Networking and Internet of Things vendor Ubiquiti is alleged to have deliberately downplayed the severity of a data breach it disclosed in January.
Respected security journalist Brian Krebs reported on Tuesday on the allegations, which are based on conversations with an anonymous security professional who was involved in Ubiquiti's response to the breach. Krebs's source said he had raised the matter both with Ubiquiti's internal whistleblower hotline and with the European Data Protection Supervisor.
"It was disastrously worse than reported, and legal efforts to critically protect customers have been silenced and suspended. The breach was massive, customer data was at risk, and access to customer devices used in businesses and homes around the world was at risk."
According to the source, the attackers obtained full read/write access to Ubiquiti databases hosted on Amazon Web Services (AWS), the world's largest cloud platform. This was not a flaw on AWS's side: the attackers got in with credentials stolen from an employee's LastPass account.
In its January 11 public announcement, Ubiquiti said it had become "aware of unauthorized access to certain of our information technology systems hosted by a third-party cloud provider." Customer personal information may have been exposed, the company said, but was limited to names, email addresses, telephone numbers and postal addresses. Any passwords affected were "hashed and salted," which means the attackers could not simply read them from the database; it does not, however, stop an attacker who holds the table from guessing weak passwords offline, which is why changing them still matters.
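As an added illustration (not code from the original article or from Ubiquiti), the following Python shows what "hashed and salted" does and does not buy a breached password store: per-user salts defeat precomputed hash tables and hide which users share a password, but an attacker who has dumped the table can still hash a wordlist against each user's salt offline, so weak passwords fall anyway. The user names, passwords, wordlist and the choice of PBKDF2-HMAC-SHA256 are constructed assumptions for the demonstration, not anything known about Ubiquiti's systems.

```python
import hashlib
import hmac
import os
import secrets

# Salted password hashing, as referred to in the breach notice, followed by the
# offline dictionary attack an attacker runs against the dumped table.
# Everything here is constructed illustration data, not Ubiquiti's schema or data.


def hash_password(password: str, salt: bytes, iterations: int) -> bytes:
    """Salted hash via PBKDF2-HMAC-SHA256. iterations=1 behaves like a plain
    salted hash; a real store should use a large count (or bcrypt/argon2)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


def make_record(password: str, iterations: int = 1) -> dict:
    """Build one stored record: a fresh random 16-byte salt plus the salted hash."""
    salt = os.urandom(16)
    return {
        "salt": salt,
        "iterations": iterations,
        "hash": hash_password(password, salt, iterations),
    }


def verify(record: dict, candidate: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    digest = hash_password(candidate, record["salt"], record["iterations"])
    return hmac.compare_digest(digest, record["hash"])


def offline_guess(records: dict, wordlist: list) -> dict:
    """What an attacker holding the dumped table does: hash every candidate
    with each user's own salt. Salts rule out precomputed tables and force
    per-user work, but they do not stop this loop; only password strength
    and a slow hash do. Returns {username: recovered_password} for the hits."""
    recovered = {}
    for user, record in records.items():
        for word in wordlist:
            if verify(record, word):
                recovered[user] = word
                break
    return recovered


# Constructed store: two users share a weak password, one uses a random one.
STRONG_PASSWORD = secrets.token_urlsafe(16)
SAMPLE_RECORDS = {
    "alice": make_record("password123"),
    "bob": make_record("password123"),
    "carol": make_record(STRONG_PASSWORD),
}

# Constructed attacker wordlist, standing in for a multi-million-entry list.
WORDLIST = ["123456", "password", "qwerty", "letmein", "password123", "admin"]


if __name__ == "__main__":
    same_hash = SAMPLE_RECORDS["alice"]["hash"] == SAMPLE_RECORDS["bob"]["hash"]
    print("alice and bob share a password; identical stored hashes?", same_hash)
    print("recovered by offline guessing:", offline_guess(SAMPLE_RECORDS, WORDLIST))
```

Run as-is: alice and bob end up with different stored hashes despite the same password, yet both are recovered by the wordlist, while carol's random password is not. Raising `iterations` multiplies the attacker's cost per guess by the same factor, which is the actual defence salting alone does not provide.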
According to Krebs's source, the attackers in reality had root administrator access to all of Ubiquiti's AWS accounts, which would have allowed them to remotely authenticate to virtually any device connected to the Ubiquiti cloud anywhere in the world.
Ubiquiti makes network devices such as firewalls, gateways, Wi-Fi access points and switches. It also supplies networked surveillance cameras and associated devices, voice over IP phone systems, and networked digital door locks. The company has shipped 85 million devices worldwide.
According to GlobalData's Technology Intelligence Center, Ubiquiti had sales of $1.28 billion in fiscal 2020, up 10.6% year over year. Its operating margin for the 2020 financial year was 37.2%, after 33.9% in the previous year. The NYSE-listed stock performed well following the January announcement, rising from a mid-January low of $243.13 to a high of $389.88 on Friday, March 26. It has dropped to $349 since Krebs published his new report.
Krebs recommends that IT staff and consumers who own Ubiquiti devices change any passwords they use with them and, where possible, delete any profiles set up on the devices, update the firmware, and then re-create the profiles with completely new and unique credentials. He adds that remote access to Ubiquiti devices should be disabled wherever that is practical.
Verdict has asked Ubiquiti for comment but had not received a response at the time of publication.