Monday we looked at issues with the business class routers at Juniper Networks and Cisco Systems. Today we are going to look at an exploit affecting the Ubiquiti brand of cable modems.
Cable and DSL “modems” are used by most consumers, and many small businesses to connect their home or business network to the Internet. These “modems” are really routers.
(It has been a personal pet peave of mine that these devices were called modems when they were introduced in the middle 1990s. These devices are routers. The telcos and cablecos called them modems because consumers already knew about dial-up modems, and they figured it would reduce confusion. Sort of like when early auto makers called their product a “horseless carriage.”)
Anyway, it was reported by security company Imperva that there is a huge botnet comprised of tens of thousands of Ubiquiti routers. These routers were delivered to the ISPs (Internet service providers) that ordered them with the remote access port enabled and very easy default passwords (ubnt/ubnt). This allows anyone to remotely connect to a Ubiquiti router and make changes to the software or monitor traffic, just as the backdoor on the Juniper products did.
Ubiquiti’s defense, if it is one, is that the orders from the ISPs requested this feature be enable to make it easier for their techs and support personnel to help their customers to set up their Internet connection. Evidently, policy at the offending ISPs was to leave the default passwords in place. Geographically, the largest offending ISPs appear to be in Brazil, Thailand, and the United States.
Ubiquiti also recently fell victim to the “CEO Fraud” scam warned about by the FBI in January 2015, to the tune of $46 million in fraudulent money transfers. Evidently not the sharpest of tacks are working at Ubiquiti.
Most of these routers are engaged in extortion exploits using DDoS (distributed denial of service) attacks. Some of these routers are actually being used by more than one cyber-gang. Some of them, have software on board that searches the Internet for other Ubiquiti routers to attack.
So if your ISP uses Ubiquiti products, you may want to call them up and have them change or better yet turn off the remote access portal. This is something that you could do yourself, and instructions can be found at the Ubiquiti support site.
On Friday we will be ending our “Router Week” series with an good new solution for home and small business router users.