Check Point Research assessed the popular Ubiquiti G4 Instant Camera, a compact, wide-angle, WiFi-connected camera with two-way audio, along with the accompanying Cloud Key+ device that supports the application.
Overview
In 2019, Jim Troutman tweeted about denial-of-service attacks carried out on Ubiquiti devices by exploiting a service listening on 10001/UDP. In response, Rapid7 conducted its own assessment of the threat and reported that almost 500,000 devices were exposed to this exploitation. Ubiquiti was made aware of the vulnerability and said the issue had been patched and that devices should be running the latest firmware.
Now, five years later, over 20,000 devices still remain vulnerable to this issue: they answer the same unauthenticated probe from the internet. This serves as a key example of how difficult it is to fully mitigate a vulnerability, not just among desktops and servers, but among Internet of Things devices as well. The data exposed by this probe could be useful in conducting both technical and social engineering attacks. Our research uncovered the sheer magnitude of data that users are exposing, most likely without being aware of it.
CPR’s Attack Surface Assessment
Check Point Research found that, besides SSH and a web server for standard management, the camera exposed two custom privileged processes on its network interface, listening on UDP ports 10001 and 7004. This raised concerns, since a vulnerability in either service could lead to complete compromise of the device. Capturing port 10001 with tcpdump, the researchers identified the Ubiquiti discovery protocol: the Cloud Key+ regularly sent 'ping' packets, both to the multicast address and directly to devices it had already discovered, and the camera answered with 'pong' messages carrying detailed information such as platform name, software version and IP addresses. Two points stood out:
- No authentication: nothing in the discovery packet authenticates the sender, so any host that can reach the port can elicit a response.
- Amplification potential: the response from the camera is significantly larger than the 'ping' that triggers it, and since the source address of a UDP packet can be forged, the device can serve as a reflector in amplification attacks.
CPR sent a spoofed discovery packet on our internal test network, and both the G4 camera and the CK+ responded, validating our concerns.
Internet Replication
We then tested whether this behavior could be replicated over the internet. Despite port forwarding, our own devices did not respond to probes from the internet, most likely because of our specific network setup and NAT. However, using a custom decoder for the discovery responses, we identified over 20,000 Ubiquiti devices on the internet that still answer the probe. Random sampling showed that these devices also responded to spoofed packets.
This issue had been reported earlier and, according to Ubiquiti, addressed: devices running the latest firmware only respond to discovery packets from internal IP addresses. Despite this, about 20,000 devices remain vulnerable. That is a significant reduction from the almost 500,000 reported by Rapid7 in 2019, but it is still a large pool of reflectors, and of exposed device information, five years later.
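The discovery exchange described in the previous section, the decoder used for the internet sweep, and the internal-source-only behavior Ubiquiti describes as the fix, as one added example. This is illustrative Python written for this page, not Check Point's or Ubiquiti's code. It assumes the v1 discovery layout documented by public decoders: the request is the 4 bytes 01 00 00 00; the response starts with 01 00 and a big-endian 16-bit body length, followed by TLV records of a 1-byte type, a 2-byte big-endian length and the value. TLV types 0x01, 0x02, 0x03, 0x0a, 0x0b, 0x0c, 0x0d and 0x0e are taken from those decoders; the 0x14 "model" name is an assumption, and the sample response is constructed, not a capture.

```python
import ipaddress
import socket
import struct
from typing import Dict, List, Optional

DISCOVERY_PROBE = b"\x01\x00\x00\x00"   # the 4-byte 'ping' the Cloud Key+ sends
DISCOVERY_PORT = 10001

# String-valued TLV types: 0x03/0x0b/0x0c/0x0d from public decoders,
# 0x14 (full model name) is an assumption used here for illustration.
STRING_TLVS = {0x03: "firmware", 0x0B: "hostname", 0x0C: "platform",
               0x0D: "essid", 0x14: "model"}


def _mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def parse_discovery_response(data: bytes) -> Dict[str, object]:
    """Decode one v1 'pong'. Any malformed length raises ValueError so a
    sweep over untrusted internet responses is not derailed by one packet."""
    if len(data) < 4 or data[:2] != b"\x01\x00":
        raise ValueError("not a v1 discovery response")
    body_len = struct.unpack(">H", data[2:4])[0]
    body = data[4:4 + body_len]
    if len(body) != body_len:
        raise ValueError("truncated response body")
    info: Dict[str, object] = {"addresses": []}
    pos = 0
    while pos < len(body):
        if pos + 3 > len(body):
            raise ValueError("truncated TLV header")
        t, length = struct.unpack(">BH", body[pos:pos + 3])
        pos += 3
        value = body[pos:pos + length]
        if len(value) != length:
            raise ValueError("truncated TLV value")
        pos += length
        if t == 0x01 and length == 6:            # device MAC
            info["hw_addr"] = _mac(value)
        elif t == 0x02 and length == 10:         # MAC + IPv4, one per interface
            info["addresses"].append({"mac": _mac(value[:6]),
                                      "ip": str(ipaddress.IPv4Address(value[6:]))})
        elif t == 0x0A and length == 4:          # uptime in seconds
            info["uptime_s"] = struct.unpack(">I", value)[0]
        elif t == 0x0E and length == 1:          # wireless mode
            info["wmode"] = value[0]
        elif t in STRING_TLVS:
            info[STRING_TLVS[t]] = value.decode("utf-8", "replace")
        else:                                    # keep raw rather than guess
            info.setdefault("unknown", []).append((t, value.hex()))
    return info


def amplification_factor(response: bytes) -> float:
    """Bytes the reflector returns per byte of (spoofable) request."""
    return len(response) / len(DISCOVERY_PROBE)


def should_answer(src_ip: str) -> bool:
    """The post-fix rule as Ubiquiti describes it: answer only internal sources.
    A forged private source arriving on the LAN side still passes, which is
    what the spoofed test on the internal network exercised."""
    return ipaddress.ip_address(src_ip).is_private


def probe(host: str, timeout: float = 2.0) -> Optional[bytes]:
    """Send one probe to a device you own; returns the raw response or None."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(DISCOVERY_PROBE, (host, DISCOVERY_PORT))
        try:
            return s.recvfrom(4096)[0]
        except socket.timeout:
            return None


def build_response(tlvs: List[tuple]) -> bytes:
    body = b"".join(struct.pack(">BH", t, len(v)) + v for t, v in tlvs)
    return b"\x01\x00" + struct.pack(">H", len(body)) + body


# Constructed sample 'pong' (not a real capture) in the shape the text describes.
SAMPLE_RESPONSE = build_response([
    (0x01, bytes.fromhex("001122334455")),
    (0x02, bytes.fromhex("001122334455") + socket.inet_aton("192.168.1.20")),
    (0x02, bytes.fromhex("001122334456") + socket.inet_aton("10.8.0.20")),
    (0x03, b"XW.ar934x.v6.2.0.32940.200725.0025"),
    (0x0A, struct.pack(">I", 259215)),
    (0x0B, b"Acme Roofing - J. Doe - 12 Main St"),
    (0x0C, b"LBE-M5-23"),
    (0x0D, b"acme-ptp-link"),
    (0x0E, b"\x02"),
])

if __name__ == "__main__":
    print(parse_discovery_response(SAMPLE_RESPONSE))
    print(f"amplification x{amplification_factor(SAMPLE_RESPONSE):.1f}")
```

Running the module decodes the constructed sample and prints an amplification factor well above 30x for a 4-byte request, which is the property that makes an unauthenticated UDP responder attractive as a reflector. The decoder keeps unknown TLV types as raw hex instead of guessing at them, and the hostname field is exactly the data the next section discusses.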
Privacy Concerns
This situation highlights the difficulty of fully mitigating vulnerabilities, particularly in IoT devices, and the exposure is not limited to denial of service. Decoded hostnames revealed detailed information about the devices and their owners, including names and locations, which could be exploited for social engineering attacks. Examples of exposed data include:
- Device identification: hostnames revealing device types such as NanoStation Loco M2 or AirGrid M5 HP.
- Owner information: full names, company names and addresses, providing breadcrumbs for targeted attacks. Some devices even carried hostnames like “HACKED-ROUTER-HELP-SOS-DEFAULT-PASSWORD,” indicating they had already been compromised, most likely through default credentials, as the string itself suggests.
Responsible Disclosure
Check Point Research contacted Ubiquiti about the devices that responded to the internet probe. Ubiquiti informed us that the issue has been patched: devices running the latest firmware should only respond to discovery packets sent from internal IP addresses.