch safety experts have demonstrated that a traffic light system for bikes connected to a smartphone app can be hacked, potentially causing an accident. The smart system, part of which is still in the testing phase, has currently only been installed by ten local councils, but future plans included all the traffic at some 1,200 crossroads to be regulated via the internet to improve the flow of the traffic.

IoT insecurity

These are all examples of IoT insecurity that reached us this week alone, and clearly there is still a lot of work to be done to improve IoT security in general.

The examples show that there are a lot of angles that attackers can look at when they want to breach devices or interfere with their operations. The Ubiquiti attack was carried out through the online customer portal. The chastity belts were operated by compromising the server that provided remote control. The Dutch white hats were able to send false information to the traffic lights by reverse engineering and altering the signal sent by the app.

Advice for IoT users

Firstly, users should ask themselves if they need the device they are buying to be an IoT device. Is the remote functionality a mere "gadget" or is it something you expect to use regularly?

Secondly, look at the manufacturers track record when it comes to data privacy and the nature of the data you are providing them with. If it looks dodgy, it may well be.

Stay safe, everyone!

The post Ubiquiti breach, and other IoT security problems appeared first on Malwarebytes Labs.



from Malwarebytes Labs full article here

Popular posts from this blog

Mobile Security Framework (MobSF) - An All-In-One Mobile Application Security Assessment Framework

Mobile Security Framework (MobSF) is an automated, all-in-one mobile application (Android/iOS/Windows) pen-testing, malware analysis and security assessment framework capable of performing static and dynamic analysis. MobSF support mobile app binaries (APK, IPA & APPX) along with zipped source code and provides REST APIs for seamless integration with your CI/CD or DevSecOps pipeline.The Dynamic Analyzer helps you to perform runtime security assessment and interactive instrumented testing. Screenshots: Static Analysis - Android Static Analysis - iOS Dynamic Analysis - Android APK Web API Viewer Requirements: Mac: Install Git Install Python 3.6 - 3.7 (3.8 is not supported) macOS Catalina users must uninstall existing python3 and install the one from Python.org . After installation, go to /Applications/Python 3.7/ and run Install Certificates.command and Update Shell Profile.command Install JDK 8+ ...
Read more

BlackArch Linux - Penetration Testing Distribution

BlackArch Linux is an Arch Linux-based penetration testing distribution for penetration testers and security researchers. It contains over 1800 security and hacking tools. Here is the complete list of tools in the BlackArch Linux: 0d1n : Web security tool to make fuzzing at HTTP inputs, made in C with libCurl. 0trace :  A hop enumeration tool. 3proxy : Tiny free proxy server. 3proxy-win32 : Tiny free proxy server. 42zip : Recursive Zip archive bomb. a2sv : Auto Scanning to SSL Vulnerability. abcd : ActionScript ByteCode Disassembler. acccheck : A password dictionary attack tool that targets windows authentication via the SMB protocol. ace : Automated Corporate Enumerator. A simple yet powerful VoIP Corporate Directory enumeration tool that mimics the behavior of an IP Phone in order to download the name and extension entries that a given phone can display on its screen interface ad-ldap-enum : A LDAP based Active Directory user and grou...
Read more

How a VPN can protect your online privacy

Have you ever experienced the feeling of relief that comes when you do something silly, but you're glad you did it where people don't know you? Or maybe you wished you were somewhere like that, but alas… That is what a Virtual Private Network ( VPN ) can do for you: it can put you in a place where you are unknown. To determine if and when you need a VPN, you must define what your goal is. If your main goal is to improve your privacy online, then a VPN is one of the possible solutions. Privacy is a right that is yours to value and defend. If you don't fall into the categories of people who say "I have nothing to hide" or "they already know everything about me" then you may care enough about your privacy to use a VPN. For the latest Malwarebytes Labs reader survey we asked "Do you use a VPN?" 2,330 responded and an impressive 36 percent said they now used a VPN. For perspective, ten years ago, only 1.5 percent of Americans used VPNs. So...
Read more