As reported in 2019, over 20,000 Ubiquiti G4 Instant cameras and their accompanying Cloud Key+ devices are still vulnerable to two custom-privileged vulnerabilities on the camera’s network interface. These vulnerabilities could enable attackers to carry out social and technical engineering attacks.
These flaws are present in the camera’s network interface, which uses the UDP protocol on ports 10001 and 7004. This exposure allows attackers to obtain crucial information, such as platform names, software versions, and IP addresses, which can be exploited by threat actors.
The discovery relates to a 2019 incident in which security researchers exposed denial-of-service (DoS) attacks on Ubiquiti devices via port 10001/UDP. Further analysis revealed that nearly 500,000 devices were susceptible to this exploitation.
Although Ubiquiti claimed to have patched the vulnerability, recent findings indicate that over 20,000 devices are still at risk, demonstrating the persistent nature of such security flaws.
Researchers used tcpdump to analyse traffic on port 10001, identifying the Ubiquiti discovery protocol. They discovered that the CloudKey+ device regularly sent ‘ping’ packets to multicast addresses, prompting responses from the camera with detailed device information.
Later, researchers identified two critical issues:
- Lack of authentication: The discovery packets lacked authentication, making them easy targets for spoofing.
- Amplification potential: The camera’s response was significantly larger than the discovery packet, enabling potential amplification attacks.
“CPR was able to send a spoofed discover packet on our internal test network, and both the G4 camera and the CK+ responded, validating our concerns,” the researchers noted.
Researchers also tested the feasibility of exploiting these vulnerabilities over the internet. Although their network setup prevented direct responses to internet probes, a custom decoder revealed that over 20,000 Ubiquiti devices responded to spoofed packets online.
“This issue had been reported earlier (CVE-2017-0938) and addressed by Ubiquiti, stating that devices with the latest firmware only respond to internal IP addresses. Despite this, about 20,000 devices remain vulnerable, a significant reduction from the 500,000 previously reported by Rapid7,” researchers said.
The exposed data includes detailed device information and personal identifiers, such as owner names and locations. This information is a goldmine for cybercriminals conducting social engineering attacks.
Some devices even displayed messages like “Hacked-Router-Help-Sos-Default-Password,” signalling that they had already been compromised.
The issue underscores the problems in fully addressing vulnerabilities in IoT devices. Researchers observed that, unlike cloud services, where patches can be deployed universally and instantly, IoT device updates are slow to propagate, often leaving many units vulnerable for years.
Researchers have urged users to install the latest firmware, patch internet-connected devices including routers, turn on the automatic updates feature, and, if possible, avoid exposing IoT devices to the internet.
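One way to check a network for the behaviour described above, as an added example that is not from the researchers or Ubiquiti: the script reads flow records and flags any device that answers on UDP 10001 or 7004 to an address outside the internal ranges, along with the response-to-request byte ratio. The record format, the internal ranges, the function names and the sample records (including their byte counts) are assumptions constructed for illustration.

```python
import ipaddress
from collections import defaultdict

DISCOVERY_PORTS = {10001, 7004}  # UDP ports named in the article
# Assumed internal ranges (RFC 1918); adjust to the network being audited.
INTERNAL = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed flow records: src_ip,src_port,dst_ip,dst_port,proto,bytes
SAMPLE_FLOWS = """\
192.168.1.2,41000,192.168.1.30,10001,udp,4
192.168.1.30,10001,192.168.1.2,41000,udp,150
203.0.113.7,53211,192.168.1.30,10001,udp,4
192.168.1.30,10001,203.0.113.7,53211,udp,152
203.0.113.9,40000,192.168.1.40,10001,udp,4
192.168.1.30,443,203.0.113.7,50000,tcp,900
"""

def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL)

def audit(text):
    """Return discovery replies that left the internal ranges, with byte ratio."""
    req = defaultdict(int)  # (device, peer, port) -> bytes received by device
    rsp = defaultdict(int)  # (device, peer, port) -> bytes sent by device
    for line in text.strip().splitlines():
        src, sport, dst, dport, proto, size = line.split(",")
        sport, dport, size = int(sport), int(dport), int(size)
        if proto != "udp":
            continue
        if dport in DISCOVERY_PORTS and is_internal(dst):
            req[(dst, src, dport)] += size
        if sport in DISCOVERY_PORTS and is_internal(src):
            rsp[(src, dst, sport)] += size
    findings = []
    for (device, peer, port), sent in sorted(rsp.items()):
        if is_internal(peer):
            continue  # replies to internal addresses are the expected behaviour
        got = req.get((device, peer, port), 0)
        ratio = round(sent / got, 1) if got else None
        findings.append({"device": device, "peer": peer, "port": port,
                         "request_bytes": got, "response_bytes": sent,
                         "amplification": ratio})
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_FLOWS):
        print(finding)
```

In the constructed sample, only the device at 192.168.1.30 is flagged; 192.168.1.40 receives an external probe but sends no reply, so it produces no finding.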