Security Experts:

Connect with us

Hi, what are you looking for?



Flaw Allows Hackers to Find Ubiquiti Devices Exposed to Web

Ubiquiti Networks products have the remote administration feature enabled by default and a new flaw found by researchers at SEC Consult allows malicious hackers to quickly identify potentially vulnerable devices.

Ubiquiti Networks products have the remote administration feature enabled by default and a new flaw found by researchers at SEC Consult allows malicious hackers to quickly identify potentially vulnerable devices.

There have been several reports over the past months about devices from wireless networking solutions provider Ubiquiti Networks being abused by malicious actors for DDoS attacks and malware distribution. Such attacks are in many cases possible due to unchanged default credentials and a remote management feature that is enabled by default.

Researchers at IT security consultancy SEC Consult recently discovered that in addition to the remote management feature that is available via SSH, HTTP and HTTPS, there is another security weakness that can be abused by cybercriminals. According to experts, many Ubiquiti devices have the same hardcoded cryptographic keys.

“A certificate, including its private key, is embedded in the firmware of several Ubiquiti Networks products. This certificate is used for the HTTPS service (default server certificate for web based management) and is the same on all devices,” SEC Consult explained.

The vulnerability allows a man-in-the-middle (MitM) attacker to intercept communications and access sensitive information, such as administrator credentials.

While this flaw is not easy to exploit because the attacker needs to obtain privileged access to the victim’s network, the security bug can also be leveraged to identify Ubiquiti devices exposed to the Web. This can be achieved by conducting an Internet-wide scan for the fingerprint of the shared certificate.

Using the service maintained by Rapid7 and University of Michigan, SEC Consult identified 600,000 devices. A new service from University of Michigan, the Censys Project, revealed the existence of 1.1 million Ubiquiti devices using the same certificate. A majority of the affected networking devices are located in Brazil (480,000), Thailand (170,000) and the United States (77,000).

Exposed Ubiquiti routers

The certificate and private key have been identified in the firmware of many products, including AF, AG, AR, AirGrid, BM, Bullet, LiteStation, PicoStation, NanoStation, MiniStation, PowerStation, airGateway, Loco, Power AP, PBE, PBM, NBE, NSM, NB, and RM series devices.

“We have analyzed the distribution of other static cryptographic secrets in use in embedded devices and have yet to find a certificate that is more frequently used than one by Ubiquiti Networks devices,” SEC Consult said.

The application security company reported its findings to Ubiquiti Networks in mid-August via the HackerOne platform. The vendor promised to start generating unique certificates for each product during SSH key generation, but it’s unclear if it plans to do the same for SSL certificates. SEC Consult told SecurityWeek that it hasn’t been able to determine if current firmware versions address these issues.

Ubiquiti Networks has not responded to SecurityWeek’s request for comment.

In response to recent reports about malware infections and DDoS abuse, Ubiquiti Networks noted on its community forum that it had initially disabled the remote management feature by default, but reverted the setting after receiving numerous complaints from customers that needed the feature.

“We are currently not aware of any other vendor that leaves remote administration open on WAN side per default, which poses a very high risk to end users/customers of Ubiquiti Networks devices,” Johannes Greil, head of the SEC Consult Vulnerability Lab, said in an email. “This policy should be changed in order to protect their customers and make the products more secure out-of-the-box.”

When asked about the risk associated with publicly disclosing the certificate reuse issue, Greil noted that it’s very likely that malicious actors already know about this weakness since “it’s not rocket science and there are over a million publicly accessible devices out there to analyze.”

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Expert Insights

Related Content

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

Mobile & Wireless

Apple rolled out iOS 16.3 and macOS Ventura 13.2 to cover serious security vulnerabilities.

IoT Security

Lexmark warns of a remote code execution (RCE) vulnerability impacting over 120 printer models, for which PoC code has been published.

Mobile & Wireless

Technical details published for an Arm Mali GPU flaw leading to arbitrary kernel code execution and root on Pixel 6.

Mobile & Wireless

Apple’s iOS 12.5.7 update patches CVE-2022-42856, an actively exploited vulnerability, in old iPhones and iPads.


Security researchers have observed an uptick in attacks targeting CVE-2021-35394, an RCE vulnerability in Realtek Jungle SDK.

Email Security

Microsoft is urging customers to install the latest Exchange Server updates and harden their environments to prevent malicious attacks.


Google has awarded more than $25,000 to the researchers who reported the vulnerabilities patched with the release of the latest Chrome update.