Flaw Allows Hackers to Find Ubiquiti Devices Exposed to Web

Ubiquiti Networks products have the remote administration feature enabled by default and a new flaw found by researchers at SEC Consult allows malicious hackers to quickly identify potentially vulnerable devices.

There have been several reports over the past months about devices from wireless networking solutions provider Ubiquiti Networks being abused by malicious actors for DDoS attacks and malware distribution. Such attacks are in many cases possible due to unchanged default credentials and a remote management feature that is enabled by default.

Researchers at IT security consultancy SEC Consult recently discovered that in addition to the remote management feature that is available via SSH, HTTP and HTTPS, there is another security weakness that can be abused by cybercriminals. According to experts, many Ubiquiti devices have the same hardcoded cryptographic keys.

“A certificate, including its private key, is embedded in the firmware of several Ubiquiti Networks products. This certificate is used for the HTTPS service (default server certificate for web based management) and is the same on all devices,” SEC Consult explained.

The vulnerability allows a man-in-the-middle (MitM) attacker to intercept communications and access sensitive information, such as administrator credentials.

While this flaw is not easy to exploit because the attacker needs to obtain privileged access to the victim’s network, the security bug can also be leveraged to identify Ubiquiti devices exposed to the Web. This can be achieved by conducting an Internet-wide scan for the fingerprint of the shared certificate.
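The same property that makes the shared certificate a scanning fingerprint also makes it easy for a network owner to audit their own fleet for it. The script below is an added example, not SEC Consult's or Ubiquiti's code: it computes SHA-256 certificate fingerprints for a set of management interfaces and reports any fingerprint that appears on more than one host, which is exactly the condition a device with a factory-embedded certificate would exhibit. The hostnames and certificate bytes are constructed sample data; the `fetch_der` helper shows how real DER certificates would be collected from devices you administer.

```python
import hashlib
import ssl
from collections import defaultdict
from typing import Dict, List

# Constructed sample inventory: hostname -> DER-encoded server certificate.
# Three "branch" access points carry byte-identical certificates, standing in
# for the shared factory certificate described in the article; one is unique.
SAMPLE_CERTS: Dict[str, bytes] = {
    "ap-branch-01.example.net": b"\x30\x82\x01\xaa" + b"SHARED-FACTORY-CERT",
    "ap-branch-02.example.net": b"\x30\x82\x01\xaa" + b"SHARED-FACTORY-CERT",
    "ap-branch-03.example.net": b"\x30\x82\x01\xaa" + b"SHARED-FACTORY-CERT",
    "ap-hq-01.example.net":     b"\x30\x82\x02\x10" + b"UNIQUE-PER-DEVICE-CERT",
}


def fetch_der(host: str, port: int = 443) -> bytes:
    """Collect a device's HTTPS certificate over the network (not used in the
    offline sample run). Only run this against hosts you are responsible for."""
    pem = ssl.get_server_certificate((host, port))
    return ssl.PEM_cert_to_DER_cert(pem)


def fingerprint(der_bytes: bytes) -> str:
    """SHA-256 fingerprint in the colon-separated form browsers and scanners show."""
    digest = hashlib.sha256(der_bytes).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def find_shared_certs(certs: Dict[str, bytes]) -> Dict[str, List[str]]:
    """Group hosts by certificate fingerprint and keep only fingerprints that
    more than one host presents; each such group is a candidate for a
    hardcoded certificate that should be replaced with a per-device one."""
    by_fp: Dict[str, List[str]] = defaultdict(list)
    for host, der in certs.items():
        by_fp[fingerprint(der)].append(host)
    return {fp: sorted(hosts) for fp, hosts in by_fp.items() if len(hosts) > 1}


if __name__ == "__main__":
    for fp, hosts in find_shared_certs(SAMPLE_CERTS).items():
        print(f"shared certificate {fp[:23]}... on {len(hosts)} hosts:")
        for h in hosts:
            print(f"  {h}")
```

Any fingerprint reported here should be replaced with a certificate generated on the device itself; the check is equally useful after a firmware update to confirm the vendor's promised per-device certificates actually arrived.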

Using the Scans.io service maintained by Rapid7 and University of Michigan, SEC Consult identified 600,000 devices. A new service from University of Michigan, the Censys Project, revealed the existence of 1.1 million Ubiquiti devices using the same certificate. A majority of the affected networking devices are located in Brazil (480,000), Thailand (170,000) and the United States (77,000).

(Image: Exposed Ubiquiti routers)

The certificate and private key have been identified in the firmware of many products, including AF, AG, AR, AirGrid, BM, Bullet, LiteStation, PicoStation, NanoStation, MiniStation, PowerStation, airGateway, Loco, Power AP, PBE, PBM, NBE, NSM, NB, and RM series devices.

“We have analyzed the distribution of other static cryptographic secrets in use in embedded devices and have yet to find a certificate that is more frequently used than one by Ubiquiti Networks devices,” SEC Consult said.

SEC Consult reported its findings to Ubiquiti Networks in mid-August via the HackerOne platform. The vendor promised to start generating unique SSH keys for each product during SSH key generation, but it’s unclear if it plans to do the same for the SSL certificates. SEC Consult told SecurityWeek that it hasn’t been able to determine whether current firmware versions address these issues.

Ubiquiti Networks has not responded to SecurityWeek’s request for comment.

In response to recent reports about malware infections and DDoS abuse, Ubiquiti Networks noted on its community forum that it had initially disabled the remote management feature by default, but reverted the setting after receiving numerous complaints from customers that needed the feature.

“We are currently not aware of any other vendor that leaves remote administration open on WAN side per default, which poses a very high risk to end users/customers of Ubiquiti Networks devices,” Johannes Greil, head of the SEC Consult Vulnerability Lab, said in an email. “This policy should be changed in order to protect their customers and make the products more secure out-of-the-box.”

When asked about the risk associated with publicly disclosing the certificate reuse issue, Greil noted that it’s very likely that malicious actors already know about this weakness since “it’s not rocket science and there are over a million publicly accessible devices out there to analyze.”

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
