
Major Provider of Cloud IoT Devices Breached

Author: Kelly Speiser | Date: April 1, 2021
Read Time: 3 minutes
Skill Level: Executive
The Ubiquiti data breach compromised customer PII after attackers gained access to the AWS root account, where they could do anything.

Ubiquiti (NYSE: UI), a global IoT device provider, announced on January 11 that it had suffered a data breach that compromised the PII of its customers. The vendor of routers, switches, security cameras, and network video recorders revealed that the breach started in December 2020 and lasted two months. The breach is in the news again after KrebsOnSecurity reported on it yesterday because of its sizable risk implications.

In a disclosure post on Ubiquiti's community portal, the company stated that compromised data may include names, email addresses, one-way encrypted passwords to customer accounts, addresses, and phone numbers.

How the Ubiquiti Data Breach Happened

The attacker gained access to a Ubiquiti IT employee's LastPass account, which held privileged credentials, and used them to obtain root administrator access to all of the company's AWS accounts. Once you have the root account, you can do anything; no privilege escalation is necessary. The compromised resources included S3 data buckets, every application log and database, and every user database credential.

According to an anonymous Ubiquiti security employee, the attackers obtained administrative read/write access to Ubiquiti servers on the AWS cloud. They obtained the cryptographic secrets behind single sign-on cookies and remote access, gained total control of the source code, and exfiltrated signing keys.

There was no indication that the attackers used any sophisticated tactics. Evidence points to rather basic misconfiguration errors, an all-too-pervasive problem that has led to countless data breaches.

What Could Happen Once the Attacker Gained Root Access?

With root access, a malicious actor can find the identities needed to reach the source code, add a backdoor to bypass security measures, and reach any resource, including encrypted data, where they can wreak further havoc. For example, the attacker can modify the firmware and push it down to every customer's device. Worse still, any device running the malicious firmware now has a backdoor installed.

What Could Have Prevented the Ubiquiti Data Breach?

Teams can follow a fundamental checklist of security best practices to prevent an event such as the Ubiquiti data breach from happening:

  • No identity should use the root administrator account after the initial account setup.
  • Make sure there is no access key tied to the root account.
  • Enable MFA everywhere.
  • Enforce separation of duties so that it takes two people to actually use the root account (for example, one person holds the password and another holds the MFA device).
  • Set alerts and continuously monitor for any access to the root account. This alert is one of the most basic yet essential settings.

Another question arises: was MFA enabled on the LastPass account? It should have been.

The anonymous tipster revealed that Ubiquiti did not have any database access logging. As a result, it is impossible to tell who or what might have accessed the databases, let alone what the attackers took.

Consequently, Ubiquiti was not aware of any access to its user databases, nor could it say with certainty that user data had not been exposed. The anonymous whistleblower, however, made it clear that "[the] breach was massive, customer data was at risk, access to customers' devices deployed in corporations and homes around the world was at risk." Security best practice is to turn on proper access logging and to add secondary logging, so that a single compromised account cannot quietly use resources or erase the record of having done so.
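The two controls the checklist above and this logging section call for, an alert on any use of the root account and a check that root has no access keys and has MFA enabled, can be expressed directly against the data AWS already produces. The following is an added example written for this post, not Ubiquiti's or Sonrai's code: it runs detection logic over constructed CloudTrail records (only the fields used are included) and over a constructed row in the shape of an IAM credential report. Field names (`userIdentity.type`, `accessKeyId`, `additionalEventData.MFAUsed`, the `<root_account>` row and `mfa_active` / `access_key_N_active` columns) are the real CloudTrail and credential-report names; the account ID, IPs and key ID are placeholders.

```python
"""Detect root-account usage in CloudTrail events and check root hygiene.

Added example, not from the original post. The events and credential
report rows below are constructed samples, not real logs.
"""
import json

# Constructed sample CloudTrail records (abbreviated to the fields used here).
SAMPLE_EVENTS = [
    {"eventTime": "2020-12-01T09:12:33Z", "eventName": "ConsoleLogin",
     "userIdentity": {"type": "Root", "accountId": "111111111111"},
     "sourceIPAddress": "203.0.113.7",
     "additionalEventData": {"MFAUsed": "No"}},
    {"eventTime": "2020-12-01T09:15:02Z", "eventName": "ListBuckets",
     "userIdentity": {"type": "Root", "accountId": "111111111111",
                      "accessKeyId": "AKIAEXAMPLEROOTKEY"},
     "sourceIPAddress": "203.0.113.7"},
    {"eventTime": "2020-12-01T10:00:00Z", "eventName": "GetObject",
     "userIdentity": {"type": "AssumedRole", "accountId": "111111111111",
                      "arn": "arn:aws:sts::111111111111:assumed-role/ci/build"},
     "sourceIPAddress": "10.0.0.5"},
]

# Constructed rows in the shape of an IAM credential report (column names are real).
SAMPLE_CREDENTIAL_REPORT = [
    {"user": "<root_account>", "mfa_active": "false",
     "access_key_1_active": "true", "access_key_2_active": "false"},
    {"user": "alice", "mfa_active": "true",
     "access_key_1_active": "true", "access_key_2_active": "false"},
]


def root_usage_alerts(events):
    """Return one alert dict per event performed with root credentials.

    CloudTrail sets userIdentity.type == "Root" for the root user and
    includes accessKeyId when the call was signed with a root access key.
    A ConsoleLogin whose MFAUsed is not "Yes" gets an extra reason.
    """
    alerts = []
    for ev in events:
        ident = ev.get("userIdentity", {})
        if ident.get("type") != "Root":
            continue
        reasons = ["root credentials used"]
        if ident.get("accessKeyId"):
            reasons.append("root access key in use")
        if (ev.get("eventName") == "ConsoleLogin"
                and ev.get("additionalEventData", {}).get("MFAUsed") != "Yes"):
            reasons.append("console login without MFA")
        alerts.append({
            "time": ev.get("eventTime"),
            "event": ev.get("eventName"),
            "source_ip": ev.get("sourceIPAddress"),
            "reasons": reasons,
        })
    return alerts


def root_hygiene_findings(report_rows):
    """Check the <root_account> row of a credential report.

    Findings map to the checklist: MFA must be enabled on root and no
    access key may be active on it.
    """
    findings = []
    for row in report_rows:
        if row.get("user") != "<root_account>":
            continue
        if row.get("mfa_active") != "true":
            findings.append("root MFA not enabled")
        if (row.get("access_key_1_active") == "true"
                or row.get("access_key_2_active") == "true"):
            findings.append("active access key on root")
    return findings


if __name__ == "__main__":
    for alert in root_usage_alerts(SAMPLE_EVENTS):
        print("ALERT:", json.dumps(alert))
    for finding in root_hygiene_findings(SAMPLE_CREDENTIAL_REPORT):
        print("FINDING:", finding)
```

In a real account the same `userIdentity.type = "Root"` condition is what you would put in a CloudWatch Logs metric filter on the CloudTrail log group, wired to an alarm, and the credential report comes from `aws iam generate-credential-report` followed by `aws iam get-credential-report`. Ship the CloudTrail logs to a second account the monitored account cannot write to; that is the "secondary logging" the section above asks for.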

Sonrai Dig Enables Next Generation Continuous Inventorying, Monitoring and Alerting of Changes

Sonrai Dig enforces critical resource monitoring by enabling teams to establish their security baseline then continuously monitor and instantly detect changes that deviate from the baseline, including:

  • Data access behavior
  • Access from new identities
  • Access from undesirable locations using geotags
  • Unusual changes in how identities access data

For example, an identity may access data that it has never accessed in the past. Sonrai Security fires off an alert about the suspicious behavior as soon as it happens.

Sonrai Security keeps a continuous inventory and tips teams off when an identity (which may be a non-person identity, such as a service or a role) creates a suspicious role. The benefit of knowing immediately when an identity gains questionable effective permission to access data is that you can remediate before anything goes wrong.

Schedule a live demo with one of Sonrai Security's identity and data security experts.
