Security Experts:

Flaw Allows Hackers to Find Ubiquiti Devices Exposed to Web

Ubiquiti Networks products have the remote administration feature enabled by default and a new flaw found by researchers at SEC Consult allows malicious hackers to quickly identify potentially vulnerable devices.

There have been several reports over the past months about devices from wireless networking solutions provider Ubiquiti Networks being abused by malicious actors for DDoS attacks and malware distribution. Such attacks are in many cases possible due to unchanged default credentials and a remote management feature that is enabled by default.

Researchers at IT security consultancy SEC Consult recently discovered that in addition to the remote management feature that is available via SSH, HTTP and HTTPS, there is another security weakness that can be abused by cybercriminals. According to experts, many Ubiquiti devices have the same hardcoded cryptographic keys.

“A certificate, including its private key, is embedded in the firmware of several Ubiquiti Networks products. This certificate is used for the HTTPS service (default server certificate for web based management) and is the same on all devices,” SEC Consult explained.

The vulnerability allows a man-in-the-middle (MitM) attacker to intercept communications and access sensitive information, such as administrator credentials.

While this flaw is not easy to exploit because the attacker needs to obtain privileged access to the victim’s network, the security bug can also be leveraged to identify Ubiquiti devices exposed to the Web. This can be achieved by conducting an Internet-wide scan for the fingerprint of the shared certificate.

Using the Scans.io service maintained by Rapid7 and University of Michigan, SEC Consult identified 600,000 devices. A new service from University of Michigan, the Censys Project, revealed the existence of 1.1 million Ubiquiti devices using the same certificate. A majority of the affected networking devices are located in Brazil (480,000), Thailand (170,000) and the United States (77,000).

Exposed Ubiquiti routers

The certificate and private key have been identified in the firmware of many products, including AF, AG, AR, AirGrid, BM, Bullet, LiteStation, PicoStation, NanoStation, MiniStation, PowerStation, airGateway, Loco, Power AP, PBE, PBM, NBE, NSM, NB, and RM series devices.

“We have analyzed the distribution of other static cryptographic secrets in use in embedded devices and have yet to find a certificate that is more frequently used than one by Ubiquiti Networks devices,” SEC Consult said.

The application security company reported its findings to Ubiquiti Networks in mid-August via the HackerOne platform. The vendor promised to start generating unique certificates for each product during SSH key generation, but it’s unclear if it plans to do the same for SSL certificates. SEC Consult told SecurityWeek that it hasn’t been able to determine if current firmware versions address these issues.

Ubiquiti Networks has not responded to SecurityWeek’s request for comment.

In response to recent reports about malware infections and DDoS abuse, Ubiquiti Networks noted on its community forum that it had initially disabled the remote management feature by default, but reverted the setting after receiving numerous complaints from customers that needed the feature.

“We are currently not aware of any other vendor that leaves remote administration open on WAN side per default, which poses a very high risk to end users/customers of Ubiquiti Networks devices,” Johannes Greil, head of the SEC Consult Vulnerability Lab, said in an email. “This policy should be changed in order to protect their customers and make the products more secure out-of-the-box.”

When asked about the risk associated with publicly disclosing the certificate reuse issue, Greil noted that it’s very likely that malicious actors already know about this weakness since “it's not rocket science and there are over a million publicly accessible devices out there to analyze.”

view counter
Eduard Kovacs is an international correspondent for SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.