"I was presented with 88 consoles from another account," one user reports.
# Incident Report: UniFi Cloud Account and Video Feed Misrouting
## Executive Summary
Multiple users of Ubiquiti's UniFi Protect system reported a critical security issue where they were able to access and control other users' private security camera feeds and network consoles via the cloud management portal (`unifi.ui.com`). This incident appears to stem from a configuration or authentication flaw allowing unauthorized cross-account viewing and device management. Ubiquiti has not publicly detailed the root cause, but users are taking immediate action by logging out and clearing browser data.
## Incident Details
- **Discovery Date:** December 13-14, 2023 (based on user reports posted in the 24 hours before the article date of Dec 14, 2023).
- **Incident Date:** Ongoing at the time of reporting (Dec 13-14, 2023).
- **Affected Organization:** Ubiquiti (UniFi product line).
- **Sector:** Consumer/Prosumer Network Hardware and IoT Security.
- **Geography:** Global (Based on Reddit reports).
## Timeline of Events
### Initial Access
- **Date/Time:** Unspecified, occurred when users logged into their accounts.
- **Vector:** Cloud Authentication/Session Management flaw via `unifi.ui.com`.
- **Details:** Users logging into the UniFi cloud portal were presented with consoles, settings, and private video feeds belonging entirely to other, unrelated accounts, even while their own email address remained displayed.
### Lateral Movement
- **Details:** Once presented with another user's account, users reported the ability to navigate that user's device dashboard, view live and recorded video, and change system settings. This suggests the session granted the same broad access to the misrouted device(s) that the owner would have.
### Data Exfiltration/Impact
- **Details:** Private security camera footage (including one user reporting video of an unrecognized business and another receiving a notification of a stranger in their backyard) was exposed to unauthorized parties. Full administrative control over the target network gateway (UDM Pro/SE) was potentially gained by unauthorized users.
### Detection & Response
- **How it was discovered:** Users discovered the issue organically by logging into the UniFi cloud portal or receiving notifications for cameras they did not own.
- **Response actions taken:** Affected users logged out, cleared cookies, and reported the issue on social media (Reddit) and Ubiquiti community forums.
## Attack Methodology
This incident appears to be a systemic failure related to the cloud service rather than a direct external attack employing traditional malware tactics.
- **Initial Access:** Legitimate user credentials used to access the cloud portal, but the service incorrectly authenticated or authorized the session for the wrong hardware/data set.
- **Persistence:** N/A (Session-based flaw).
- **Privilege Escalation:** N/A as a distinct step; the flaw bypassed the authorization checks that should have scoped the session, so it granted administrative access to another user's system outright.
- **Defense Evasion:** N/A (Not an adversary using defense evasion).
- **Credential Access:** N/A.
- **Discovery:** N/A.
- **Lateral Movement:** Successful access to other users' consoles/devices via the flawed cloud session manager.
- **Collection:** Viewing and potentially downloading private video streams.
- **Exfiltration:** Unauthorized viewing/access to private data streams.
- **Impact:** Unauthorized viewing of private video surveillance.
## Impact Assessment
- **Financial:** Undisclosed. Potential costs related to incident investigation and remediation by Ubiquiti.
- **Data Breach:** Highly sensitive Personal Data (video feeds showing private residences and activities) was exposed across multiple users.
- **Operational:** Users were unable to rely on the security of their surveillance systems. Disruptions to management via the cloud platform.
- **Reputational:** Significant negative press and erosion of user trust in Ubiquiti's security practices.
## Indicators of Compromise
*Due to the nature of this system misconfiguration, traditional IoCs are not applicable; the "indicator" is the cloud service misdelivering console information.*
- **Network indicators:** Access to `unifi.ui.com`.
- **File indicators:** None specific to this session flaw.
- **Behavioral indicators:** A legitimate user account being presented with unexpected, seemingly random consoles or push notifications referencing unaffiliated security devices/locations.
## Response Actions
- **Containment measures:** Users manually logged out of the affected cloud sessions and cleared browser cookies/cache.
- **Eradication steps:** Not detailed in the article, presumably server-side fixes by Ubiquiti to correct the account-to-console mapping logic.
- **Recovery actions:** Users needed to re-establish trust in the platform before relying on it again for monitoring.
## Lessons Learned
- **Key takeaways:** Cloud-managed network infrastructure introduces critical single points of failure related to authentication and authorization architecture. A failure in session mapping can instantly expose sensitive data across the entire user base.
- **What could have been done better:** Ubiquiti needed robust validation checks ensuring that a user's authenticated session token only maps to the specific device IDs explicitly associated with that user ID in their database.
## Recommendations
- **Prevention measures for similar incidents:** Implement rigorous access controls (ACLs) within the cloud management backend to enforce strict data segmentation between customer accounts. Mandate multi-factor authentication (MFA) universally, and perform comprehensive, continuous testing of cloud session persistence and authorization checks.
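As an added illustration of the ownership check described under Lessons Learned and the per-account data segmentation urged under Recommendations (example code written for this report, not Ubiquiti's backend; the console IDs, session IDs and user names are constructed), the block below shows a server-side authorization decision that rechecks console ownership on every request, the dashboard listing derived only from that ownership table, and an audit routine that flags the behavioral indicator from this incident: a session being shown consoles its user does not own.

```python
"""Tenant-scoped console authorization and misrouting audit (constructed example)."""
from dataclasses import dataclass

# Constructed sample data standing in for the cloud backend's ownership table
# and session store; real deployments would query these from a database.
CONSOLE_OWNER = {"udm-pro-A1": "alice", "udm-se-B2": "bob", "udm-pro-C3": "carol"}
SESSIONS = {"sess-1": "alice", "sess-2": "bob"}


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str


def authorize_console(session_id: str, console_id: str) -> Decision:
    """Deny unless the console is owned by the user the session belongs to.
    Ownership is rechecked per request: the session token alone never decides
    which hardware is reachable, which is the gap this incident exposed."""
    user = SESSIONS.get(session_id)
    if user is None:
        return Decision(False, "unknown session")
    owner = CONSOLE_OWNER.get(console_id)
    if owner is None:
        return Decision(False, "unknown console")
    if owner != user:
        return Decision(False, f"console {console_id} belongs to another account")
    return Decision(True, "ok")


def consoles_for_session(session_id: str) -> list[str]:
    """Build the dashboard list from the ownership table filtered by user,
    never from a cached or separately keyed mapping that can drift."""
    user = SESSIONS.get(session_id)
    return sorted(c for c, o in CONSOLE_OWNER.items() if o == user)


def audit_presented_consoles(records: list[tuple[str, str, list[str]]]) -> list[dict]:
    """Flag dashboard responses that listed consoles the user does not own, or
    whose header identity disagrees with the session. Each record is
    (session_id, user_shown_in_header, console_ids_returned)."""
    findings = []
    for session_id, shown_user, presented in records:
        user = SESSIONS.get(session_id)
        foreign = [c for c in presented if CONSOLE_OWNER.get(c) != user]
        if foreign or shown_user != user:
            findings.append({"session": session_id, "user": user,
                             "foreign_consoles": foreign, "presented": len(presented)})
    return findings
```

Running the audit over response logs is a cheap detective control: any non-empty finding means the account-to-console mapping misrouted, regardless of the root cause.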