Ubiquiti announced it has fixed a bug that allowed some customers to glimpse strangers’ surveillance footage and gain access to accounts and devices that did not belong to them.
The surveillance and networking equipment maker blamed the privacy breach on a misconfiguration of its cloud systems, and said late Thursday that “the issue has been resolved and all Ubiquiti accounts are properly associated across our infrastructure.”
People sounded the alarm Wednesday. One customer gave a detailed description of the strange behavior on Reddit: “My wife received a notification from UniFi Protect that included an image of a security camera. But here’s the problem: This camera isn’t ours,” he posted.
UniFi Protect is a management app for Ubiquiti security cameras that allows users to view live feeds and recordings, download footage, and configure equipment. Customers can manage and configure multiple cameras through the app, but access is supposed to be restricted to devices belonging to that specific user, and viewing other customers’ cameras and their feeds is not allowed.
“This notification came completely out of the blue and showed footage from an unfamiliar camera,” the “confused” customer continued. “What’s even weirder is that right after my wife received the notification, she opened the Protect app and only her two cameras were listed as usual.”
The post also raised concerns about potential security breaches, or perhaps disgruntled developers causing problems on the network.
Ubiquiti did not immediately respond to The Register’s request for comment.
Other concerned customers quickly chimed in with similar stories of their own.
And here is our personal favorite reaction, even if it’s just shouting into the wind: “Well, there’s always a chance something like this could happen when you connect something local to the internet :)”
According to Ubiquiti, the security disruption began on the morning of December 13th.
“Thanks to your feedback and support, we have fixed a small number of cases in which users were receiving push notifications on their mobile devices that appeared to come from an unknown console, or those users were able to access a console they were not aware of,” the consumer electronics company said in a statement on its support forum.
An upgrade to the UniFi cloud infrastructure caused an outage, which the company says has now been fixed.
The manufacturer was not specific about the number of customers affected by the misconfiguration, saying it was “still investigating.”
But everything the user described on Reddit seems to be accurate: one group of customers received notifications on their mobile phones from devices belonging to another group of customers. Both of these groups are “minority users,” Ubiquiti claimed.
Additionally, Ubiquiti said some users who received push notifications from other people’s devices “may have been granted temporary remote access” to accounts that did not belong to them.
The company says it “believes” that “less than a dozen” people’s accounts have been accessed remotely by strangers, and promises to contact these people via email to let them know.
We expect that to happen shortly after the industry finishes notifying another customer that Russian cyber spies have compromised Ubiquiti routers. ®