Check Point Research Reveals Ubiquiti Camera Vulnerabilities

Check Point Research (CPR) discovered that besides the secure shell (SSH) protocol (which needs manual activation) and a web server for standard management,

author-image
SMEStreet Edit Desk
New Update
 Check Point Research
Listen to this article
0.75x 1x 1.5x
00:00 / 00:00

Check Point Research (CPR) assessed  the popular Ubiquiti G4 Instant Camera, a compact, wide-angle, WiFi-connected camera with two-way audio, along with the accompanying Cloud Key+ device that supports the application.

Key Highlights

  • CPR conducted an attack surface assessment, discovering two custom privileged processes were exposed on the camera’s network interface: Ports 10001 and 7004, both using UDP protocol
  • As a result of the port vulnerabilities, over 20,000 Ubquiti devices were identified as exposed on the Internet, revealing informational data including their platform names, software version, configured IP addresses and more
  • The exposed data could be used for technical and social engineering attacks

Overview

In 2019, Jim Troutman tweeted about denial-of-service (DoS) attacks that were carried out on Ubiquiti devices by exploiting a service on 10001/UDP. In response, Rapid7 conducted their own assessment of the threat and reported almost 500,000 devices were vulnerable to the exploitation. Ubiquiti was made aware of the vulnerability and said the issue had been patched and their devices were running the latest firmware.

Now five years later, over 20,000 devices still remain vulnerable to this issue. This serves as a key example in how difficult it is to fully mitigate a vulnerability, not just amongst desktops or servers, but among Internet of Things (IoT) devices as well. The informational data exposed during this probe could be useful in conducting both technical and social engineering attacks. Our research uncovered the sheer magnitude of data users are exposing, while most likely being unaware of it.

CPR’s Attack Surface Assessment

Check Point Research (CPR) discovered that besides the secure shell (SSH) protocol (which needs manual activation) and a web server for standard management, two custom privileged processes were exposed on the camera’s network interface, using UDP protocol on ports 10001 and 7004. This raised concerns, as vulnerabilities in these services could lead to a complete compromise of the device.

Using tcpdump on port 10001, the researchers identified the Ubiquiti discovery protocol. The CloudKey+ device regularly sent 'ping' packets to multicast and discovered devices, and the camera responded with 'pong' messages containing detailed information such as platform name, software version, and IP addresses. Two key points stood out:

  1. No Authentication: The discovery ('ping') packet lacked authentication.
  2. Amplification Potential: The response from the camera was significantly larger than the discovery packet, indicating a potential for amplification attacks.

CPR was able to send a spoofed discover packet on our internal test network, and both the G4 camera and the CK+ responded, validating our concerns.

Internet Replication

We then tested if this behavior could be replicated over the internet. Despite port forwarding, the devices did not respond to internet probes, likely due to our specific network setup and NATing. However, using a custom decoder, we identified over 20,000 Ubiquiti devices on the internet. Random sampling showed these devices also responded to spoofed packets.

This issue had been reported earlier (CVE-2017-0938) and addressed by Ubiquiti, stating that devices with the latest firmware only respond to internal IP addresses. Despite this, about 20,000 devices remain vulnerable, a significant reduction from the 500,000 previously reported by Rapid7.

Privacy Concerns

This situation highlights the difficulty in fully mitigating vulnerabilities, particularly in IoT devices. For instance, decoded hostnames revealed detailed information about devices, including owner names and locations, which could be exploited for social engineering attacks.

Examples of exposed data include:

  • Device Identification: Revealing device types like NanoStation Loco M2 or AirGrid M5 HP.
  • Owner Information: Full names, company names, and addresses, providing breadcrumbs for targeted attacks.

Some devices even displayed warnings like “HACKED-ROUTER-HELP-SOS-DEFAULT-PASSWORD,” indicating they had been compromised.

Responsible Disclosure

Check Point Research contacted Ubiquiti about the devices that responded to the internet probe. Ubiquity informed us that the issue has been patched. Devices running their latest firmware should only respond to discovery packets sent from internal IP addresses.

Conclusion

This case serves as a reminder that simple mistakes can persist for years and the cyber security industry must remain vigilant as threat actors continue to look for ways to exploit our increasing dependency on technology in our daily lives. Fixing bugs and security issues in IoT devices post-sale is exceedingly challenging. Unlike cloud services, where a single patch can instantly secure all users, IoT device updates are slow to propagate, often taking years to reach all deployed units. Some users may never update their systems, leaving them perpetually vulnerable. Consequently, developing IoT devices according to security-by-design principles and incorporating built-in protection mechanisms against exploits and malware from the outset is imperative.

How to Stay Protected

Here are some things camera owners can do to avoid being infected:

  1. Make sure your camera is using the latest firmware version and install a patch if available.
  2. Patching your camera, router, and other IoT devices needs to become part of your regular cyber hygiene routine.
  3. More and more IoT vendors enable automatic updates by default. Make sure that this automatic update feature is enabled. Ask the seller/vendor before buying an IoT device if it offers automatic updates.
  4. If possible, do not expose your IoT devices, such as cameras, directly to the internet. If you do, ensure you’re not revealing more information about yourself than necessary (like names, addresses, and other personally identifiable information).

Check Point IoT Protect provides manufacturers with a Nano agent, a comprehensive set of security features that developers can embed into their devices for device-level security, reducing the need for frequent patches. This software package is a standalone solution designed to identify and block cyberattacks on IoT devices. It hardens the device, monitors its activity, and prevents malicious actors from taking control of connected devices.

Check Point Research cybersecurity