Whistleblower: Router Manufacturer Ubiquiti Downplayed ‘Catastrophic’ Data Breach

Hackers stole Ubiquiti’s source code and pledged to disclose the location of a backdoor if their ransom demand was not met.
Published: April 9, 2021

New York City — A data breach that network router manufacturer Ubiquiti Networks reported to its customers earlier this year is far worse than the company initially declared, a whistleblower asserts.

On January 11, Ubiquiti alerted customers by email to a breach of certain “information technology systems hosted by a third-party Cloud provider.” The company stated it was “not currently aware of evidence of access to any databases that host user data, but we cannot be certain that user data has not been exposed.”

Now a cybersecurity professional at Ubiquiti, who helped the company respond to the breach beginning in December, has anonymously claimed the public notice was intentionally misleading and fails to fully capture the severity of the attack.

The anonymous employee spoke to Krebs on Security after first reporting his concerns both to Ubiquiti’s whistleblower hotline and to European data protection authorities. The source spoke on condition of anonymity for fear of retribution by Ubiquiti, according to Krebs on Security.

The source alleges that hackers obtained full read/write access to Ubiquiti’s databases at Amazon Web Services (AWS). After the company’s security team identified one backdoor the intruders were using, the hackers responded by demanding a ransom of 50 bitcoin ($2.8 million) or they would publicly disclose the breach. Ubiquiti, which also markets enterprise access control solutions and video surveillance hardware, did not respond.

The hackers also provided proof they had pilfered Ubiquiti’s source code, and threatened to disclose the location of a second backdoor if their ransom demand was not met. The company elected not to engage the attackers, according to the source. The second backdoor was eventually detected and Ubiquiti began the process of securing employee credentials.

The company asked customers to change their passwords in the January 11 email. However, the whistleblower said Ubiquiti “should have immediately invalidated all of its customers’ credentials and forced a reset on all accounts, mainly because the intruders already had credentials needed to remotely access customer IoT systems.”

The whistleblower says the company’s claim that it had no proof of customer data exposure was highly misleading. Ubiquiti doesn’t keep data logs, so it could not know one way or the other what hackers had accessed.

Following the Krebs on Security report, Ubiquiti released a second statement that did not deny the whistleblower’s claims and appeared to backtrack on its initial blaming of a third party.

“At this point, we have well-developed evidence that the perpetrator is an individual with intricate knowledge of our cloud infrastructure,” the statement says. “As we are cooperating with law enforcement in an ongoing investigation, we cannot comment further.”

This article was originally featured in CS sister publication Security Sales & Integration. Rodney Bosch is SSI’s senior editor.
