Ubiquiti, a company with prosumer routers that have become synonymous with security and manageability, is now accused of covering up a serious security flaw. After 24 hours of silence, the company has now released a statement that does not contradict the whistleblower’s claims.
A company whistleblower claimed that the company itself had been breached and that the legal team was preventing efforts to accurately disclose the risks of the breach to customers.
Hackers had full access to the company’s AWS servers – and they could have accessed any Ubiquiti network devices that customers had set up to control through Ubiquiti’s cloud service. Hackers were also able to obtain the cryptographic secrets behind single sign-on cookies and remote access, had complete control over the source code repositories, and could exfiltrate the signing keys.
The whistleblower also stated that the company does not keep logs that show who accessed or did not access the hacked servers. The company’s statement also confirmed that the hackers were trying to extort money, but did not address the cover-up allegations.
Because Ubiquiti does not deny the allegations, its statement amounts to an insufficient warning for its customers. It encouraged users to change their passwords and enable two-factor authentication, but did not go as far as locking all accounts and requiring password resets – which would have been the more appropriate response.
For more information, read The Verge’s original story.