by UBNT-Matt, 07-15-2015 09:52 AM - edited 07-15-2015 10:58 AM
Over the last couple of years, Ubiquiti has made an effort to greatly increase the security of our products; this includes both patching any vulnerabilities responsibly before customers may be affected and encouraging (and even forcing) best practices in the use of the products out of the box. In order to provide some transparency into the progress, I wanted to share some of the things we've been working on.
Hacker Vulnerability Bug Bounty Program
A few years ago a nasty vulnerability was found in Ubiquiti products; if you have been using our products for a while, you more than likely remember it -- SkyNet. We learned about it at the same time as our customers, after a worm had been developed specifically for Ubiquiti products to exploit this vulnerability and spread to other Ubiquiti products around the world.
While we were on top of it quickly and released a firmware patch the same day, we could have prevented this if we had appropriate measures and processes in place. It was a lesson learned, and led to the launch of our Hacker Vulnerability Bug Bounty Program.
With the new program, we've strongly embraced the security research community, and have worked with researchers and customers around the world anxious to help test the products. This year alone we've already addressed > 60 vulnerability submissions thanks to the help from our community.
For more details on the program, you can see our Bounty Program Portal:
Recently, a few mainstream tech blogs have released articles highlighting cases where publicly installed routers (specifically Ubiquiti ISP products) were taken control of by malicious users and used in a distributed attack against various victims. While this isn't inaccurate, the sentiment of the articles and comments was that "Ubiquiti products are insecure". However, all products in these reports were found to be on public IP addresses and using default credentials, things that could/should have been prevented by the user. We have made some improvements; but first some background...
Ubiquiti products (especially airMAX, EdgeMAX, airFiber) are sold and marketed to professional ISPs. These ISPs use our equipment to provide internet service to customers in over 180 countries around the world. The products can be used in many different ways and applications (Point-to-Point link, CPE device on customer's home, etc).
Early on, we started building the products with as much configuration flexibility out of the box as possible, and placed little emphasis on security -- since we were shipping to ISPs and professionals, the undiscussed assumption was that the user should be responsible for securing their own equipment.
However, we quickly learned that due to Ubiquiti's disruptive price points, extremely intuitive user experience, and high product quality, we were empowering almost anyone around the world (including users with little or no experience) to use our products to start businesses and spread internet connectivity in their areas.
Since then, we've prioritized security, and have begun putting additional safety measures in place to protect the products (and our customers) as much as possible out of the box, while still allowing the flexibility our advanced users require to use and configure the products. In mid-2012, we enabled HTTPS by default, and added extremely persistent (and as some customers say "annoying") popup reminders if the user is still using default credentials.
Recently we've decided to take this a bit further, and allow a user to log in with default credentials, but not allow any configuration changes if default credentials are being used. We feel this is a good mix of security & flexibility. Some products already have this implemented, others are in progress.
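One way to implement the gate described above, as an added sketch that is not Ubiquiti's firmware code. The `Device` class, its method names and the factory credentials are hypothetical, and it assumes a password change is the one write still permitted while the defaults are in use.

```python
import hashlib, hmac, os, secrets

# Constructed placeholder values, not any real product's factory defaults.
FACTORY_USER, FACTORY_PASSWORD = "admin", "factory-default"

def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class Device:
    """Hypothetical management interface for a network device."""

    def __init__(self):
        self.user, self.salt = FACTORY_USER, os.urandom(16)
        self.pw_hash = _hash(FACTORY_PASSWORD, self.salt)
        self.config = {"ssid": "unconfigured"}
        self._sessions = set()

    def uses_default_credentials(self) -> bool:
        # Re-derive the factory hash with the current salt; compare in constant time.
        return self.user == FACTORY_USER and hmac.compare_digest(
            self.pw_hash, _hash(FACTORY_PASSWORD, self.salt))

    def login(self, user: str, password: str):
        ok = hmac.compare_digest(_hash(password, self.salt), self.pw_hash)
        if not (ok and user == self.user):
            return None
        token = secrets.token_hex(16)
        self._sessions.add(token)
        return token

    def _check(self, token):
        if token not in self._sessions:
            raise PermissionError("not logged in")

    def get_config(self, token) -> dict:
        self._check(token)            # reads stay available with default credentials
        return dict(self.config)

    def set_config(self, token, key, value):
        self._check(token)
        # Evaluated on every write, so the gate lifts once the password changes.
        if self.uses_default_credentials():
            raise PermissionError("change the default credentials first")
        self.config[key] = value

    def change_password(self, token, new_password: str):
        self._check(token)            # assumed to be the one write allowed while gated
        if new_password == FACTORY_PASSWORD:
            raise ValueError("new password must differ from the factory default")
        self.salt = os.urandom(16)
        self.pw_hash = _hash(new_password, self.salt)
```

Checking the credential state on every write, rather than caching a read-only flag at login, means a session opened with the defaults becomes fully usable as soon as the password is changed.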
As a reminder, always make sure you're running up-to-date firmware, and have properly secured your network equipment (enabling firewalls, limiting management access, and changing default credentials).
Sometimes it's hard to share exactly what's going on behind the scenes at the company, but as we've grown over the last few years, product security is one thing we've added to our priority list. I wanted to share some of the progress we've made. There's always room for improvement, so if you have suggestions or questions, feel free to shoot us an email: firstname.lastname@example.org