Ubiquiti breach news

FYI: Anyone interested in routers should read this Brian Krebs article from yesterday

Whistleblower: Ubiquiti Breach “Catastrophic”


Yup, a few of us guessed there was more than met the eye a couple months ago.

I hope Peplink invests $$$$ into security

Sigh. I’ve been assigned to work on a couple of projects that are being migrated to Azure.

I’ve warned that as much as Cloud deployments are great and efficient and high performing, your attack surface has greatly increased. Cloud providers invest heavily in security and give you the tools to fully manage your solution. And therein lies the problem, if you don’t know what you’re doing, resources can be left wide open to the public. I can make blob storage open to the public with a simple click.

Cloud is powerful but requires a lot of time and effort to learn and wield.

With great power comes great responsibility.


@Michael234 yep. Never understood the cult/fanboy fascination with Ubiquiti after I read about the company itself a few years ago. Shady practices.
They crank out a lot of hardware and supporting it well is not a priority. They charge $1000 or more for a “security appliance” that just runs Suricata, which anyone can install on any PC box.

Says something about how arrogant they are if they really thought they could keep a lid on that… Sad that someone had to risk his job though

The language might be a little too colorful for some people’s liking, but on the subject of the openly shady behavior of Ubiquiti over the years, the written points here are a pretty good laugh with at least some pretty reasonable truth, from what I can tell.


I’ve become the self-appointed IT support for my parish during the pandemic. Setting up live-streaming led me to their networking equipment. You guessed it, a couple of UAP AC Pros and a managed UniFi switch. But no controller!

The contractor set up a couple of APs using their own local controller to adopt them and didn’t bother doing much of a site survey. They installed them about 40ft apart on the same channels.

I bought them a cloud key in hopes of updating the 2-year-old firmware. But I would need to factory reset everything and SSH into each AP and apply the firmware at the command line, since the controller software and AP firmware aren’t compatible!

Given this latest breach, I don’t think I’ll go ahead with setting up a USG either.

Maybe I can talk them into investing in Peplink. I have some familiarity with it. :slight_smile:

Wow, that is quite an article.


I don’t know if this helps, but from my point-of-view (non-professional) it seems pretty clear to me that Peplink actively supports its products for far longer than most companies do in the networking hardware business.

That in itself is a cost saver in the long run… you could argue it’s in your church’s interest to switch to Peplink at some point when feasible.

For example, I have an 8 port Ubiquiti EdgeSwitch.
The original firmware was from 2016. The 2018 firmware upgrade actually reduced functionality and took away features; in a forum post, in response to annoyed users, they said they would later reimplement those features. And the next thing I know, they decided this switch was EOL without even restoring the functionality that all the users paid for in the first version of its firmware.

Compare that to the long list of products on Peplink’s firmware downloads webpage, many of which are older, yet Peplink still releases firmware updates for many of them.

Inevitably they can’t continue to support every product forever, but they sure seem to do it for a whole lot longer than other companies, and that’s pretty cool.

(Also cool is that for their access points, Peplink provides a locally managed option as well, which is almost nonexistent in the whole industry these days, e.g. Cisco, HP Aruba… These days most access points have to be set up with an active Internet connection to a cloud backend because they’re too cheap to have a server running on local hardware too, and that’s ridiculous, especially when you’re trying to troubleshoot.)


@Michael234 ha, I know, it reads almost like a satire lol

This could be a moment for Peplink to shine and snatch up some additional market share but that would require some focus shifting from expensive enterprise equipment to more affordable consumer equipment…

On one of the Hacker News threads someone wondered why there was so little mention of Peplink as an alternative.


Out of curiosity, can you start a new post in its own topic saying what you’d like to see, and what you’re generalizing as consumer affordable?

(Not a criticism. I wish they had more switches, and a 1Gb SOHO WiFi-router combo with cellular being only an optional add-in component and with as many ports as the Balance One has… but it’s only one topic per thread.)

Adding to what “Datahead” requested, please give it two WAN ports and make it a PrimeCare product. $50 US/year like the 20X.

Capture the prosumer market.

Since this article is about router security, I would be very curious to know how RA in Peplink products is secured.

For Peplink support personnel to connect, we just have to enable RA. Then connections can be established without any visible authentication, authorization or specific connection-time consent by the recipient. This is wonderful for support usability and I’ve used it on many occasions for Peplink support to connect & help with router issues (thanks guys!).

Given the above, I just cannot visualize how an adequate security mechanism can be layered on top of this very open-seeming RA. Is there public-key-based certificate authentication behind the scenes, with Peplink having the private key?

I hope it’s not a matter of Peplink having a master password for RA. And especially not of having a shared password reused across routers, as at least one networking vendor has done in the past.

Hoping someone from Peplink can provide clarity on the matter! :slight_smile:


I do not know how it’s done, but the most important issue is that we are in control. We turn it on when we want and turn it off when we want. And the status is displayed on the Dashboard page should we forget that it’s on.


Hello @Vitaly,
Some of how RA operates can be extracted by looking into the ports used in this overview.

As with @Michael234, we also encourage our customers to turn off RA when not required. It is a great support tool, though sensible security requires people to be conscientious about managing it.
We have seen snippets of how it works, and from what we have seen, it was built first and foremost with security in mind for protecting the customer. It is among the best product support tools from a vendor that we have seen.

We have had customers do penetration testing on Peplink solutions when set up with InControl2, and you will find articles from others here in the forum on this matter.

Here are two guides that can help new people with that.

Happy to Help,
Marcus :slight_smile:


The TCP/UDP port listing is certainly interesting; however, my concern is primarily with the security of the authentication flows with RA. I have not previously seen or heard of an RA product that’s both:

  1. Secure, and
  2. Requires no password or another user-visible factor (ex. connection-time approval) for vendors to universally connect to devices from all customers

The authentication (and thus the pen-test results) for InControl2 is, to me, a separate item. Those can be architected, designed and implemented with other software methods.

So I would love to see some details from Peplink or a 3rd-party security company around the security of the RA solution. @TK_Liew, is that something Peplink has available?

P.S. Yes, disabling RA when not needed is part of the defense-in-depth strategy. Even when disabled in the UI, however, some RA solutions may be vulnerable to exploitation.

When RA is enabled on a device, the device connects to our RA servers and checks the validity of the servers.
Support access permission will be checked and validated before logging onto RA systems.
RA access to the devices will be granted upon successful certificate-based authentication to RA servers.
We do not have a “global password” or “backdoor password”.
