Thank you Ubiquiti... massive bot-net

MrGuvernment
https://threatpost.com/default-cred...ve-ddos-for-hire-botnet/112767#comment-504523

The part that I am curious about was:

> Incapsula discovered a botnet, still largely active, that primarily consists of routers manufactured by the California-based networking company Ubiquiti Networks. While the firm initially assumed the routers suffered from a shared firmware flaw, researchers were able to determine that all units are remotely accessible via HTTP and SSH on their default ports, and could also be accessed via vendor-provided default login credentials. This opens the routers up to eavesdropping, man-in-the-middle attacks, cookie hijack, and gives attackers the ability to gain access to other local network devices.

Wondering, are these solely routers or APs, and if routers, WHY are they shipping by default with administration over WAN open?

Also I would say all routers nowadays should be prompting people to run a setup to set a user and pass and do away with the "default user and pass" settings, as we know most users are too lazy to change them and set up their systems correctly.
 
I'm not sure how credible that source is. We ran a scan against our ERL and none of the ports listed are open from the outside.
 
The article(s) are just being sensationalist.

Most routers come with default credentials, most even are not locked down. So this isn't something out of the ordinary. I will however say that the Edge Routers should be easier for a novice to lock down than they currently are.
 
> The article(s) are just being sensationalist.
>
> Most routers come with default credentials, most even are not locked down. So this isn't something out of the ordinary. I will however say that the Edge Routers should be easier for a novice to lock down than they currently are.

Though I'd argue that the EdgeRouters aren't for JoeBlow with no experience.
 
Pretty standard stuff. You would be amazed at how many organizations don't change this stuff.
 
It is scary how many people leave defaults... *runs and starts running an IP scanner on the internetzzzz*
 
This is nothing more than idiots not changing the default username, password, and ports.

All of these settings are configurable on UBNT products. The reason why access is not blocked by default on the WAN side is that UBNT products don't often have a true WAN side AND they are not intended for amateurs.

If someone is too stupid to look at the big orange banner telling you to change the default username, check the box that says disable remote management, and/or change ports then they are not the target audience.

Here is what I am talking about:
[image: PSpCrNo.png]

[image: OZV6Uqn.png]
 
I guess on any device I have seen, remote management is disabled by default.

Sure people ignore stuff, and we know how inept end users can be, but why make it even easier for them?
 
> I guess on any device I have seen, remote management is disabled by default.
>
> Sure people ignore stuff, and we know how inept end users can be, but why make it even easier for them?

Because these devices are intended for WISPs/Businesses and not the consumer (at least not configuring by the consumer). If I am a WISP configuring a 2 mile link, I sure as fuck don't want to get locked out of remote access because it was set by default and now I have to go drive 25 minutes to the other end just to re-enable it. Tuning the security parameters is something that I do AFTER I have my link stable and am satisfied by the results.

End users should be messing with this on a WAN connection just about as often as they should be messing with a PIX/ASA on a WAN connection.
 
Well that's fine if idiots are not the target audience. If only someone had told that to the idiots that now target the Internet with their fine botnet.

> Because these devices are intended for WISPs/Businesses and not the consumer (at least not configuring by the consumer). If I am a WISP configuring a 2 mile link, I sure as fuck don't want to get locked out of remote access because it was set by default and now I have to go drive 25 minutes to the other end just to re-enable it. Tuning the security parameters is something that I do AFTER I have my link stable and am satisfied by the results.
>
> End users should be messing with this on a WAN connection just about as often as they should be messing with a PIX/ASA on a WAN connection.

And how does that prevent the ISP from properly configuring remote access before shipping the unit? You don't send it completely unconfigured anyway.
 
As said, these are easy to lock down and designed for WISP usage.

This is not the same as normal internet router usage. Most WISP installs have the client radios managed by the headend. Thus the true external access is upstream.
 
If this is professional gear, then it makes even less sense to ship it default open.

Why should a hardware manufacturer ship the devices wide open if their intended usage is by ISPs who send them pre-provisioned to customers? The ISPs need to touch them anyway to work with their setup, so a default-closed state wouldn't affect them at all. They'd just provision an additional SSH key or whatever remote access method in addition to their network credentials.

The argument is completely backwards.
 
To manage it they should be using VPNs to link locations and LAN IPs to manage, not open HTTP / SSH on a WAN link, and HTTP at that, not even HTTPS... let's sniff some packets while we are at it!
 
> If this is professional gear, then it makes even less sense to ship it default open.
>
> Why should a hardware manufacturer ship the devices wide open if their intended usage is by ISPs who send them pre-provisioned to customers? The ISPs need to touch them anyway to work with their setup, so a default-closed state wouldn't affect them at all. They'd just provision an additional SSH key or whatever remote access method in addition to their network credentials.
>
> The argument is completely backwards.

This is a BS article that doesn't take the use case into consideration. This is also NOT about the EdgeRouters. EdgeRouters block access from the WAN by default (actually, by default there is no WAN, LAN, or anything). This article is about the 8 year old Ubiquiti "AirRouters". The AirRouters were designed to be installed and managed by a WISP, not the customer. That's why WAN access is open by default. It was designed to be the end point on a WISP's LAN, where the WISP blocks access at THEIR edge.

Unfortunately these started showing up on Amazon after they were discontinued in 2011 (probably retailers trying to offload old stock), allowing non-technically savvy people to buy them.

You need to think about this like a WISP. To a WISP, the customer's WAN is your LAN. The WAN port is the "safe" side, the customer's LAN side is what you need to protect yourself from.
 
Uhh, yeah. Reread my last post.

I did, and you're still thinking of this as remote access. This is not remote access, these devices are on your LAN, this is local access. The web UI is never exposed to the internet. These are not sent to customers pre-provisioned. They are set up on site by a professional because it is impossible to tell which AP you are connecting to unless your tower sites are very simple (this is another issue with Ubiquiti, there's no "installer" user, only full admin and read-only).

WISP networks are different from ISP networks, most WISPs operate on a bridged LAN with NAT. Customers never see the management LAN, and the internet never sees the management LAN.

Ubiquiti changed this behavior in v5.5.2 of their firmware anyway, which was released in 2011. WISPs complained for a while, so they made it a checkbox item instead in 2012.

I still blame the vendors for selling End of Life "enterprise" hardware with out of date firmware to random consumers and touting it as a "new" replacement for their Linksys router. These things don't even support MIMO, and they have 10/100 ports only.

I am awaiting the Author's follow-up article that complains about unpatched vulnerabilities in Cisco CatOS and Windows 98.
 
wizdum is correct. Those of you thinking of traditional ISP setups are not getting how WISP setups are typically deployed and managed. It is much more like a LAN than a WAN and that is best practice.

Think of it closer to ethernet handoff (where the "ISP" equipment is typically just a managed switch). Then again, unless you have worked closely with a telco most probably do not realize how that works either...
 
I think by and large it's shame on whoever did not config their equipment. If you are not bright enough to change default passwords and secure your network, you have it coming and deserve it. There needs to be more responsibility for those who are deploying equipment blindly, especially using default passwords, ports, and not doing due diligence to secure their equipment/LAN.
 