The tweet seems to imply that the entire Ubiquiti Networks line of network hardware could be compromised.
That's a shame; I was thinking of installing some in my house.
I'm sure that Ubiquiti's customers will not be happy if they find out that the US Govt can access their private data.
I assume by default that any hardware from any NATO nation is compromised by the NSA and other Western intelligence agencies. I also assume that any Chinese or Russian hardware is compromised by their respective intelligence agencies. And I assume that the NSA and other Western agencies are constantly trying to get backdoors into Chinese hardware (and I assume the Chinese are trying the do the same to ours). You're basically screwed no matter what.
I think it’s worth noting that these vulnerabilities affected devices which had their management page open to the internet, which is universally known as a bad idea. At least the ones I’ve seen.
There is a big difference between an exploit affecting all devices vs a subset which requires a specific not-best-practice configuration. Regardless, still good to be aware they exist.
> they’re Latvian and don’t necessarily have to bow to the NSA.
The majority (I'd say all) of the Eastern-European countries that are also NATO members do in fact bow to the US, and thus to the NSA/FBI/the Secret Service.
In a world where local PD can kick my door in, shoot me in the face, and the news will report that I had it coming because I own a gun, I find it hard to care that the IC can burn a technical access backdoor to access my private data.
I'm currently replacing my network equipment with Mikrotik, not because I believe it to be safer than Ubiquiti, but because then at least it's made in the EU.
But now I'm thinking: Is it better that the US is spying on me in Europe, vs. having EU governments do it? I feel like I'd be somewhat more safe from the US, compared to if my own government decides to spy on me. Maybe I should look into Chilean network equipment; I can't imagine that they'd have much interest in my online activities.
> But now I'm thinking: Is it better that the US is spying on me in Europe, vs. having EU governments do it? I feel like I'd be somewhat more safe from the US, compared to if my own government decides to spy on me.
> In recent years, documents of the FVEY have shown that they are intentionally spying on one another's citizens and sharing the collected information with each other, although the FVEYs countries claim that all intelligence sharing was done legally, according to the domestic law of the respective nations.
So in practice, it's entirely irrelevant: your data will end up Hoovered up by someone, coated with a veneer of legality, and provided back to your government to act on (or not).
Don't be too interesting to your government, I guess?
Europe doesn’t make that many chips (unfortunately), chances are high there’s US/Chinese components in there too. Since your network hopefully sees mostly encrypted traffic anyway (even if you're running Plex on the LAN, that should use SSL), I'd be more concerned about HW in desktops, notebooks and tablets.
In democratic countries we also have rights against (unjustified) spying by our governments. Sounds like a better long-term plan for everyone is to make them work. Especially when even the ideal equipment won't do much against metadata spying by ISPs and cellphone carriers...
okay, so assuming the US gov can access my private LAN data due to my use of the Ubiquiti USG as router/firewall, USG wifi APs etc, of what form would this data exfiltration take? can we please explore/explain how this "compromise" would happen in real-life.
if i were sniffing for outbound WAN traffic as root on the unix-like that the USG run, would i see the exfiltration traffic? or is this [supposedly/apparently] happening at a lower layer that an OS can't see i.e. some kind of BMC or BIOS layer?
wouldn't such traffic also have to navigate the varieties/restrictions of DOCSIS etc? or are they also compromised?
is the worst-case scenario here some kind of giant C2 network with waves hands tons of compromised lower-than-OS mini pieces of firmware exfiltrating data over waves hands compromised network providers hardware into the giant NSA AWS cloud?
Would be an interesting experiment to see what an oscilloscope sees on the wire vs what tcpdump records... There was a story somewhere on the net where someone complained that they wanted to include a do-not-record payload parameter in tcpdump and couldn't get it through.
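The sub-thread above asks whether an on-box packet capture would reveal traffic leaving the appliance. One defensive check a practitioner can run is to capture the same interface twice, once on the device itself and once from an upstream mirror port or tap, and diff the flows. Anything the tap sees that the on-box capture does not is either a capture gap or traffic the device's OS is not showing you, and either way deserves a look. The script below is an added example, not code from any commenter or from Ubiquiti; the two capture texts are constructed samples in a simplified tcpdump-like summary format (a real tcpdump line carries a timestamp and more fields), and the flow key is the usual 5-tuple.

```python
import re
from collections import Counter

# Constructed sample "captures" (NOT real traffic). The format is a simplified
# tcpdump-style summary: "IP src.sport > dst.dport: proto length N".
# The tap copy contains one extra flow (to 203.0.113.99:443) that the
# on-box capture never recorded.
ONBOX_CAPTURE = """\
IP 192.0.2.10.51512 > 198.51.100.7.443: TCP length 517
IP 192.0.2.10.51512 > 198.51.100.7.443: TCP length 1400
IP 192.0.2.10.53124 > 203.0.113.53.53: UDP length 64
"""

TAP_CAPTURE = """\
IP 192.0.2.10.51512 > 198.51.100.7.443: TCP length 517
IP 192.0.2.10.51512 > 198.51.100.7.443: TCP length 1400
IP 192.0.2.10.53124 > 203.0.113.53.53: UDP length 64
IP 192.0.2.10.40001 > 203.0.113.99.443: TCP length 312
IP 192.0.2.10.40001 > 203.0.113.99.443: TCP length 1200
"""

# One summary line: the last dotted component of each address is the port.
LINE_RE = re.compile(
    r"^IP (?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): "
    r"(?P<proto>\w+) length (?P<length>\d+)$"
)


def parse_flows(text):
    """Map each (src, sport, dst, dport, proto) 5-tuple to total bytes seen."""
    flows = Counter()
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip lines that are not packet summaries
        key = (m["src"], int(m["sport"]), m["dst"], int(m["dport"]), m["proto"])
        flows[key] += int(m["length"])
    return flows


def find_blind_spots(onbox_text, tap_text, tolerance=0):
    """Return flows the tap saw that the on-box capture missed or under-counted.

    tolerance allows a few bytes of slack for captures that did not start
    and stop at exactly the same instant.
    """
    onbox = parse_flows(onbox_text)
    tap = parse_flows(tap_text)
    findings = []
    for key, tap_bytes in sorted(tap.items()):
        onbox_bytes = onbox.get(key, 0)
        if tap_bytes - onbox_bytes > tolerance:
            findings.append(
                {"flow": key, "tap_bytes": tap_bytes, "onbox_bytes": onbox_bytes}
            )
    return findings


if __name__ == "__main__":
    for f in find_blind_spots(ONBOX_CAPTURE, TAP_CAPTURE):
        src, sport, dst, dport, proto = f["flow"]
        print(f"{proto} {src}:{sport} -> {dst}:{dport}: "
              f"tap saw {f['tap_bytes']} bytes, on-box saw {f['onbox_bytes']}")
```

In practice you would feed both functions the output of `tcpdump -nn` run on the device and on a host attached to the mirror port, after normalising the lines to the summary shape the regex expects. A flow that shows up only on the tap is the signal; the reverse case (on-box only) usually just means the tap missed the start of the capture.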
Pretty sure only the EdgeRouter and some of the older Unifi Security Gateways use Cavium chips. Most of the newer stuff (like the Dream Machine line) I don't think are anymore. None of the Unifi APs did either I don't think (the U6 ones have Mediatek chips in them)
Yeah, I have one at home too, so I really want more detail on what the exploit is (I wonder if it is perhaps IPSEC specific, like an RNG flaw since they talk about VPN and encryption appliances, or it could be something to do with Cavium HSMs and unrelated to the network processors).
If you're not under the threat cone of nation state surveillance (like trying to exfiltrate the radar-absorbing paint formula on the F35) then I wouldn't be too concerned.
"That's not the point! It's about privacy!"
Sure. I'll choose to ignore the fact that our civilization is somehow still functioning in a post-nuclear world.
It's not about privacy, it's about security. If there's a backdoor in a HSM or network interface, that backdoor can be used by others as well. That might start with foreign nation states, but might eventually leak to regular private persons or entities as well.
A backdoor is an extra attack vector with often very unfavorable properties that you as a user are unaware of.
A man is being executed in Saudi Arabia for tweeting a negative tweet about the government to his tiny following. Not exactly someone who thinks they are a target of a nation state.
100% agreed. If you’re concerned about privacy, being tracked online by corporations is a bigger concern than the NSA. If you’re the target of an NSA investigation, you’re already fucked. Changing your network equipment is not going to help.
On the contrary, changing equipment may actually help quite a bit when dealing with the NSA. The 2016 documentary "Zero Days", which was centered around the creation of Stuxnet, showed that the NSA targeted specific hardware models to look for security holes. They had to buy matching hardware themselves and rigorously try to break it, which took time and wasn't trivial to do.
And in the mean time, all my browsing, payment, and location data collected by corporate ad brokers got handed over to the NSA for just the cost of a letter.
I don’t see the point in constantly changing hardware that I don’t even know is safe, just to prevent what will already happen.
You don't see the point in constantly changing hardware, but you have no problem with changing subject, I see. I would encourage you to give Zero Days a watch sometime.
> If you're not under the threat cone of nation state surveillance
The average reader may be surprised by how far this cone can extend in some circumstances.
It has been established that the NSA conducts industrial espionage [0], under the cover of national security [1]. To what degree the term "national security" narrows down the scope of any surveillance measures is likely unfamiliar to the layman, but an NSA representative gave a short description of the agency's views in that regard in 2013:
"The intelligence community's efforts to understand economic systems and policies, and monitor anomalous economic activities, are critical to providing policy makers with the information they need to make informed decisions that are in the best interest of our national security." [1]
While it affirms that it does not steal trade secrets, the NSA reserves the right to pass on critical information about economic developments towards policy makers, who then can use this knowledge in their decision making.
Notable examples of industrial espionage conducted by the NSA consisted of spying on EU antitrust regulators investigating Google for antitrust violations [1], alleged espionage of business conducted by Brazilian oil giant Petrobras [2], international credit card transactions [3], SWIFT [4], and the infamous allegations of espionage against European defense company EADS [5].
It's noteworthy that this short list only comprises cases that got the attention of the media; the actual list of targets in Europe was much longer, about 2000 companies in Europe, many of them defense contractors. [5]
So, to summarize, it may be much easier to fall into this cone than one would assume. The agency is also at odds with its own claims, as this excerpt from a Guardian article [2] clearly shows:
"The department does not engage in economic espionage in any domain, including cyber," the agency said in an emailed response to a Washington Post story on the subject last month.
[...]
"We collect this information for many important reasons: for one, it could provide the United States and our allies early warning of international financial crises which could negatively impact the global economy. It also could provide insight into other countries' economic policy or behavior which could affect global markets."
But he again denied this amounted to industrial espionage. "What we do not do, as we have said many times, is use our foreign intelligence capabilities to steal the trade secrets of foreign companies on behalf of – or give intelligence we collect to – US companies to enhance their international competitiveness or increase their bottom line." [2]
To me these statements are mutually exclusive: How is providing policy makers with insights from foreign politics and possible industrial espionage (i.e. not necessarily actual technologies, but research objectives of foreign companies) not giving an advantage to domestic companies, if those policy makers act appropriately?
The NSA has been caught lying before (see: the Snowden leaks) so I wouldn't trust them to be forthcoming about their industrial espionage, if they are engaging in it. Of course they'd deny it.
> How is providing policy makers with insights from foreign politics and possible industrial espionage not giving an advantage to domestic companies, if those policy makers act appropriately?
Let's imagine OpenAI was a Russian company operating mostly in secret. This RU OpenAI secretly discover and use GPT-4-like technology, and show promise that they are not done innovating. While these LLMs are often overhyped, these recent innovations no doubt present a policy issue, right? I'd say there are legitimate national security reasons to know about that technology, not just about making money or making a better product for cheap.
The distinction being made is that the NSA may steal data related to this, but they aren't just giving it to Google to make Bard better. They are getting intel and giving lawmakers the tools to fund research, write policy, or whatever else our elected representatives deem beneficial. Any side action or under the table dealings would make this distinction meaningless of course. So, for the example above, if we started funding departments to research the threat of LLMs/AI, inform the public of the issue, and inform companies that their data is being pillaged to train AI... that is all very different from just stealing a cool new widget design and getting it to market first.
I think there's no debating that this is morally gray, but I think it's a few steps off of what other nation states are doing by stealing tech and implementing it in "private" companies. It's certainly worthy of criticism, but I think it's unhelpful to bucket it with the other type.
If the LLM example isn't your thing, it also makes a lot of sense for the NSA to steal information related to weapon/defense tech, even if developed by a private company, and even if we use what we stole to implement countermeasures. I can't honestly be morally outraged about invading the privacy of someone developing tools of war against you. Fwiw, I wouldn't blame Russia or China for trying this against the US gov or defense contractors either, but it's not like I'd be happy about it. My point is that that is not so much economic espionage or corporate espionage as much as it is just plain old espionage. It saves lives and protects American hegemony - which I recognize may be counter to many people's ideal situation.
It's a nuanced thing. When you take two morally questionable things and reduce them down to both just being bad, the ones doing the worse things benefit. E.g. "all politicians lie" is a handy phrase for truly corrupt politicians because the ones who make small mistakes or half-truths are in the same bucket as them, and the outcome is apathy for the issue rather than being upset at all of it. Kinda the classic whataboutism trope - not to imply you are doing that, but just to say that's where it often leads.
So we're evaluating the US policy on international espionage on constructed examples now?
> Let's imagine OpenAI was a Russian company
Never mind that they're not and that Russia can't currently develop these models, due to lack of silicon. All targets I mentioned, with the exception of the Brazilian oil company, were in European states, at the time (and still!) closely allied with the US.
> The distinction being made is that the NSA may steal data related to this, but they aren't just giving it to Google to make Bard better.
How would you even know at this point? Who controls the NSA? There haven't been any leaks since the Snowden revelations and there likely won't ever be any again, since Snowden could only make his move due to some misconfigured/outdated network quota control software.
Hell, you can't even FOIA information about these policies, and agencies will go so far as to withhold evidence in court when it concerns espionage! And as soon as a court case involves this information, the court recedes from the public and is held in secret.
My hostility against US policy is by no means anywhere above the European average, but when it comes to public statements about surveillance, I have no reason to trust the US Government. The Bush administration has proven that it is possible to flout the US constitution on a massive scale with just 10-12 people. At this point I can't blame people for putting forward some crazy conspiracy theories about the deep state or QAnon, because the US gov has given no indication of being believably concerned about compliance with their own laws.
Гулаг (gulag) is the acronym for "Гла́вное управле́ние исправи́тельно-трудовы́х лагере́й" which translates to "Head management office of correctional work camps". And if you're going to go for all incarcerated, the number is actually somewhere in the 2.1mil range in the US, because hey, jails are a thing.
Oh please, the United States is so incredibly armed, my death will likely come at the hands of some misplaced right-wing militarized fascist group performing mass murders under the guise of "Freedom" and "A return to the constitutional purity of the US".
I've been promised that that was going to happen any day now since the wrong person got elected back in 2000. Nearly a quarter century on I am beginning to suspect that somebody was overstating something, I can't quite put my finger on what though...
Trying to understand: what crypto is the network hardware itself performing? TLS is end to end; even if you run a VPN on the router, the keys were probably not generated there.
Crypto matters for exactly this reason. All my internet traffic passes through unsafe middle-boxes, it is TLS and DH that make sure I can pass through untrusted middlemen without them knowing what is going on.
Ubiquiti is all cloud based. If the government wants in to your auto-updating ubnt hardware, it's just a simple court order away. They don't need a backdoor.
That's part of the reason I've started moving away from their routers - I still have an Edgerouter but never went to the Dream Machine or USIP routers. At the moment the OPNSense appliances [1] which are made by the company that sponsors the fork (Deciso B.V.) are my pick for that. They're an EU company, and the thing runs fully open source software on a commodity embedded AMD chip.
I'm still using the access points, since I can run my own controller still, either virtualised in a container or VM, or a raspberry pi and you don't have to connect it to the cloud. I haven't found anything better, TP Link seem to have some interesting looking stuff but I worry about the security given they're based in Shenzhen...
It may be auto-updating by default, but that can be trivially disabled. Likewise, their cloud connectivity/management is optional. I'm running without issue multiple air-gapped Ubnt networks using their self-hosted controller software.
Perhaps there is some new watered down usage (like what happened to "literally" or "bricked") but that is precisely why people use the term "air-gapped" - to denote networks with PHYSICAL separation from other means of access.
(Of course, if you connect an AP, it's no longer air-gapped.)
All your computers are plugged into the mains for electricity... Always, always the thing that's ubiquitous is the perfect entrance for the oppressors, since no one suspects anything about those innocent things.
Yeah, but it is still closed source, no?
I guess if it is air gapped that could be fine, but we are talking mid level network gear here, so for 99% of its use, it isn't air gapped. It is enabling broader connectivity.
So you would have to trust the closed source software at some point.
That was an insider trying to extort the company by pretending to be an outside hacker. He then posed as a whistleblower to try and throw investigators off the trail.
Ubiquiti has many other problems besides this. The worst is their vendor lock-in, where even basic network operations are not possible if you happen to have any non-Ubiquiti hardware in your network. You should stay away.
I ran UBQT hardware with a Mikrotik router and third-party firewall. UBQT replaced old Frankenstein hardware that had the worst channel management etc.
Everything got so much better; customer issues dropped to almost zero (sometimes there were hundreds of issues a day).
We always had another vendor for part of the network, and that had no impact.
People are misinterpreting me, thinking I mean that it's not even possible to intermingle equipment. That is not the case.
The specific issue I ran into was that I had a non-Ubiquiti router and AP on my network, and there was absolutely no way to set firewall rules on the Ubiquiti gateway for any clients connected through the non-Ubiquiti equipment. This should obviously not be a problem. The gateway provided those clients IP addresses through DHCP and they are in its ARP table, so it should be supported.