![]() ![]() We can also see from the product version table above that along with being exposed to attackers, most of the devices in each product family are running outdated versions. It seems that attackers have already identified additional problems with these devices and have exploited over 17,000 of them, as evinced by the defaced hostnames. ![]() HACKED-ROUTER-HELP-SOS-HAD-DEFAULT-PASSWORD HACKED-ROUTER-HELP-SOS-WAS-MFWORM-INFECTED The patterns observed seem to reinforce the smaller ISP/WISP theory, as many of them seem to map back to defaults correlating popular ISPs around the world.īy inspecting the name of the device, which will generally default to something based on the model name or whatever is configured at initial install, we see even more troubling patterns: Name In some cases, the discovery response includes the ESSID of the device if it is wireless-enabled. For example, by grouping by the model names returned by these responses, we see big clusters around all sorts of Ubiquiti models/devices: Product Similar analysis by registered owning organization shows that many of these are ISPs, many of which are probably wireless ISPs (WISPs).īy decoding the responses, we are able to learn about the nature of these devices and clues as to how or why they are exposed publicly. That is a lot of devices.Įxamining where these devices live shows that Brazil is home to more than half of these, with large chunks in the U.S., Spain, and elsewhere: ![]() This showed 498,624 unique IPv4s with port 10001/UDP open, 487,021 unique IPv4s confirmed to be speaking this discovery protocol, and 486,388 unique physical devices based on MAC address tuples found in the responses. In order to understand more about this issue and inform fellow defenders in the information security community, we performed a Sonar study of port 10001/UDP, where we collected and analyzed the responses by parsing out the distinct fields returned in UDP payload. It is unclear what other capabilities exist in this service, but it would not be surprising if there were other management capabilities baked in or nearby. With such a large quantity of potentially vulnerable devices exposed, a DoS harnessing the available bandwidth and power of these systems could be used to conduct an attack in excess of 1Tbps, which is a crippling amount of traffic to all but the most fortified infrastructure. The amplification factor is 30-35x but does not appear to suffer from multi-packet responses, at least with what is known today. At least this portion of the protocol is quite simple, requiring a simple 4-byte message that elicits a large response including the name, model, firmware version, IPs, MACs, and sometimes the ESSID if it is a wireless device of some manner. Research has learned that this service is used for a variety of things, including device discovery to facilitate easily locating of Ubiquiti devices in a managed environment. Ubiquiti recently acknowledged that this was an issue, has released a workaround, and is in the process of putting together an official fix. Quick sleuthing by the security community showed that this issue has been brewing since the summer of 2018. 29, the Rapid7 Labs team was informed of an interesting tweet by Jim Troutman indicating that Ubiquiti devices were being exploited and used to conduct denial-of-service (DoS) attacks using a service on 10001/UDP. Last updated at Thu, 14:21:28 GMT Introduction ![]()
0 Comments
Leave a Reply. |