April 4, 2021

For four days this past week, Internet-of-Things giant Ubiquiti did not respond to requests for comment on a whistleblower’s allegations that the company had massively downplayed a “catastrophic” two-month breach ending in January to save its stock price, and that Ubiquiti’s insinuation that a third party was to blame was a fabrication. I was happy to add their eventual public response to the top of Tuesday’s story on the whistleblower’s claims, but their statement deserves a post of its own because it actually confirms and reinforces those claims.

Ubiquiti’s IoT gear includes things like WiFi routers, security cameras, and network video recorders. Their products have long been popular with security nerds and DIY types because they make it easy for users to build their own internal IoT networks without spending many thousands of dollars.

But some of that shine started to come off recently for Ubiquiti’s more security-conscious customers after the company began pushing everyone to use a unified authentication and access solution that makes it difficult to administer these devices without first authenticating to Ubiquiti’s cloud infrastructure.

All of a sudden, local-only networks were being connected to Ubiquiti’s cloud, giving rise to countless discussion threads on Ubiquiti’s user forums from customers upset over the potential for introducing new security risks.

And on Jan. 11, Ubiquiti gave weight to that angst: It told customers to reset their passwords and enable multifactor authentication, saying a breach involving a third-party cloud provider might have exposed user account data. Ubiquiti told customers they were “not currently aware of evidence of access to any databases that host user data, but we cannot be certain that user data has not been exposed.”

Ubiquiti’s notice on Jan. 12, 2021.

On Tuesday, KrebsOnSecurity reported that a source who participated in the response to the breach said Ubiquiti should have immediately invalidated all credentials because all of the company’s key administrator passwords had been compromised as well. The whistleblower also said Ubiquiti never kept any logs of who was accessing its databases.

The whistleblower, “Adam,” spoke on condition of anonymity for fear of reprisals from Ubiquiti. Adam said the place where those key administrator credentials were compromised — Ubiquiti’s presence on Amazon’s Web Services (AWS) cloud services — was in fact the “third party” blamed for the hack.

From Tuesday’s piece:

“In reality, Adam said, the attackers had gained administrative access to Ubiquiti’s servers at Amazon’s cloud service, which secures the underlying server hardware and software but requires the cloud tenant (client) to secure access to any data stored there.

“They were able to get cryptographic secrets for single sign-on cookies and remote access, full source code control contents, and signing keys exfiltration,” Adam said.

Adam says the attacker(s) had access to privileged credentials that were previously stored in the LastPass account of a Ubiquiti IT employee, and gained root administrator access to all Ubiquiti AWS accounts, including all S3 data buckets, all application logs, all databases, all user database credentials, and secrets required to forge single sign-on (SSO) cookies.

Such access could have allowed the intruders to remotely authenticate to countless Ubiquiti cloud-based devices around the world. According to its website, Ubiquiti has shipped more than 85 million devices that play a key role in networking infrastructure in over 200 countries and territories worldwide.

Ubiquiti finally responded on Mar. 31, in a post signed “Team UI” on the company’s community forum online.

“Nothing has changed with respect to our analysis of customer data and the security of our products since our notification on January 11. In response to this incident, we leveraged external incident response experts to conduct a thorough investigation to ensure the attacker was locked out of our systems.”

“These experts identified no evidence that customer information was accessed, or even targeted. The attacker, who unsuccessfully attempted to extort the company by threatening to release stolen source code and specific IT credentials, never claimed to have accessed any customer information. This, along with other evidence, is why we believe that customer data was not the target of, or otherwise accessed in connection with, the incident.”

Ubiquiti’s response this week on its user forum.

Ubiquiti also hinted it had an idea of who was behind the attack, saying it has “well-developed evidence that the perpetrator is an individual with intricate knowledge of our cloud infrastructure. As we are cooperating with law enforcement in an ongoing investigation, we cannot comment further.”

Ubiquiti’s statement largely confirmed the reporting here by not disputing any of the facts raised in the piece. And while it may seem that Ubiquiti is quibbling over whether data was in fact stolen, Adam said Ubiquiti can say there is no evidence that customer information was accessed because Ubiquiti failed to keep logs of who was accessing its databases.

“Ubiquiti had negligent logging (no access logging on databases) so it was unable to prove or disprove what they accessed, but the attacker targeted the credentials to the databases, and created Linux instances with networking connectivity to said databases,” Adam wrote in a whistleblower letter to European privacy regulators last month. “Legal overrode the repeated requests to force rotation of all customer credentials, and to revert any device access permission changes within the relevant period.”

It appears investors noticed the incongruity as well. Ubiquiti’s share price hardly blinked at the January breach disclosure. On the contrary, from Jan. 13 to Tuesday’s story its stock had soared from $243 to $370. By the end of trading day Mar. 30, UI had slipped to $349. By close of trading on Thursday (markets were closed Friday) the stock had fallen to $289.


55 thoughts on “Ubiquiti All But Confirms Breach Response Iniquity”

  1. G.Scott H.

    The burden of proof lies with Ubiquiti in regards to proving customer data was not accessed. Without such proof, the safest assumption for security of customer data is that it was accessed.

    Reply
    1. JamminJ

      Unfortunately, proving a negative like this is not really possible.

      It’s also one of the main reasons auditors are always adamant about logging everything. Auditors understand that you can’t prove a negative, but you can have confidence in the negative if you have robust logging.

      Reply
      1. Ray

        Proving this negative is absolutely possible, if you do access logging. AWS provides this option, and it’s reeeeallly easy to set up. UI was apparently not doing access logging. This is a best practice that is warranted because of the distribution and adoption numbers. Not to mention their own desire to funnel users through the cloud based auth service.

        Reply
        1. JamminJ

          Like I said… Proving a negative is NOT possible.
          Having reasonable confidence in the negative would be possible, yes, if logging was enabled. Which it wasn’t.

          According to the whistleblower, it was specific logging for on premises database access, not on general AWS access. So although easy for AWS, perhaps there were reasons Database Access Monitoring wasn’t set up.

          Reply
          1. Me

            “Like you said it” twice already but you’re missing the nuance here. Proving “a” negative is very possible despite you saying otherwise. The problem isn’t that “it’s a negative”, although this platitude gets parroted a lot. Plenty of negatives (evidence of absence, negative proof) can in fact be proven.

            Proving “this” particular negative is not possible because Ubiquiti intentionally set it up in such a way. Disabling access logging is exactly the situation you want to be in in case of a breach because you want to be able to legitimately say “we have no evidence customer data was accessed”. Being able to say this has far more value than the access log.

            Reply
          2. Jim

            Proving a negative is certainly possible. I can prove that there is no coffee in my mug right now, I can prove that 2+2 does not equal 5, I can prove that I didn’t get drunk at lunch. While it’s true that absence of evidence is not evidence of absence. The opposite is also true that evidence of absence is not an absence of evidence.

            Reply
            1. Logic tests

              You might want to rethink your examples.

              Your examples are not examples of “proving a negative”. This concept is often misunderstood. Proving a cup empty is not the same as proving there was never any coffee in the cup’s history. After all, can the present condition (which is provable) prove the cup never had coffee? No, because you lack information regarding the entire history.
              How can you know if the cup was ever washed?

              The example of getting drunk at lunch has its “proof” relying on the biological understanding that blood alcohol content can only decrease so quickly. But again, as the event in question moves from the present state into the past, “proof” diminishes. You can prove the current state, but proving the negative never happened becomes impossible without retaining perfect knowledge.

              The math example is often misapplied to this concept as well. “You can’t prove a negative” usually does not refer to mathematics or any abstract in which all information is known. So in math, yes proving a negative is possible. But in concrete reality, in which omniscience is not possible or practical, not proving a negative is a reasonably true statement.

              A good rule of thumb when creating examples of this concept, is to ask yourself, does it require that you know everything? Every variable?

              Now, as the concept of “Cannot prove a Negative” relates to infosec data breaches…
              It is technically true, there is no absolute proof that something did not happen. So JamminJ is correct when stating “reasonable confidence in the negative” is possible with lots of logs being available.

              Even with perfect and comprehensive logs, you can only have high confidence, but cannot absolutely prove it. It may be good enough for auditors, but someone could always say, “maybe the logs were wiped”. Just like someone can say, “maybe someone cleaned your coffee cup”. The path to high confidence is to gather more and more logs, to make it less and less likely the positive exists. But that’s not the same as “proving the negative”.

              Reply
              1. Omega

                *General* negative claims can be impossible to prove. The claim ‘no black swans exist’ can never be proven conclusively.
                However, *specific* negative claims can be proven. ‘no black swans are in my house right now’
                If proper evidence and assurance had been collected, Ubiquiti could provide proof of what happened during the breach. Whether we trust their evidence or whether they meet the VERY high burden of proof is another question, but to say it’s impossible would be letting them off too easy.

                Reply
                1. JamminJ

                  ‘no black swans are in my house right now’
                  In your example, did you intend to prove the point made by logic test?

                  The key phrase is “right now”. When Logic talks about omniscience and perfect knowledge being necessary to prove a negative… Stating “right now” fits this criterion. You are in the present and can reasonably have perfect knowledge about the state of things in that moment.

                  Maybe you inadvertently showed the clear distinction with your two examples.
                  The two differences between your two examples are the addition of ‘right now’ and ‘in my house’. That limits the scope both in space and time, making it possible to have perfect knowledge.

                  Now, can you say that there has NEVER been a Black swan in your house? What about a purple ant (something less obvious)?

                  My point is that in the case of ubiquiti’s breach… They are not being asked whether there is an intruder currently beaconing out or some other state of CURRENT events of which they could reasonably expect to have perfect knowledge.

                  Instead, proving the negative would have to involve having perfect knowledge of the entire scope which includes the past year. Adjust the current state.

                  But I agree with you. none of this is an excuse for not having done due diligence such as log collection. Even if proving the negative is impossible…. Auditors and regulators don’t need it. They just need high confidence of the negative that robust and comprehensive logging would provide.

                  Reply
    2. Alex Curtis

      Since apparently, Ubiquiti didn’t keep access logs for its systems, I don’t think there is any way for Ubiquiti to “prove the negative” which is to prove that customer data had never been accessed. The truth is that they have no way of knowing.

      On a related note: I don’t understand why more companies don’t log everything. Logging costs are trivial. Stored in cloud providers like AWS/Azure/GCP at ~1 cent per gig or less (since they can be stored on low-availability or archive storage). Even if you don’t know how to search logs or use them, I recommend that every company at least be creating them and throwing them off to archive storage somewhere. If anything ever happens you can hire a consultant to come in and query or parse the logs for you.

      Reply
      1. Nick

        Logs become a liability. If you can’t search or query them, it’s also hard to prove secrets or other sensitive information haven’t leaked in. You don’t want to accidentally bring your log system/infrastructure into regulatory scope because an application accidentally logged a piece of PII.

        Even with a reasonable system there are issues like someone accidentally typing a password into an unprotected username field. It’s user error, but now the password has been logged.

        Reply
        1. JamminJ

          Logging is one of those things where it’s easy to do poorly and make mistakes. You don’t want to half-ass it.

          In this instance, the database is what needs to be logged. This is not generally raw user generated data that would be captured. Mostly service accounts accessing the database. Suppose someone could go wild and try to log raw database queries that might include user-generated data. But it does not take much effort to think about what you’re doing and only turn on the logging that normally would not have unsanitized sensitive information.

          Reply
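Added example (my code, not from the article, the whistleblower or any commenter) illustrating the logging point made in the story and in the thread above on proving a negative: with a connection log that covers the incident window, a defender can enumerate who reached which database from where, and can separate “no evidence of access” from “no way of knowing”. The log lines, users, hosts and dates are constructed, and the log format is modelled on PostgreSQL’s “connection authorized” messages.

```python
"""Added example (not from the article, the whistleblower or Ubiquiti):
what database access logging lets a defender say after a credential breach.
With connection logs covering the incident window, "no access found" is a
checkable claim; without them the honest verdict is "unknown". Every log
line, user, host and date below is constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
import re

# Constructed connection-audit lines (PostgreSQL 'connection authorized' style).
SAMPLE_LOG = """\
2021-01-01T08:00:00Z connection authorized: user=svc_billing database=customers host=10.0.1.15
2021-01-02T10:00:01Z connection authorized: user=svc_billing database=customers host=10.0.1.15
2021-01-02T10:00:07Z connection authorized: user=svc_billing database=customers host=10.0.1.16
2021-01-03T02:14:30Z connection received: host=10.0.9.200
2021-01-03T02:14:33Z connection authorized: user=dba_admin database=customers host=10.0.9.200
2021-01-03T02:15:02Z connection authorized: user=dba_admin database=users host=10.0.9.200
2021-01-04T09:30:00Z connection authorized: user=svc_support database=users host=10.0.1.30
2021-01-05T11:00:00Z connection authorized: user=svc_billing database=customers host=10.0.1.15
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) connection authorized: "
    r"user=(?P<user>\S+) database=(?P<db>\S+) host=(?P<host>\S+)$"
)

# Constructed investigation inputs: the window under review, the credential
# known to be in the attacker's hands, and the hosts that normally connect.
WINDOW_START = datetime(2021, 1, 2, tzinfo=timezone.utc)
WINDOW_END = datetime(2021, 1, 4, 23, 59, 59, tzinfo=timezone.utc)
COMPROMISED_USERS = {"dba_admin"}
KNOWN_HOSTS = {"10.0.1.15", "10.0.1.16", "10.0.1.30"}


@dataclass(frozen=True)
class Conn:
    ts: datetime
    user: str
    db: str
    host: str


def parse_log(text):
    """Parse 'connection authorized' lines; any other line is skipped."""
    conns = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        conns.append(Conn(ts.replace(tzinfo=timezone.utc), m["user"], m["db"], m["host"]))
    return conns


def summarize(conns):
    """Who connected to which database from where: the record of access
    that the article says Ubiquiti did not keep."""
    out = {}
    for c in conns:
        out.setdefault(c.user, set()).add((c.db, c.host))
    return out


def assess_window(conns, start, end, compromised_users, known_hosts):
    """Return (verdict, findings) for the window [start, end].

    'unknown'      the log does not cover the window (logging off, or the
                   lines rotated away or wiped): no claim can be made.
    'no_evidence'  the window is covered and nothing suspicious appears.
    'evidence'     connections by a compromised user or from an unknown host.
    """
    if not conns:
        return "unknown", []
    first, last = min(c.ts for c in conns), max(c.ts for c in conns)
    if first > start or last < end:
        return "unknown", []
    in_window = [c for c in conns if start <= c.ts <= end]
    findings = [c for c in in_window
                if c.user in compromised_users or c.host not in known_hosts]
    return ("evidence" if findings else "no_evidence"), findings


def demo():
    """The scenarios the comment thread argues about, as verdicts."""
    conns = parse_log(SAMPLE_LOG)
    day2_end = datetime(2021, 1, 2, 23, 59, 59, tzinfo=timezone.utc)
    later = datetime(2021, 1, 10, tzinfo=timezone.utc)
    args = (COMPROMISED_USERS, KNOWN_HOSTS)
    return {
        "logged": assess_window(conns, WINDOW_START, WINDOW_END, *args)[0],
        "quiet_window": assess_window(conns, WINDOW_START, day2_end, *args)[0],
        "no_logging": assess_window([], WINDOW_START, WINDOW_END, *args)[0],
        "log_gap": assess_window(conns, later, later, *args)[0],
    }
```

The coverage check is deliberately conservative: a log that starts after or ends before the window under review yields "unknown" rather than "no evidence", which is the distinction the thread is circling.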
  2. Watching and Waiting

    Thx for update, Brian.

    My regret is that I didn’t short UI! LOL.

    As a mere low tech user of systems this is more curiosity to me than anything else but it is interesting nevertheless.

    Reply
  3. Gannon (J) Dick

    At least Ubiquiti had a strategy to protect their stock price.

    Someone in Law Enforcement should have simply mentioned to Spring-Break crowds that mask-less faces are much faster to check against picture IDs and therefore would be done first. This would have raised the bar on bogus credential quality for under-age drinking etc.

    Better living through Social Engineering !

    Reply
  4. Jon Marcus

    “We see no evidence of compromise”, they say with their eyes tightly closed.

    Reply
    1. Markis

      Spot on. Two scenarios come to mind:

      a) we had logs and we deleted them as soon as we realised we got hacked.
      b) we didn’t have logging and have no idea what was accessed.

      either way “we have no evidence of compromise”

      It’s bollocks.

      Reply
      1. JamminJ

        Hanlon’s Razor makes (a) quite unlikely.

        And (b) is unfortunately very common in enterprise environments.
        Remember, this is not general user access, or even routine administrator access such as logging into a portal or console.
        Database access monitoring often requires special configuration and setup. With mostly service accounts accessing the database for millions of transactions a minute, it can become a daunting task to manage.

        Reply
  5. John Pavon

    Please check out CL, they are having trouble with their contact codes. I think they have a big cannot-contact-posters problem: they have a code generator where they give you a temp email address for a limited time, but now nobody can reach posters? They claim they have this solved, but it still is infected?

    Reply
  6. vb

    Follow the chain of events backwards…the “accident” happened when local-only networks were being connected to Ubiquiti’s cloud. The gun was loaded, safety off, and aimed at their foot. The breach only pulled the trigger.

    Reply
    1. Catwhisperer

      True, however that has become de rigueur in the industry. Take Extreme Cloud, Mist, et al.; all have management interfaces that are cloud hosted. Ubiquiti is just another one that jumped on the wagon. However, the idea that you left the keys to the kingdom available in an ex-employee’s account, still active, deserves the responsible individual to, well, that can’t be posted online… 😉

      Reply
    2. Nick

      Anything that auto-updates is susceptible to the same problem; even manual updates of opaque binaries are susceptible. If any update/build infrastructure were compromised, rogue firmware could be pushed that gives complete access over a device.
      See the SolarWinds incident. Networks still compromised left and right, and SolarWinds is on-prem software.

      Reply
  7. Stratocaster

    As usual, anyone who states, “We take the security of your information very seriously” probably hasn’t and doesn’t, and has created a proof of concept why.

    Reply
  8. Paul Yeager

    I wonder how this might affect our internally hosted UISP and Unifi instances.

    Reply
  9. Michael Swenor

    Here is the deal: as an MSP, spin up your own cloud controller and don’t connect it to your account.UI.com cloud account; that way none of this matters. MSPs and hobbyists that are serious about security figure out ways to make it more secure. 2nd, why did you not have 2FA already turned on for your Ubiquiti account if it does business?? This would have made this whole breach a non-issue for your business, as the 2FA of UI was not compromised.
    Don’t blame Ubiquiti for users’ amateur-hour skills, Krebs; give these lazy people a free week of lessons to show them.

    Appreciate the heads up on the breach but we knew about this a while ago and already updated firmware and didn’t connect to their cloud in the first place. Good read anyway

    Mike

    Reply
      1. alambrito

        No, source code does not matter. Security through obscurity is no security at all.

        Reply
        1. MikeP

          If they have source code and code signing keys (as it appears they do), it absolutely does matter.
          Compromised code could have been installed on customer devices, including APTs that would be impossible to remove. Think compromised boot loader.

          Reply
  10. Mike Lowe

    Negligence. Ubiquiti was in such a great position, record profits, all time high stock price and none of that goes to security.
    You’d think they would have learned their lesson in the past. Brian, it might be a good idea to bring up their past behavior, including falling for phishing attacks and the whole ubnt / ubnt user password fiasco.

    Reply
  11. Hugh Brown

    WSJ puzzle clue, 2021-04-03: ‘Wishy-washy response to “Did they really say that?” (5 wds.)’
    Answer: “Not in so many words”

    Reply
  12. UnBlinking

    Note to Ubiquiti Board: It’s not the crime, it’s the coverup. Find out who pressed for the coverup, and replace them.

    Note to Ubiquiti C-Suite: Someone in your early coverup planning sessions uttered phrases like “We can’t lie about this,” or “Let’s be more honest,” or even just “I don’t agree with this approach.” That person was disinvited from later coverup planning sessions. Find that person, and put them in charge of all future communications about the breach. You’re running out of chances to get this right.

    Reply
  13. Mark Pyle

    Hikvision and Ubiquiti are in a stiff competition for the prosumer camera market. A competition with national security implications – Hikvision products are banned from US Government contracts.

    So are we going to get whistleblower info from Hikvision? Mr. Krebs, which side are you on?

    For a moment of editorial fame you undermined a substantial US corporation.

    Reply
    1. That is R

      Are you a closeted racist?

      Sounds like you want to give an American company a pass, just because they aren’t Asian.

      Reply
      1. Read Better

        There’s nothing racist in pointing out that China’s totalitarian government has a military stake in Hikvision and that said company’s vulns worldwide without question imperil the national security of non-totalitarian-aligned orgs.

        Krebs isn’t undermining a US corporation, he’s reporting on a breach that said corporation was responsible for.

        Pyle’s rhetorical question about whistleblowers in China’s state-operated security companies is entirely apt, however.
        Because they don’t have those, they disappear for years into secret prisons without trials. The difference.

        Reply
        1. JamminJ

          It’s probably not racism… but nationalism, which often overlaps with xenophobia and racism. There is a LOT of this going around. Whether it’s overt racism that leads to violent hate crimes against Asian Americans, or just “whataboutism” (what about this Chinese company that had significant vulnerabilities 5 years ago??).

          Now that an American company has to be held to account… another round of “whataboutism”.
          Hikvision is NOT in competition, in ANY way, with Ubiquiti. They make cheap consumer cameras. Ubiquiti is a much broader network hardware company, closer to Cisco, Huawei and TP-Link. All of which have had serious breaches of security and trust.

          Much of this has been fueled by rhetoric against China over the past few years. People believing in conspiracy theories about SARS-CoV-2 being engineered in a lab in China.
          In cybersecurity, there was even a fake news story about Supermicro motherboards having secret chips that allowed spying from China. All alleged victims denied this, and even years later, no evidence.

          Pyle may or not be motivated by racism, but it does sure sound like ultra-nationalism and an axe to grind against China (which has nothing to do with this).

          Pyle seems to advocate against speaking out (whistleblowing) against American companies doing the same thing. As if it is somehow patriotic to shield companies from accountability if they are American.
          The ironic thing is… this is how China deals with their own companies. They turn a blind eye. They don’t allow journalists to do their job, if they perceive any negative coverage to be “undermining” their own national interests.

          Reply
          1. Read

            “Hikvision is NOT in competition, in ANY way, with Ubiquiti” – Was not claimed otherwise.
            The distinction is they’re both companies with security concerns and physical products.
            One is owned/operated on behalf of a totalitarian kleptocratic cabalism directly, whereas comparably the other operates in a much more nuanced system re: nationalism.

            Your last paragraph is the relevant one regarding blind nationalism, but nigh-equating the US and China governmentally speaking is perhaps a different type of intentional blindness also.
            Hikvision, Huawei, multiple such individual companies are on specific lists for specific reasons with regard to both national and non-US international security regimes – for good reason.
            Not a racist reason either, it ought to be said and underscored. Intl’y known APT reasons.

            Reply
            1. JamminJ

              “Was not claimed otherwise”
              Read again…
              “Hikvision and Ubiquiti are in a stiff competition…”
              No, no they are not.

              “they’re both companies with security concerns and physical products”
              Okay? So what? That is extremely broad and includes many many manufacturers from around the world. Nationality isn’t a factor here.
              There is no reasonable justification for bringing up Hikvision in this discussion, other than “whataboutism”.

              I do agree that the US government should not use foreign hardware or software for government use. Doubly true for military. Just like I think it would be reasonable for China not to use American products for their government use.
              That really has nothing to do with the type of government (democratic/capitalist or authoritarian/communist). The NSA would be smart to put in backdoors for any US imported network equipment being used in China. Do you think we don’t already?

              I don’t believe the original comment was racist. But it does speak to a deeper irrational fear. Some people are trying to make China into an all encompassing boogeyman. Yeah, they are a significant geopolitical adversary for many reasons. But no, they didn’t create the virus in a lab. No, they did not plant hidden chips onto motherboards sent to the US. And no, they don’t need to be mentioned on every major cybersecurity breach.

              By the way, why do you call China “cabalism”? Is that supposed to be a new term for fearmongering against China? I know Qanon likes to throw around anti-Semitic terms like that, and many people don’t know what the words mean, so it gets mixed in with other conspiracy theories.

              Although the original comment itself may not be racist… it may indeed be used to fuel racism. Creating irrational fear of the other, blaming them for everything, is how you create a culture of hate. Hate crimes against Asian Americans are on the rise. And this tangent may be a symptom of that trend.

              Reply
              1. READ

                “Was not claimed otherwise” – by me, the person you replied to.

                Reply
                1. JamminJ

                  You didn’t say “by me” in your comment. It seemed like “was not claimed”… referred to the entire comment thread. This entire conversation was started because of the original claim at the top of the thread.

                  Reply
                  1. READ

                    I can only “claim” what I say or don’t, I don’t speak for the masses any more than you do.

                    The original conversation was not limited to that misphrased “claim” in any case, a nit I didn’t reference and which doesn’t really matter.
                    Hikvision is in competition in the camera market sector, UI is in the networking market sector, but both have security implications and as to whether they’re directly competing this was addressed:
                    “The distinction is they’re both companies with security concerns and physical products.”

                    One is owned/operated by a totalitarianist military, the other isn’t.
                    Enjoy your semantic exercises I guess.

                    Reply
                    1. JamminJ

                      You can continue to nitpick, but I can admit that my reply to your comment was also a reply to the original thread.

                      But since you are restating your false comparison with a vague and broad comparison….
                      “they’re both companies with security concerns and physical products”
                      Okay? So what? That is extremely broad and includes many many manufacturers from around the world. Nationality isn’t a factor here.
                      There is no reasonable justification for bringing up Hikvision in this discussion, other than “whataboutism”.

            1. JamminJ

              It was a made up story, by Bloomberg. They are the source of this false accusation.

              Why? Because of a little thing called the US-China Trade War. Think about it critically.
              Bloomberg has absolutely no real expertise in cyber security. They are a pro-US “Business” publication. Why are they the ones breaking this story, instead of the hundreds of technology or security news outlets?
              Why? Because in 2018, at the height of the Trade War, it was most advantageous to accuse China of attacking American businesses. From the White House, to American business interest groups…. all followed a strategy to gain leverage in the Trade War.
              It was important to make sure American businesses stayed away from China… and nothing does that better than fear.
              It is a propaganda tactic that is often successful when the lying has no consequence, and just having the “feeling” that it might be true, achieves the desired objective.

              It should speak volumes that supposed victims, ranging from Supermicro to Apple, all flatly deny being a victim at all. It would be one thing to downplay, but if these secret microchips did really exist, there would be NO WAY to deny it.

              Now go ahead, post those “many more reputed resources” that don’t just cite the original Bloomberg claim, but instead independently verify. You can’t. Because it was all just war-time propaganda.

              Reply
    2. Mark Bennett

      Proof-read your posts please. This is barely coherent. Shooting the messenger is also not a productive line to pursue on this website, which is specifically dedicated to providing information on events such as this. Why are you here?

      Reply
      1. Greg

        I agree. If these ‘in-the-know’ IT pros can’t write a coherent sentence perhaps they write code in the same haphazard manner. Maybe this is why there are so many security holes in their products. Just sayin’.

        Reply
  14. Chris

    So I’m just about to buy a bunch of Ubiquiti kit for our new house… Wasn’t too fussed about cloud key and definitely want the nerd toys, and planning on sharing some connectivity to my outbuildings & neighbours.

    I didn’t catch the mentioned push to connect networks to Ubiquiti cloud management, is that really a Bad Thing(TM) even if I religiously keep my stuff updated and MFA everything?

    Should I be looking at say, Meraki instead for Wi-Fi, “WISP” PTP links for crossing our property, segmented and controlled networking, home automation and security cameras? Or will MFA and minimal remotely initiated access still keep things safe?

    Not that Cisco or anyone is immune to compromise (but hopefully less likely to deceive customers affected by a breach, when it does happen), I’m just thinking of the practical or actual security of the management APIs I’ll have with such offerings. Are we going to have to ride out a year of compromises and code changes to progressively harden the source that’s been lost?

    Reply
    1. EricE

      Ubiquiti doesn’t require cloud connectivity – Meraki and others do. As well as monthly subscriptions, or your stuff stops working.

      Yes, with the newer versions of the controller software they make it harder to avoid connecting to their cloud, but you still can. And their camera system – Protect – finally supports local only connections via their mobile apps. You could always log in local only via the web UI.

      So yes, while this breach and their tepid response are unacceptable, if you wish to run your kit completely disconnected from them you still can.

      Reply
  15. David Ward

    “attack on a third party cloud provider” – actually it’s our area on AWS that we are responsible for
    “no evidence customer data was accessed or even targeted” – we don’t log anything so have no way of knowing

    The legal and comms teams certainly earned their bonus this year

    Reply
  16. August Spier

    “Adam says the attacker(s) had access to privileged credentials that were previously stored in the LastPass account of a Ubiquiti IT employee, and gained root administrator access to all Ubiquiti AWS accounts, including all S3 data buckets …”

    We need more detail here. Is there supposed to be an allegation that a LastPass account was hacked?

    Reply
    1. JAFO

      My question exactly.
      The implications for LastPass are pretty dire. I’m surprised LastPass hasn’t jumped on a response to that supposition by Ubiquiti. In many ways – if true – it’s the buried lede with much larger ramifications than the Ubiquiti breach.

      Reply
  17. Shane Hartman

    I had two-factor on and not connected to the cloud, so other than the possibility of bogus firmware updates, which I do manually, the breach is a non-issue. The coverup is. They should have forced rotation in January. The real question is why would any IT employee have credentials in a LastPass that gave hackers access to ALL AWS credentials. UI needs to learn how to use IAM with scoped, partitioned credentials and severely restrict access to root-level AWS accounts.

    Reply
  18. Phil Lembo

    Dropping in late after seeing this over on news.ycombinator.com, where the commentariat are even less charitable towards UBNT than here. When I recently updated my home network to accommodate faster broadband speeds than my existing equipment could handle, I looked long and hard at Ubiquiti’s offerings. Eventually I did decide to go with a (non-wireless) EdgeRouter but settled on a different vendor for my new access points because, frankly, I didn’t want the hassle of hosting my own controller or the risk of surrendering my environment to the cloud. To be honest, I had the same hesitation over using a router/firewall that could be controlled from the cloud. My broadband provider actually offered that as a default, but I went with the ER because at least with it I could turn off cloud access. In retrospect, I’m sort of sorry I didn’t shell out the few extra bucks for the equivalent RouterBoard.

    Reply
