Ubiquiti highlights troubled security path for operators
Editor's Note: This article has been updated following a retraction by Brian Krebs
In January, equipment vendor Ubiquiti told customers to reset their passwords due to a security breach involving a third-party cloud provider.
The announcement appeared to be a relatively routine security warning. Such alerts among equipment vendors have become increasingly common as the noise around cybersecurity continues to rise.
However, the situation took on added weight when security researcher Brian Krebs reported last month that the issue was in fact a "catastrophic" security breach, citing comments from a whistleblower involved in the situation.
However, on August 31, 2022, after this article was published, Krebs retracted his report because of a federal indictment against his original source.
Nonetheless, that original report sparked widespread concerns about the company's equipment. The financial analysts at Raymond James last month warned Ubiquiti investors that "we see this as a good opportunity to highlight the risks and opportunities as investors think about the evolution of the security landscape. These claims are impactful, as, according to the whistleblower, the company massively downplayed a breach of their entire network that gave the bad actors essentially god mode access to all of the company's networks as well as routers and security products installed in customers' businesses and homes."
In the last 30 days, Ubiquiti's stock has been all over the place. It was trading as high as $389.88 a share on March 26; its closing price on Wednesday was $275.41.
To be clear, most of Ubiquiti's business – including the gadgets involved in the hack – is centered on selling gear such as Wi-Fi routers, security cameras and network video recorders. But roughly a third of Ubiquiti's revenues come from the sale of radio, basestation and backhaul equipment, mainly to fixed wireless network operators. In the US, Ubiquiti's network operator customers have included the likes of Etheric Networks, Common Networks and Rise Broadband.
Those companies and Ubiquiti did not respond to questions from Light Reading about the issue. But another former Ubiquiti customer said he was not surprised about the situation.
"Their security aligns with the overall nature of their equipment, relatively cheap and flimsy," said an executive with a fixed wireless network operator in the US that used to use Ubiquiti equipment. He asked to remain anonymous.
The executive said Ubiquiti suffered a separate hack several years ago that "devastated many equipment users in the US who hadn't properly implemented administrative passwords and found all their gear bricked and requiring truckrolls to manually load firmware. It was a massive problem in the US."
It's true that this year's hack isn't the first for Ubiquiti. In 2015, the company reported that an unknown party stole around $47 million by tricking top Ubiquiti executives via "employee impersonation and fraudulent requests."
Operators trip through security obstacles
Ubiquiti's troubles help to again shine a light on the pitfalls network operators face as they navigate the security landscape. Indeed, operators have long had to keep an eye on the security practices of their vendors. For example, hackers got their talons into vendor Nortel's network as far back as 2000, according to a Wall Street Journal report from roughly a decade ago. More recently, Russian hackers used software from vendor SolarWinds to break into Cox Communications' cable network, according to Reuters.
The topic has geopolitical implications, too. US officials have charged Chinese vendor Huawei as a threat to national security, to the point that the US government is in the process of doling out almost $2 billion to remove Huawei's equipment from all US networks.
And those threats are just on the vendor side. Some hackers have specifically targeted network operators themselves. For example, according to a 2018 report from Cybereason, a hacking operation with nation-state backing – and originating from China – targeted global telecom providers for a number of years in an attempt to gain access to customer call records, location data and other information. Separately, the US Department of Justice said in 2019 that AT&T employees took more than $1 million in bribes to install malware and unauthorized hardware on the company's network.
"Recent cybersecurity incidents demonstrate how vulnerable telcos and their customers are to a wide variety of threats," wrote security research and consulting firm HardenStance in a January report. "As they evolve with digital transformation and a cloud-native deployment model, telco security strategy should prioritize applying more rigor – and up-to-date thinking and techniques – to addressing long-standing vulnerabilities."
Nonetheless, the US telecom industry, in general, is working to prevent government regulators from imposing new security standards. FierceTelecom just this week reported that trade groups including USTelecom, CTIA and the Telecommunications Industry Association (TIA) are urging the Biden administration to support "industry-led technical standards and best practices to address cybersecurity, supply chain and other global challenges."
"We don't want government overreach," TIA CEO Dave Stehlin told the publication.
- Nortel Got Super-Hacked
- Russia-linked cyber group hacks US government agencies
- T-Mobile hacked again