SN 813: A Spy in Our Pocket

Beep boop - this is a robot. A new show has been posted to TWiT…

What are your thoughts about today’s show? We’d love to hear from you!

I changed my password and reset my 2FA on my Ubiquiti account back in January, when this was first announced.

To Veeam, great to see them on board. I’ve been a happy Veeam user for over half a decade now. Excellent and reliable product. I even used the free version to back up my home PC when I tried switching to Linux. When it turned out the hardware was incompatible, I had my 3 SSDs and 1 HDD restored and back running Windows in about an hour. I just needed to apply the monthly security update for Windows that I had missed whilst messing with Linux; everything else was as I had left it. TOP!

They’re a Russian company trying to whitewash their Russian origins because of the Kaspersky spying thing from a few years back. They may be amazing, but I’m not trusting any Russian product because of the way Russia has been acting of late… the FSB (KGB) is notorious for pressuring companies into “hiding” backdoor access in anything and everything. For a recent example: Russia’s Twitter throttling may give censors never-before-seen capabilities | Ars Technica. See also Veeam Relocates Headquarters To United States: Here's Why | ChannelE2E

If you go to their YouTube channel, there appears to be a lot of content in Russian… so clearly they’re not so far removed as they want people to believe: https://www.youtube.com/c/veeam/videos

Also this: https://www.zdnet.com/article/how-a-digital-cold-war-with-russia-could-threaten-the-it-industry/

@Leo what are you gonna do about your Ubiquiti network, and do you still trust it/them?

Also, on the Apple/Google thing: I think that it would make at least some sense that an Android device would transmit more data right after startup, because they do some additional things by default when the device is set up (at least when you log in to your Google account from the setup screen), like email.

Apart from changing your password and resetting the 2FA on the cloud side and double checking the USG firewall rules, if you have one, there isn’t much you can currently do.

Hacked is hacked, you can only batten down the hatches as much as possible.

What damage can they currently do (known facts):

  • Most damaging, they could, possibly, download a custom firmware, but that would need to be signed with the Ubiquiti digital certificate, hopefully they weren’t stupid enough to have that on the cloud servers that got hacked (that should be kept locked up and only available on the internal build server).
  • If you have a USG or other firewall device (Dream Machine, UDM etc.), check to ensure that no additional rules have been added for port pass-throughs (e.g. to allow them to attack an internal PC on your network that would otherwise not be accessible from outside).
  • They could perform a type of denial of service attack by changing VLAN assignments on specific ports of your switches or the VLAN-SSID assignments
  • They could perform a type of denial of service attack by changing the SSID passphrase
  • They could gain access to your network by registering the SSID passphrase (needs local access to the wi-fi network to be of any use)
  • They could gain access to your network by creating a new SSID (needs local access to the wi-fi network to be of any use)
  • Theoretically, they could lock you out of your account (change the password and the registered email address), if they could decrypt the password - or were in a position to change passwords from the admin side.
  • Theoretically, they could lock you out of your account by resetting the 2FA token for the account - assumes through the hack that they got access to the 2FA secret and could either register it themselves or they could change it through administrator access to the UI platform.

As long as the password and the 2FA token have been changed and your firmware and the firewall rules haven’t been changed, there should be relatively little they can do.

If the firewall rules aren’t the same as those in your documentation (i.e. what you set up), then remove them straight away and ensure you have changed your username, password and 2FA again, just to be sure. You will also need to check the machines that were affected by the firewall changes, to ensure that they haven’t been attacked and either taken over or malware installed etc.

If the firmware versions don’t match the versions listed on the Ubiquiti site (check here for the available firmware downloads for your kit: Ubiquiti - Downloads), you should contact Ubiquiti ASAP (you should also isolate all Unifi equipment until you have contacted support, either pulling the plug physically or disabling the uplink ports on non-Ubiquiti switches / routers upstream, so they can’t communicate with the network or the Internet).

Hopefully Ubiquiti support will be able to help you clarify that the firmware is actually correct or they will be able to walk you through manually resetting the device to a current firmware and ensuring there is no permanent malware left behind. (NOTE: it has not been proven that the hackers have been able to get the necessary keys and information to bypass the Ubiquiti firmware update security, this is purely hypothetical, but is something that you should check “to be on the safe side”.)

If your Wi-Fi kit can no longer attach, then it is possible they have changed the SSID passphrase; change them again (don’t put them back to what they were; use a new passphrase and change it on all affected Wi-Fi devices, a pain, but the safest way). This is a sure sign you have been hacked.

If there is a new SSID in your set-up, remove it. This is a sure sign you have been hacked.

If wired kit doesn’t seem to connect properly, check the VLAN settings on your switches and routers, if they don’t match your documentation, reset them as appropriate. There is a good chance you have been hacked.

If in doubt, create a new account, reset the controller (or better still, re-install it, if you aren’t using a cloud key) and either restore it from a known-good backup or reconfigure the system from scratch - this can be a lot of work, if you have dozens of Unifi devices on your network, but probably still cheaper than throwing it all out and configuring a new system from scratch that you are unfamiliar with.

You should also contact your security team / your external security consultant if you found anything anomalous.

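The checks in the post above (firewall rules, SSIDs, VLAN port assignments and firmware versions compared against your own documentation) can be scripted as a drift audit. This is an added example, not code from the post or from Ubiquiti; the snapshot layout, device names, hashes and version strings are constructed placeholders and do not follow the real UniFi backup or API format.

```python
import json

# Constructed sample data in a simplified layout (not the real UniFi backup/API format):
# the documented baseline and a snapshot pulled from the controller afterwards.
BASELINE = {
    "firewall": [{"name": "allow-vpn", "dst_port": "1194", "proto": "udp", "action": "accept"}],
    "ssids": {"home": {"passphrase_hash": "a1b2", "vlan": 10}},
    "ports": {"sw1/port3": 10, "sw1/port4": 20},
    "firmware": {"usg": "4.4.56", "sw1": "5.43.23"},
}
# Snapshot with an added pass-through rule, a changed passphrase, a rogue SSID,
# a port moved to another VLAN and a USG firmware that does not match the vendor list.
CURRENT = {
    "firewall": [
        {"name": "allow-vpn", "dst_port": "1194", "proto": "udp", "action": "accept"},
        {"name": "rdp-in", "dst_port": "3389", "proto": "tcp", "action": "accept"},
    ],
    "ssids": {"home": {"passphrase_hash": "ffff", "vlan": 10},
              "guest-x": {"passphrase_hash": "0000", "vlan": 1}},
    "ports": {"sw1/port3": 10, "sw1/port4": 99},
    "firmware": {"usg": "4.4.50", "sw1": "5.43.23"},
}
# Versions as listed on the vendor download page (constructed placeholders).
VENDOR_VERSIONS = {"usg": "4.4.56", "sw1": "5.43.23"}

def audit_drift(baseline, current, vendor_versions):
    """Return human-readable findings; an empty list means no drift was seen."""
    findings = []
    base_rules = {r["name"]: r for r in baseline["firewall"]}
    cur_rules = {r["name"]: r for r in current["firewall"]}
    for name in sorted(cur_rules.keys() - base_rules.keys()):
        findings.append(f"firewall: undocumented rule '{name}': {json.dumps(cur_rules[name])}")
    for name in sorted(base_rules.keys() & cur_rules.keys()):
        if base_rules[name] != cur_rules[name]:
            findings.append(f"firewall: rule '{name}' differs from documentation")
    for name in sorted(base_rules.keys() - cur_rules.keys()):
        findings.append(f"firewall: documented rule '{name}' is missing")
    for ssid in sorted(current["ssids"].keys() - baseline["ssids"].keys()):
        findings.append(f"wifi: new SSID '{ssid}' present")
    for ssid in sorted(baseline["ssids"].keys() & current["ssids"].keys()):
        if baseline["ssids"][ssid]["passphrase_hash"] != current["ssids"][ssid]["passphrase_hash"]:
            findings.append(f"wifi: passphrase of SSID '{ssid}' changed")
    for port, vlan in baseline["ports"].items():
        if current["ports"].get(port) != vlan:
            findings.append(f"vlan: {port} documented as VLAN {vlan}, now {current['ports'].get(port)}")
    for dev, ver in current["firmware"].items():
        if ver != vendor_versions.get(dev):
            findings.append(f"firmware: {dev} runs {ver}, vendor lists {vendor_versions.get(dev)}")
    return findings
```

Run `audit_drift(BASELINE, CURRENT, VENDOR_VERSIONS)` against a snapshot you exported yourself; any finding is something to reconcile with your documentation before deciding whether the account change alone is enough.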

What I found interesting was that the volume of bits transferred from Google devices was higher, but the actual range of information collected and transmitted by Apple was higher. That means that Apple is using a much more compressed / efficient data collection API (E.g. they are collecting compressed data or a binary format and Google is collecting JSON or XML formatted data).

In terms of bandwidth, you are being charged less for the information Apple is gathering, compared to Google, but Apple is actually collecting more information in the process (assuming a non-flat-rate mobile data package).

I was really disappointed in Steve’s and Jason’s response to the Facebook story. Maybe I missed something, but it seems they were mocking a woman for releasing a statement that was entirely true and actually clarified the situation. They then went on to complain about Facebook (nothing new there). Am I missing something here? The information this story is talking about is information that was collected two years ago. The only difference is that instead of it being available for a price on the dark web, now it is available for free. Yes, it means the data is more widely available for people with bad intentions to exploit, but it’s not like there is anything Facebook could do about this. Through all of this, neither Jason nor Steve provided any action that Facebook could have or should have done here. They just mocked the spokeswoman for doing her job and complained that Facebook had closed the barn door after letting all the information out. This change was made two years ago when the vulnerability that allowed this information to be scraped was found. Maybe they should have locked down their tools better in the first place, and I’m sure this was something that was mentioned in the stories at the time this data was originally obtained.
I guess I just expected more insight from the host of a show titled Security Now. Nowhere in this story did they say that Facebook did anything wrong now (the data was obtained two years ago after all). It really was just a rehash of a story from two years ago and a mocking of Facebook for stating that fact. What else should Facebook have done? The fact that neither host provided any opinion as to what Facebook should have done now shows me they didn’t have any idea what Facebook could have or should have done.
I really think they made this story out to be much more than it really was. Even in the description of the show they note it as Facebook’s Whoopsie. If this was two years ago, sure that makes sense, but the story now should be about how the data from two years ago is now more widely available and people should maybe be more aware of phishing scams. Instead, the show description and the way the story was covered in the podcast make it seem like Facebook screwed up again and it was just another opportunity to bash on Facebook.

I took it as mocking the response not the person.

Yes, you’re right, Facebook SHOULD be saying things like that. It’s not Steve’s job, nor anyone else’s, to do any apologizing or warning on Facebook’s behalf. They should show contrition, admit they screwed up in the past, say that they’re sorry their past screw-ups are still hurting people today, and link them to helpful advice (probably hosted on a Facebook page) on how to stay safe.