(a) used hardware that had known firmware security holes AND forced every Unifi customer to use said hardware
(b) installed a “backdoor” into each Unifi-distributed router on the pretext that it would be used by Unifi remote technicians should the customer need help. The problem is that this backdoor can be used by ANYONE, not just Unifi staff
One of the LowYat.net forums members found both problems and posted an extensive guide about how users can fix the problems above themselves. However, by doing so, he has also brought visibility to the problem, and any customer who does not follow his advice is vulnerable to a blackhat hacker attack.
The same person also recently did a scan of the Unifi network, and at least 60% of the customers seem to be either unaware of the weaknesses in the system, or aware of the vulnerabilities but have chosen not to, or are unable to, do anything about them. For these people, numbering in the thousands of customers (including business customers!), the end result is the same: their networks are vulnerable to hackers and can be disabled, hacked, exploited, and invaded AT ANY TIME.
After reading the guide, even someone like myself, who has zero knowledge of Linux or hacking, should be able to get into an unsecured Unifi router with little more than a single click of a button.
Potentially, this means that someone who is really deranged could disable 60% of the Unifi network by crashing the customers’ routers: write a script to auto-scan the network for unsecured routers, tap into each one through the “backdoor” TM has placed in every router, and disable the router permanently, e.g. by replacing the firmware.
The question is whether or not this person should have released information about the vulnerability in the first place. I’m thinking that he did the right thing — if he hadn’t told the community about the vulnerability, then only the “people in the know” would have had the knowledge, 99% of the Unifi network would be insecure, and any person belonging to the 1% group could exploit the network as he pleased.
At least now, 40% of the Unifi customers have secured their routers, are aware of the vulnerability, and have taken steps to protect themselves, such as replacing the vulnerable routers altogether. And now TM is aware that the customers are aware, which should put pressure on them as an organization to do something about it. If they don’t, does this open them up to a massive class action lawsuit? Possibly. Imagine if a hacker used this backdoor to invade your network, stole all your banking account passwords and/or caused damage to your business — wouldn’t TM be liable?
This is the guide written by the LowYat forumer, with his explanation and instructions on how to fix the vulnerability:
If you’re a Unifi customer, I strongly suggest you read it and apply the countermeasures mentioned there.
Edit: Read this EXCELLENT follow-up from the LowYat forumer who found and helped us patch the vulnerability. He discusses the sort of havoc a blackhat hacker can wreak on anyone on the unsecured Unifi network.