Upcoming Maintenance Alert:

The UBNT Community will be upgraded at 5pm MDT on April 25th. During this time the community forums will be set to read-only status.

Learn more

×

Ubiquiti Update on Security

by Ubiquiti Employee ‎07-15-2015 09:52 AM - edited ‎07-15-2015 10:58 AM

Over the last couple of years, Ubiquiti has made an effort to greatly increase the security of our products; this includes both patching any vulnerabilities responsibly before customers may be affected, as well as encouraging (and even forcing) best practices of the use of the products out of the box. In order to provide some transparency in the progress, I wanted to share some of the things we've been working on. 

 

Hacker Vulnerability Bug Bounty Program

A few years ago a nasty vulnerability was found in Ubiquiti products; if you have been using our products for a while, you more than likely remember it -- SkyNet. We learned about it at the same time as our customers, after a worm had been developed specifically for Ubiquiti products to exploit this vulnerability and spread to other Ubiquiti products around the world. 

 

While we were on top of it quickly and released a firmware patch the same day, we could have prevented this if we had appropriate measures and processes in place. It was a lesson learned, and led to the launch of our Hacker Vulnerability Bug Bounty Program.

 

With the new program, we've strongly embraced the security research community, and have worked with researchers and customers around the world anxious to help test the products. This year alone we've already addressed > 60 vulnerability submissions thanks to the help from our community. 

 

For more details on the program, you can see our Bounty Program Portal:

https://hackerone.com/ubnt

 

Encouraging Product Best Practices

Recently, a few mainstream tech blogs have released articles highlighting cases where publicly installed routers (specifically Ubiquiti ISP products) were taken control of by malicious users and used in a distributed attack against various victims. While this isn't inaccurate, the sentiment of the articles and comments was that "Ubiquiti products are insecure". However, all products in these reports were found to be on public IP addresses and using default credentials, things that could/should have been prevented by the user. We have made some improvements; but first some background...

 

Ubiquiti products (especially airMAX, EdgeMAX, airFiber) are sold and marketed to professional ISPs. These ISPs use our equipment to provide internet service to customers in over 180 countries around the world. The products can be used in many different ways and applications (Point-to-Point link, CPE device on customer's home, etc). 

 

Early on, we started building the products with the greatest flexibility of configuration out of the box as possible, and gave little emphasis on security -- Since we were shipping to ISP providers and professionals, the undiscussed assumption was the user should be responsible for securing their own equipment. 

 

However, we quickly learned that due to Ubiquiti's disruptive price points, extremely intuitive user experience, and high product quality, we were empowering almost anyone around the world (including users with little or no experience) to use our products to start businesses and spread internet connectivity in their areas. 

 

Since then, we've prioritized security, and have begun adding additional safety measures in place to protect the products (and our customers) as much as possible out of the box, while still allowing the flexibility our advanced users require to use and configure the products. In mid-2012, we enabled https by default, and added extremely persistent (and as some customers say "annoying") popup reminders if the user is still using default credentials. 

 

Recently we've decided to take this a bit further, and allow a user to log in with default credentials, but not allow any configuration changes if default credentials are being used. We feel this is a good mix of security & flexibility. Some products already have this implemented, others are in progress. 

 

As a reminder, always make sure you're running up to date firmware, and have properly secured your network equipment (enabling firewalls, limiting management access, and changing default credentials).

 

---

 

Sometimes it's hard to share exactly what's going on behind the scenes at the company, but as we've grown the last few years, product security is one thing we've added to our priority list. I wanted to share some of the progress we've made. There's always room for improvement, so if you have suggestions or questions, feel free to shoot us an email: security@ubnt.com

 

Thanks,

Matt 

Comments
by
on ‎07-15-2015 10:33 AM
Nice write up! Thanks!
by
‎07-15-2015 12:34 PM - edited ‎07-15-2015 12:36 PM

Hi Matt, Good strategy!  Security is a thought that often comes into my mind on several fronts in this business.

 

Funny coincidence how here in the Announcements Blog on the right side is a mention of "Announcing airCRM -- The Ultimate ISP Management Platform"... Seems to me that back in January, I posted a comment in reference to customer list security:

 

http://community.ubnt.com/t5/The-Lounge/airCRM/m-p/1150347#M36427

 

Since back then, I got the Ubiquiti cold shoulder, how is the effort going in airCRM to encrypt our customer list data so that there is no possibility of data-mining it and backing that up with a legal statement to guarantee it?  Seems like a very big security issue to me.

by
‎07-16-2015 05:22 AM - edited ‎07-16-2015 05:24 AM

Hi Matt.

 

I have one suggestion regarding routers that has the default user/pass set on them.

 

Please have one extra setting on the initial setup page that is: "enable remote access" and have the feature shut OFF by default instead of the opposite. "Ordinary users" ( 90%+ ) don't have any idea of how to login to a router or if they do so just to setup SSID/key I don't think that they have any idea that they have to secure their firewall by disabling a feature that should be shut off by default.

 

Please add this setting in the future, at least on the air routers and there will be a lot fewer units that will become rooted or something else due to the default settings and users knowledge.

by
‎07-17-2015 09:11 PM - edited ‎07-17-2015 09:12 PM

I second @rdahlin. Until recently we were selling AirRouters to customers that didn't have their own router. We flash them all with a secure config, but users like to factory reset them, and then the MANAGEMENT INTERFACE IS OPEN ON THE WAN by default.

 

This doesn't make sense on AirRouters. Please change it. It's one of the reasons we've moved to another router model for this function.

 

I have a nice little collection of OpenWRT/AirOS malware that I've saved for analysis (and even dug into some) thanks to this.

by
on ‎07-20-2015 06:09 PM

@BrockTice and @rdahlin

 

Why would you not want remote access if you're providing the router?  Write a firewall rule to restrict access and disable the reset button, or charge a service call fee to come fix it if the customer resets it.  Or better yet, with default remote access on, you can log into the thing from remote and restore the config.  Put a sticker over the reset button if you're that worried about it.

 

Real providers want remote access and control of their devices.

 

There are a number of ways to solve this problem without making it as lame as a Linksys router.

 

by
‎07-20-2015 06:15 PM - edited ‎07-20-2015 06:16 PM

@tk421 wow, ok. The routers aren't ours we sell them to the customers. We retain ownership of the radios, we retain control of the radios, they own the routers. I like to draw a clear line at the PoE injector as far as responsibility. I'm not going to lock down a device the customer has purchased. I'm not a jerk like that. If they reset the radio they're locked out of the network, never had that happen.

 

We found a better device (Mikrotik hAP Lite) with better wifi and more secure defaults, that's cheaper, and we now offer that instead. We have remote management enabled on both the AirRouters and the hAP lites by default, but I'm not going to forcibly lock the customer out if they want control.

 

Open management on WAN with ubnt/ubnt as the login/pw is a dumb default, it needs to be fixed. "Real providers". Sheesh.

by
on ‎07-20-2015 07:09 PM

If you offer the MT hAP Lite, why do you care about the AirRouter?

 

If they reset the router and are locked out of the network, why do you care?  Do you hot glue the cat 5 cable and power cable into the device as well to protect idiot customers from themselves?

 

NAT in the radio and you don't care if their router is defaulted, plugged in backwards, etc.

 

Are you using MT network routers?  Here's how you solve your problem:

 

/ip firewall filter

add action=accept chain=forward dst-address=youripspace src-address=yourofficeIP port=22 protocol=22

add action=drop chain=forward dst-address=youripspace src-address=0.0.0.0/0 port=22 protocol=22

add action=accept chain=forward dst-address=youripspace src-address=youripspace port=443 protocol=22

add action=drop chain=forward dst-address=youripspace src-address=0.0.0.0/0 port=443 protocol=22

add action=accept chain=forward dst-address=youripspace src-address=youripspace port=80 protocol=22

add action=drop chain=forward dst-address=youripspace src-address=0.0.0.0/0 port=80 protocol=22

 

 

Allowing the world to bang on thousands of devices for no reason is equally dumb.

 

If you have a customer that wants those ports open and you trust them, just add an accept rule for them above these.

 

 

Best of luck.

by
on ‎07-20-2015 07:15 PM

I know how to write firewall rules, thanks. I care because it's irresponsible to release router firmware for devices intended for a SOHO application that default open to the world. They get infected, they send spam and DDoS traffic. I also block outgoing traffic on port 25 by default because it's the responsible thing to do.

 

The radios are already NATted and DMZed.

 

I'm not in the business of arbitrarily blocking traffic to my customers.

by
on ‎07-23-2015 12:29 PM

@tk421 but good for generating entires for Fail2Ban or an IPS\IDS system.

by
on ‎07-23-2015 04:47 PM

I do hope they've given us the ability to apply a saved config without first having to set the username and password.  The new requirement will be quite annoying otherwise.

by
on ‎08-04-2015 07:30 AM

Hello, I have signed up for BETA access about a month ago but received nothing back outside the automated message.  Is there something more that needs to be done on my end?  Thanks!