Thousands of Ubiquiti cameras and routers vulnerable, despite patches available


More than 20,000 internet-exposed Ubiquiti devices are open to attackers, revealing sensitive data about the owners, Check Point Research warns.

Among the affected devices are popular compact, wide-angle, WiFi-connected Ubiquiti G4 Instant Cameras, and Cloud Key+ devices.

The vulnerability lies in two custom privileged processes that were exposed on the devices’ network interface. The open ports, 10001 and 7004, use UDP (User Datagram Protocol, one of the core communication protocols). Some compromised devices already display warnings such as “HACKED-ROUTER-HELP-SOS-DEFAULT-PASSWORD.”


“Over 20,000 Ubiquiti devices were identified as exposed on the internet, revealing informational data including their platform names, software version, configured IP addresses, and more,” the report reads. “The exposed data could be used for technical and social engineering attacks.”

This vulnerability is not new. In 2019, denial-of-service (DoS) attacks were carried out on Ubiquiti devices by exploiting a service on 10001/UDP, and Rapid7’s assessment revealed almost 500,000 vulnerable devices at the time. Patches have since been released.

However, five years later, thousands of devices remain vulnerable, serving as an example of how difficult it is to fully mitigate a vulnerability, especially among Internet of Things (IoT) devices.

According to Check Point Research (CPR), vulnerabilities in exposed ports could lead to complete compromise of the device. CPR was able to send spoofed discover packets on its internal test network, and both the G4 camera and the CK+ responded, validating the researchers’ concerns.

Random sampling confirmed that over 20,000 devices on the internet, which are likely unpatched, also respond to spoofed packets.

“Decoded hostnames revealed detailed information about devices, including owner names and locations, which could be exploited for social engineering attacks,” researchers said. Some of the other revealed device types were NanoStation Loco M2 and AirGrid M5 HP. Owner information included full names, company names, and addresses.

Ubiquiti previously patched the vulnerability and stated that the devices with the latest firmware only respond to internal IP addresses. However, Check Point notes that simple mistakes can persist for years and remain significant attack vectors.

“IoT device updates are slow to propagate, often taking years to reach all deployed units. Some users may never update their systems, leaving them perpetually vulnerable. Consequently, developing IoT devices according to security-by-design principles and incorporating built-in protection mechanisms against exploits and malware from the outset is imperative,” the report argues.


Users should ensure that their cameras and other devices are updated to the latest firmware version. Patching and updating devices in use should become a regular part of the cyber hygiene routine. Users should avoid exposing IoT devices directly to the internet when it is unnecessary. If exposure can’t be avoided, make sure the device is not revealing information about you.
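One way to check a gateway's logs for this exposure, as an added example that is not from Check Point's report or from Ubiquiti: the script flags UDP traffic on ports 10001 and 7004 that crosses the internal boundary, including replies a device sends to external addresses. The netfilter LOG-style input, the list of internal ranges, and all names in the code are assumptions made for illustration.

```python
import ipaddress
import re

# UDP ports named in the article.
WATCHED_UDP_PORTS = {10001, 7004}
# Assumption: ranges treated as "internal"; adjust to the local addressing plan.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "fc00::/7", "fe80::/10")]
FIELD = re.compile(r"\b([A-Z]+)=(\S*)")  # KEY=value tokens of a LOG line

def is_internal(addr):
    ip = ipaddress.ip_address(addr)  # raises ValueError on garbage
    return any(ip in net for net in INTERNAL_NETS)

def audit(lines):
    """Return (kind, device, peer, port) tuples for boundary-crossing traffic.

    "probe": an external source sent UDP to a watched port on a device.
    "reply": a device answered an external address from a watched port,
             so it is not limiting its responses to internal addresses.
    """
    findings = []
    for line in lines:
        f = dict(FIELD.findall(line))
        if f.get("PROTO") != "UDP":
            continue
        try:
            src, dst = f["SRC"], f["DST"]
            sport, dport = int(f["SPT"]), int(f["DPT"])
            src_in, dst_in = is_internal(src), is_internal(dst)
        except (KeyError, ValueError):
            continue  # truncated or malformed line
        if dport in WATCHED_UDP_PORTS and not src_in:
            findings.append(("probe", dst, src, dport))
        elif sport in WATCHED_UDP_PORTS and not dst_in:
            findings.append(("reply", src, dst, sport))
    return findings

# Constructed sample lines using documentation address ranges, not real traffic.
SAMPLE_LOG = [
    "IN=eth0 OUT=eth1 SRC=203.0.113.45 DST=192.168.1.20 PROTO=UDP SPT=40211 DPT=10001",
    "IN=eth1 OUT=eth0 SRC=192.168.1.20 DST=203.0.113.45 PROTO=UDP SPT=10001 DPT=40211",
    "IN=eth1 OUT=eth1 SRC=192.168.1.50 DST=192.168.1.20 PROTO=UDP SPT=51000 DPT=10001",
    "IN=eth0 OUT=eth1 SRC=198.51.100.7 DST=192.168.1.21 PROTO=UDP SPT=33000 DPT=7004",
    "IN=eth0 OUT=eth1 SRC=198.51.100.7 DST=192.168.1.21 PROTO=TCP SPT=33000 DPT=7004",
    "IN=eth0 OUT=eth1 SRC=203.0.113.45 DST=192.168.1.20 PROTO=UDP SPT=40211",
]
```

A "reply" finding is the one to act on first: it shows the device answering an address outside the internal ranges, which is the behaviour the latest firmware is stated to prevent.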