
Flaw Possibly Affecting 500,000 Ubiquiti Devices Exploited in the Wild

Nearly half a million Ubiquiti devices may be affected by a vulnerability that has already been exploited in the wild, security experts warned last week.


Jim Troutman, consultant and director of the Northern New England Neutral Internet Exchange (NNENIX), revealed last week on Twitter that hackers had been remotely targeting Ubiquiti networking devices exposed via a discovery service accessible on UDP port 10001.

Troutman said attackers had been launching denial-of-service (DoS) attacks that caused a device’s management features to become unavailable. He also warned that it’s possible to exploit the flaw for weak distributed DoS (DDoS) attacks.

The issue has been discussed on Ubiquiti forums since at least last summer, and Rapid7 has reported seeing traffic destined for port 10001 for more than a year. Ubiquiti appears to have been aware of the weakness, but it alerted users only after Troutman’s warning on Twitter.

The vendor claims it has been working on a firmware update that should address the problem. In the meantime, it has advised users to block the problematic port at the network perimeter as a temporary workaround.

Interestingly, the company told customers that the flaw cannot be exploited to “create a DDoS attack.” It also told users that the vulnerability does not allow an attacker to gain control of devices.

However, Troutman, who says Ubiquiti’s suggested workaround could disrupt some services, claims to have seen DDoS amplification attacks, although with a fairly small amplification rate (“56 bytes in, 206 bytes out”). He is also not convinced that the vulnerability cannot be exploited to remotely hack devices.

Rapid7 researchers have also monitored these attacks and warned that the problematic service could have other management capabilities either “baked in or nearby.” As for the possibility of DDoS attacks, Rapid7’s Jon Hart noted in a blog post that UDP amplification vulnerabilities can typically allow attacks with an amplification rate that reaches up to 30-35X.
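The two amplification figures quoted above (Troutman’s 56 bytes in / 206 bytes out, Rapid7’s typical 30-35X) can be checked in your own network telemetry. The script below is an added example, not code from the article or from Rapid7: it parses constructed flow records (not real traffic), totals request and response bytes per device on UDP port 10001, and flags devices whose response volume exceeds what was sent to them.

```python
from collections import defaultdict
from dataclasses import dataclass

DISCOVERY_PORT = 10001  # UDP port of the Ubiquiti discovery service named in the article


@dataclass(frozen=True)
class Flow:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    nbytes: int


def parse_flows(lines):
    """Parse pipe-separated flow records: proto|src|sport|dst|dport|bytes (constructed format)."""
    flows = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        proto, src, sport, dst, dport, nbytes = line.split("|")
        flows.append(Flow(proto, src, int(sport), dst, int(dport), int(nbytes)))
    return flows


def amplification_by_reflector(flows, port=DISCOVERY_PORT):
    """Return {device_ip: (bytes_in, bytes_out, ratio)} for UDP traffic on `port`.

    bytes_in  = bytes sent *to* the discovery port on the device
    bytes_out = bytes the device sent *from* the discovery port
    """
    bytes_in, bytes_out = defaultdict(int), defaultdict(int)
    for f in flows:
        if f.proto != "UDP":
            continue
        if f.dport == port:
            bytes_in[f.dst] += f.nbytes
        elif f.sport == port:
            bytes_out[f.src] += f.nbytes
    stats = {}
    for ip in set(bytes_in) | set(bytes_out):
        i, o = bytes_in[ip], bytes_out[ip]
        ratio = o / i if i else float("inf")  # responses with no matching request
        stats[ip] = (i, o, round(ratio, 2))
    return stats


def flag_reflectors(stats, min_ratio=2.0):
    """Devices answering with at least min_ratio times the bytes they received."""
    return sorted(ip for ip, (_, _, r) in stats.items() if r >= min_ratio)


SAMPLE_FLOWS = """
# constructed sample records, not captured traffic
UDP|198.51.100.7|40001|192.0.2.10|10001|56
UDP|192.0.2.10|10001|198.51.100.7|40001|206
UDP|198.51.100.7|40002|192.0.2.10|10001|56
UDP|192.0.2.10|10001|198.51.100.7|40002|206
UDP|203.0.113.5|53000|192.0.2.11|10001|56
UDP|192.0.2.11|10001|203.0.113.5|53000|56
TCP|198.51.100.7|5555|192.0.2.10|443|1500
""".splitlines()

if __name__ == "__main__":
    print(flag_reflectors(amplification_by_reflector(parse_flows(SAMPLE_FLOWS))))
```

A device replying with a 56:206 ratio shows up at roughly 3.7X, well under the 30-35X Rapid7 cites as typical for UDP amplification, which is consistent with the "weak DDoS" description in the article.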


An Internet scan conducted using Rapid7’s Sonar project revealed roughly 490,000 unique devices accessible on UDP port 10001. More than half are located in Brazil, but significant numbers have also been identified in the United States, Spain and other countries.

Location of exposed Ubiquiti devices

A majority of the exposed Ubiquiti devices are NanoStation (172,000), AirGrid (131,000), LiteBeam (43,000), PowerBeam (40,000), and NanoBeam (21,000) products.

The names of 17,000 of these devices contain the string “HACKED-ROUTER-HELP-SOS”, suggesting that they have already been hacked via other vulnerabilities. This is not surprising, as Rapid7 claims most of the discovered devices are running outdated versions of the firmware.


Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
