Ubiquiti blunder let some folks view others' security cameras, accounts

Ubiquiti says it fixed a bug that allowed some of its customers to glimpse strangers' security camera footage and access accounts and devices that didn't belong to them. The surveillance and networking gear maker blamed a cloud system misconfiguration for the privacy breach, and said as of late Thursday "the problem is solved …

  1. An_Old_Dog Silver badge

    "Cloud" Misconfiguration?

    Not being a cloud expert, I don't see how a cloud-system misconfiguration could cause this. I don't see how even a misconfiguration of a computer, which just happens to be in the cloud, could cause this.

    Seems to me this is just another programming error (or set of multiple errors).

    1. Alex Brett

      Re: "Cloud" Misconfiguration?

      The common cause for things like this is that you try to move authentication/session handling to a load balancer, but get it wrong so the LB uses a backend connection with someone else's user identity and thus the backend server thinks you're someone else and serves up their info...
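An added illustration of the failure mode described in that reply, not code from the original thread or from Ubiquiti: a toy load balancer that pools backend connections and, in its buggy configuration, binds the authenticated user to the connection when it is first opened, so a later request from a different client that reuses the connection is served as the first user. The account names and camera feeds are constructed sample data.

```python
# Simulated reverse proxy / load balancer with a backend connection pool.
# Bug: identity is cached on the pooled connection at setup time instead of
# being forwarded with every request, so connection reuse leaks another
# user's data. Setting per_request_identity=True shows the corrected flow.

# Constructed sample data: which camera feeds each account owns.
CAMERA_FEEDS = {
    "alice": ["alice-front-door"],
    "bob": ["bob-garage", "bob-garden"],
}


class Backend:
    """Backend trusts whatever identity the load balancer presents."""

    def handle(self, user):
        return CAMERA_FEEDS.get(user, [])


class BackendConnection:
    def __init__(self, backend):
        self.backend = backend
        self.bound_user = None  # identity cached at connection setup (the bug)

    def send(self, user):
        return self.backend.handle(user)


class LoadBalancer:
    def __init__(self, backend, per_request_identity):
        self.backend = backend
        self.per_request_identity = per_request_identity
        self.pool = []  # idle connections reused across unrelated clients

    def request(self, user):
        conn = self.pool.pop() if self.pool else BackendConnection(self.backend)
        if self.per_request_identity:
            identity = user  # correct: identity travels with each request
        else:
            if conn.bound_user is None:
                conn.bound_user = user  # wrong: first user owns the connection
            identity = conn.bound_user
        result = conn.send(identity)
        self.pool.append(conn)  # connection returned to the shared pool
        return result


def simulate(per_request_identity):
    """Alice talks first, then Bob reuses the pooled connection."""
    lb = LoadBalancer(Backend(), per_request_identity)
    lb.request("alice")
    return lb.request("bob")
```

With the buggy setting, Bob's request returns Alice's feed; with per-request identity he gets only his own.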

  2. elsergiovolador Silver badge

    Someone else's computer

    Not ours

  3. Ace2 Silver badge

    I love, love, love my Ubiquiti wireless access point. Hasn’t so much as burped in years since I installed it.

    It’s not cloud-connected though… never would, never will…

    1. FIA Silver badge

      I'd be more concerned about your other APs that are burping if I were you?

      Have you lost any family pets in odd circumstances?

    2. Altrux

      Same - excellent kit, managed via the on-prem "cloud key" (strange name) console. I can access it remotely via a WireGuard VPN client to my home magic box. The Wi-Fi and UniFi cameras are excellent, and I'm very pleased with this dramatic upgrade to the home network.

  4. ChoHag Silver badge
    FAIL

    Why do you have the data?

    If you must have it, why is it not encrypted per-user rendering it useless noise ~if~when it accidentally slips out?

    > "less than a dozen" folks had strangers remotely accessing their accounts

    One random stranger poking around inside my house is one too many. And the permission to do so was granted by the security provider!

    Clowns.

    1. FIA Silver badge

      The irony is this is par for the course in the security industry.

      There's a particular CCTV maker that had (still has?? haven't checked in years) a hardwired and unchangeable login for their (often web exposed) systems.

      It's not visible in the UI, so you won't know it's there, but the support staff do, and some forums.

      Good job Shodan's not a thing, eh.

  5. Anonymous Coward

    Sigh

    unless it's *your* encryption, it's a waste of time.

  6. Altrux

    Good kit though

    Oh dear - shame, because the UniFi kit is really, really good. I've just upgraded my whole home network, using a Ubiquiti PoE switch, a confusingly-named "Cloud Key" console (meaning your data and camera feeds are stored locally on the 1TB device, /not/ in the cloud), a couple of cameras and a couple of Wi-Fi APs. Doorbell to follow next. It's brilliant: easy to use, very nicely designed, works out of the beautifully-packaged box (they even include a tiny spirit level to use when fixing the wall-mount plates!), gets regular software / functionality updates, and requires no subscription of course.

    I can access it remotely, only because I set up a VPN to my home magic box (and I have a static IP), then I point the app or browser at the private IP, either on my laptop or phone. I'm very happy with the setup, and presume I'd be immune to this security snafu, since I'm not using their cloud-based accounts, but the fully on-my-prem behind-a-VPN setup.

  7. Piro

    Sigh

    Boring. Why does everything end up being crap? I guess VPN is the only way

    1. Ken Moorhouse Silver badge

      Re: Why does everything end up being crap?

      My eufy doorbell has been working for a long time now.

      However, thanks to a feature foisted upon me called Local AI, by the time I get alerted to a courier ringing the doorbell, the driver has revved up his engine, and is long gone.

      I suppose it is a useful feature. I missed all sorts of Trick or Treaters this year - except one particularly persistent group of kids who thought I looked real scary: Hey I always look like this.

  8. ovation1357

    What a mess! A product like this needs to be secure by design such that this kind of blunder simply isn't possible.

    This is exactly the reason that there's no chance I'll be getting any "cloud" connected cameras or microphones any time soon.

    The kids keep asking if we can get an "Alexa" - nope!

    It's a real shame this serious breach of trust comes from UniFi because, like several other posters, I have been very impressed with their products and although I'm not considering any cameras (even on-prem ones), I'll be a bit more wary of their security next time I'm looking at their products.

    1. Piro

      Exactly

      It shouldn't be possible. The device is on-prem, all the data is on-prem.

      Ubiquiti should be providing a proxy to your device, using encryption that is only ever accessible from your account to the devices that match, your device should be rejecting all connections which don't have the appropriate key.

      The fact this clearly isn't happening is insanity.

      They need to do a total rethink of their security model. This has made me immensely distrustful of them, and I'll have to take measures.

      1. Korev Silver badge
        Mushroom

        Re: Exactly

        Ubiquiti should be providing a proxy to your device, using encryption that is only ever accessible from your account to the devices that match, your device should be rejecting all connections which don't have the appropriate key.

        When you install their software, they're very keen for you to use their "Cloud" offering and IIRC it's on by default

        Cloud gone wrong icon -->
