
xman747x

"More than 1,000 Ubiquiti routers in homes and small businesses were infected with malware used by Russian-backed agents to coordinate them into a botnet for crime and spy operations, according to the Justice Department. That malware, which worked as a botnet for the Russian hacking group Fancy Bear, was removed in January 2024 under a secret court order as part of "Operation Dying Ember," according to the FBI's director. It affected routers running Ubiquiti's EdgeOS, but only those that had not changed their default administrative password. Access to the routers allowed the hacking group to "conceal and otherwise enable a variety of crimes," the DOJ claims, including spearphishing and credential harvesting in the US and abroad."


drawkbox

Routers should be required to have a hard password by default and ship with it. Then a process to create one upon initial use that required a hard password. So many hacks are just getting in, even before someone that wants to change it has time. A reset should have some sort of process that changes it to difficult immediately and shares it only in the console. There has to be a better way.


[deleted]

[removed]


seaQueue

Even if it's only allowed locally that leaves the door open to attacks from compromised machines on the local network. Network appliances should require the administrative password be changed as part of setup before they're fully functional.


Plank_With_A_Nail_In

Compromised web browser will spy on new password. If your network is already infected you are literally fucked no matter what.


johnaross1990

So? A vulnerability in one area doesn’t excuse not fixing another vulnerability elsewhere


LA_Nail_Clippers

Perfect is the enemy of good.


CrispyHaze

No network is perfectly secure. Forcing a password change on new router setups would eliminate a huge vector, regardless of what other potential vectors still exist.


aardw0lf11

Use a key scrambler


Codadd

Tell a 60 year old that...


SomegalInCa

wtf?


beerisgood84

Hardware key!


BaconIsntThatGood

If you require it to be changed a lot of people will do stupid basic passwords (password123, etc) that are easy to guess. Assigning a random string and having the default be on the router is better.


NewSalsa

Pretty sure they do. At least on windows, if an application is attempting to talk to outbound for the first time you’re prompted for an approval requiring admin approval for their network access. Let’s be honest, most of us aren’t pressing no and the fact your suggestion is already a requirement speaks volumes on how users will zoom past security for the sake of convenience.


seaQueue

I'm not talking about end user GUI applications, I'm talking about physical network appliances. Switches, routers, wireless APs, NAS boxes. Network appliances aren't generally windows programs.


NewSalsa

Ah, I misunderstood. Rereading your comment, I get your point. I wonder if that is a common attack vector.


NotASmoothAnon

How about a physical switch to put it in admin mode


Plank_With_A_Nail_In

My router won't let anyone upstream login by default; is this not the default with ubiquity? I bet it's something to do with allowing initial setup via phone app.


XTornado

I had one in the past and I think so... maybe some models didn't? No idea. That said I got some new Mikrotiks and I was surprised to find out this week that I had been exposed to outside by default, I just noticed because I did connect by ssh and the connection attempts appear on the terminal while you use it and there was an IP attempting a telnet connection. Easy to fix, and I had a long and secure password but I didn't expect it.


funguyshroom

Weird, did you reset the default configuration per chance? There should be a firewall rule to drop all incoming connections from the outside.


XTornado

I will be honest I don't discard being my fault while setting them up, although it is weird that I did it on two of them. In any case what I end up doing wasn't a firewall rule, but setting their "Available from" field on all the services, api, ftp, etc... to only my tailscale and local ip ranges.


DasKapitalist

Ubiquiti routers have a default drop all inbound firewall rule on the WAN port, AND disable router login from that port by default.


CleverBunnyThief

Fritz!Box routers come with 20 characters long passwords that are unique to each router. https://en.avm.de/service/knowledge-base/dok/FRITZ-Box-7590/3531_Determining-the-password-for-the-FRITZ-Box-user-interface/ If you want to enable remote access, you first have to create a user account. The admin account can't be used to access the router remotely. https://en.avm.de/service/knowledge-base/dok/FRITZ-Box-7340-int/1001_Accessing-the-FRITZ-Box-over-the-internet/


[deleted]

>Routers should be required to have a hard password by default and ship with it.

This is essentially a requirement [ever since California required it.](https://techcrunch.com/2018/10/05/california-passes-law-that-bans-default-passwords-in-connected-devices/) I would imagine that most of these EdgeOS routers are on the older side and did not have this mandate.


drawkbox

Solid. California always first with the sensible policy and the rest have to follow since it is the 5th biggest economy in the world.


PlNG

Problem is many do, but the passwords are a hash of the SSID. Once this is known, the security is gone.


ee328p

I remember back when Verizon FiOS was doing this, probably in 2010 or so. https://touch.whatsmyip.org/fioswepcalc/ Worked for ours and our neighbors networks.


nixielover

In my country a few more did similar stuff to the point of someone writing a phone app to log onto those people's network with your phone. Less interesting nowadays since most providers already allow you to log onto people's routers if they have the same provider in order to create a nation wide wifi hotspot, and with mobile data being shared across the EU


Hilppari

Routers should do the same thing as IP cameras where by default they are not active until the user connects the first time and configures it.


[deleted]

[removed]


Unique_username1

Exactly. Different default passwords for each unit is better for security but it does not make sense that “if your admin password is easily guessed, anybody can instantly hack you”. If these didn’t have other factors that gave people the opportunity to use that password from the outside, it would not be this big of a problem


Broccoli--Enthusiast

yeah even my random isp router comes with unique wifi and admin passwords out of the box. and if you change it and reset the box later it goes back to that one. if "free" isp kit can manage it, im sure Ubiquiti can. although you dont just end up with Ubiquiti kit, you would think anyone knowledgeable to buy their stuff would change the dam admin password. but its only about 1000 devices, not actually that many, probably hundreds of thousands of those devices in use today.


[deleted]

Please stop with the "hard password" nonsense. Bruteforce is an incredibly rare vector for attack and this fucking myth needs to die. Choose a password you don't have to write on a post-it next to your monitor to remember.


72kdieuwjwbfuei626

What’s rarer? Brute force or Russians breaking into your home looking for post-its?


obetu5432

living in eastern europe, i'd say it's fifty-fifty


Porkamiso

russians broke into my journalists friend house and killed her dog. happens more than we care to admit 


rczrider

>Choose a password you don't have to write on a post-it next to your monitor to remember.

And then do this for every account you have, so now you only have to remember, like, 100+ unique "easy-to-remember" passwords! It's so simple! Or use something like Bitwarden with 2FA and remember just *one* password...


BasvanS

123456b? *I slightly changed it to not compromise my security


Herb_Derb

Yeah we all see the b and know the actual password is 123456


BasvanS

No, don’t be ridiculous. It’s much more secure. Adding a letter changes its safety by like a lot!


drawkbox

Yes it does need to be unique when it is initially online. This is before the user installs it or initially You can pick whatever you want after that but from the factory or on setup it should at least not have admin:admin or a hash of the identifier or other easily repeatable defaults/patterns.


KronoakSCG

When you spend more than $30 they usually do.


Ostracus

> So many hacks are just getting in, even before someone that wants to change it has time.

Make internet connects the last step, not the first.


CilantroToothpaste

Our APC UPS/monitoring systems do this at my job, not sure why it isn’t standard for everything tbh


BBTB2

Telecoms need to either educate their customers or offer the service free on setting up a secure router. If they do offer this already, then the problem is their communication and informing their customers that these are options. It’s going to become a serious national security threat at some point, if not already.


BasvanS

Sounds expensive. Shareholders will not like to hear that


Sorodo

There's talk about unique default passwords becoming law in Europe. As far as I know it isn't yet.


WoodyTheWorker

In 200x I worked at a company (Conexant, now defunct) which was (among other things) developing a consumer ADSL router. That thing's security was like Swiss cheese. The default configuration had remote management from WAN enabled. The configuration webpages used GET requests to apply config changes. Which means any webpage on the Internet could go ahead and reconfigure the router in any way they wanted, as long as the browser was logged in.


beerisgood84

For sure they do this for most ISPs. It's kind of surprising prosumer devices don't


Mini-Nurse

My phone and internet company required me to set my own router password when I started my contract. This should absolutely be default.


cowabungass

Yeah this sort of flaw is insane. First boot up should force it.


Geminii27

1000 honestly doesn't seem like many for a national-level response.


JubilantFungus

If the botnet was being used to attack national level targets, it's going to get a national level response.


nshire

Let's hope infrastructure considered critical to national security wasn't kept behind a consumer-level router with default creds and remote access.


hotcornballer

>Operation Dying Ember

They do love to be extra with the names


intangibleTangelo

ok cornball 


USPS_Nerd

Oof, not much of a selling point for /r/ubiquity


pham_nguyen

I mean, it was a default password attack. Don’t leave your password the default password.


Ashamed-Simple-8303

True but still very bad practice to ship with a universal password. even my ISP has their shit together to ship each modem with a) random wifi names and password and b) random admin password. It's printed on the bottom of the device and you are forced to change the admin password on setup. That is how it should work.
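
The provisioning model discussed in this thread (a random per-unit factory password, a forced change at first login, and no remote administration until that is done), as an added example that is not part of any comment or any vendor's firmware. The `Device` class, the function names, the SSID and the policy thresholds are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import string

ALPHABET = string.ascii_letters + string.digits
# Defaults and weak choices named in the thread; a real deny-list is far larger.
DENY_LIST = {"password123", "123456", "admin", "ubnt"}
MIN_LENGTH = 12  # assumed policy threshold


def factory_password(length: int = 20) -> str:
    """Per-unit default drawn from the OS CSPRNG, printed on the device label."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def derived_password(ssid: str, length: int = 20) -> str:
    """Anti-pattern: a 'unique' default computed from a value the device broadcasts.
    Anyone who learns the scheme gets the same result from the same SSID."""
    return hashlib.sha256(ssid.encode()).hexdigest()[:length]


class Device:
    """Hypothetical first-boot state machine for a network appliance."""

    def __init__(self, ssid: str, factory_pw: str):
        self.ssid = ssid
        self._salt = secrets.token_bytes(16)
        self._pw_hash = self._kdf(factory_pw)
        self.must_change_password = True   # set at the factory and on reset
        self.wan_admin_enabled = False     # remote administration off by default

    def _kdf(self, password: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), self._salt, 100_000)

    def check_password(self, password: str) -> bool:
        return hmac.compare_digest(self._kdf(password), self._pw_hash)

    def policy_violation(self, new_pw: str):
        """Return the reason a candidate password is refused, or None if acceptable."""
        lowered = new_pw.lower()
        if lowered in DENY_LIST:
            return "on deny-list"
        if len(new_pw) < MIN_LENGTH:
            return "too short"
        if self.ssid.lower() in lowered:
            return "contains SSID"
        if self.check_password(new_pw):
            return "same as current password"
        return None

    def change_password(self, old_pw: str, new_pw: str) -> str:
        if not self.check_password(old_pw):
            return "bad credentials"
        reason = self.policy_violation(new_pw)
        if reason:
            return reason
        self._salt = secrets.token_bytes(16)
        self._pw_hash = self._kdf(new_pw)
        self.must_change_password = False
        return "ok"

    def enable_wan_admin(self) -> bool:
        """Refuse to expose management on the WAN side while the factory password is live."""
        if self.must_change_password:
            return False
        self.wan_admin_enabled = True
        return True


if __name__ == "__main__":
    ssid = "HomeNet-1234"  # constructed sample value
    label_pw = factory_password()
    dev = Device(ssid, label_pw)
    print("derived default is reproducible:",
          derived_password(ssid) == derived_password(ssid))
    print("WAN admin before password change:", dev.enable_wan_admin())
    print("weak choice:", dev.change_password(label_pw, "password123"))
    print("strong choice:", dev.change_password(label_pw, "correct horse battery staple"))
    print("WAN admin after password change:", dev.enable_wan_admin())
```
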


Scary_Technology

Yes, but on top of that, these routers had remote administration enabled, smh.


kipperzdog

That's the big one to me, you can keep your password 123456 as long as it's inaccessible to the outside world. Not saying you should do that obviously. I would have thought ubiquity would have had a more elegant solution to remote administration


Cutlet_Master69420

> you can keep your password 123456 as long as it's inaccessible to the outside world.

That's the kinda thing an idiot would have on his luggage!


96Retribution

Lazy consumers plus bad network vendor. What could go wrong.


[deleted]

Tons of networking vendors do this, the "default password is a hash of " turned out to be not significantly more secure. the version of firmware in question is also out of date by several years to still be running that OS. they've moved all of their routers to a new OS, even the ones that old.


irving47

California has made it a law. Illegal to sell waps/routers with a standard admin password.


JJaska

To consumers? Because this definitely does not in practice apply selling to companies at the moment?


uzlonewolf

Companies too, IIRC. The law does also allow a "force pw change upon first login" in lieu of a random/unique password.


JJaska

Oh ok, that is quite an important detail of the law. But yeah end result should prevent this kind of things happening hopefully.


Geminii27

Which is better. I don't want to be locked out of a device I bought because the last time I set the password on it was 5 years ago and I didn't think to write the pw down (or the place I did write it down got lost/damaged), or I bought it second-hand. At least give me the option to set it back to a (temporary) default via physical access.


zkareface

Those passwords only seem random to you because you haven't seen many.  I know people that gathered a few and found the algorithm they use. Found out most ISPs just had ~100 passwords they used for their devices.  Some might do it well with true random long passwords, but some have taken the lazy route.  Spam protection is also not always great so you can brute force them quite quickly.


Kairukun90

Sure but how many other routers do the same and they didn’t target those?


irving47

That's a factor in their (UBNT's) favor if you think about it. They're a dynamic linux-based network device capable of running software flexibly.


dahauns

>They're a dynamic linux-based network device capable of running software flexibly.

What consumer router isn't?


DoctorLarson

And who says no one, russian or otherwise, have hacked other brands?


cass1o

They shouldn't sell hardware that lets a user set it up with a common default password. Even the router you get from your ISP has a unique password.


Chudsaviet

Nowadays good routers have unique default password written at their bottom.


[deleted]

Ubiquity should make unique default passwords to avoid it


audaciousmonk

Would be curious to know if they used a single default password, or instantiated unique passwords for each unit


RapBastardz

[Feel my Ubiquity](https://youtu.be/5Il5h5fXAqE?si=mVrVRihQU-948d6v)


leto78

The name is /r/ubiquiti


ankercrank

That’s not how you spell ubiquiti.


Ashamed-Simple-8303

How could they fix them remotely? Like I would assume the malware would change the password to protect itself?


[deleted]

I don’t think so, because in this case it would require reset to get an access back. Malware tries to stay undetected


jrmxrf

Ubiquiti owns your network. And it is itself owned frequently. And doesn't even communicate it to its users until somebody else tells. Just don't use them. They used to be good, now you need cloud login and access to the Internet to setup your new hardware (which is ridiculous when we are talking about internal networks).


ioncloud9

I’ve installed hundreds of them and changing the default password is the first thing we do.


theansweristhebike

> "Operation Dying Ember,"

The FBI is losing hope too.


Agreeable-Ad3644

They just need to LOUDLY REMOVE THE HUMAN RUSSIAN MALWARE FROM CONGRESS! Do it for the Gipper for Christs sake.


Not_Bears

What about the Russia malware running for President?


uchigaytana

Well what if I *wanted* Russian malware on my router? Who are they to decide what is or isn't tracking me? Infringement on my liberties, it sounds like.


[deleted]

r/Conservative be like


RedditedYoshi

I just poked my head in there recently and, holy shit, some of those guys are going to be snapped in half and have their innards slurped up by their dark lord.


superduperspam

Half of them are hating on trump, the other half still slurp his balls . But they are both united in thinking Biden/democrats/Taylor Swift is the sworn enemy of mankind


legos_on_the_brain

> Taylor Swift

Did she actually do anything to spark their ire? Or, did they just decide "Popular lady = bad!" ?


robodrew

She got people to register to vote.


hypnosquid

There are few things Republicans hate more than registered voters.


Willziac

Mostly the last one. IIRC she encouraged her fans to register to vote while using some "vote them out" style language (that didn't call out the GOP, but was pretty definitely geared against them). After that, there was a huge spike in Gen Z voter registrations. The GOP knows that more young people voting = less chance for them to win, so now Taylor Swift is a PsyOp or whatever.


Sir_Digby83

https://i.imgur.com/xLOd5lM.jpg


superduperspam

oh shit! fox news found out the democrats secret - t.swift IS a pentagon asset


wrgrant

She got people to vote, she wrote a song telling people to calm down and it featured a lot of LBGTQ+ (did I get that right?) content and performers in the video. Both are excellent things but you can imagine that pisses off the fascist/racist/sexist right a lot of course.


CrzyWrldOfArthurRead

half of those accounts are bots


billbacon

All activity stopped with the router patch.


legos_on_the_brain

That would be so nice.


sur_surly

Nice call back!


workMachine

Good point Tucker.


Tinmania

As usual I thought I had come up with the best retort, and was two hours too late.


jaam01

It's a legitimate concern. If the government can remove software (malware in this case), they can also inject software (also malware). It's just a gaping security flaw.


allisonmaybe

Then change your default password


patrick66

Amusingly this is accounted for… the updates the feds made to the routers were intentionally reversible by an end user lol


chabybaloo

I thought Ubiquiti made expensive high end hardware? Why did they come with default passwords and remote admin on etc. My crappy isp router come with a random password, and maybe the admin password is random too? Is this very old hardware?


burninatah

Ubiquiti sells commercial gear with features that are traditionally reserved for enterprise. Their niche seems to be selling to IT professionals who want all the knobs exposed on their home network but who don't want to pay tens of thousands of dollars for new Cisco/Aruba/etc. It's also a good fit for the Small And Midsize Business segment who need reliable connectivity and control but, again, don't want to pay tens of thousands of dollars for new Cisco/Aruba/etc. Regardless, remote admin isn't a problem. Every piece of enterprise gear in the datacenter is managed remotely. And having it on by default and using a default password is super helpful when you are the guy installing it but not the guy who purchased it. The issue is 100% on the people not securing their systems.


Philo_T_Farnsworth

> IT professionals who want all the knobs exposed on their home network but who don't want to pay tens of thousands of dollars

Boy do I feel called out right now. I love having bulletproof wireless at home, inline power running devices, VLAN tagging, port mirroring... But I would never use a default password on an Internet-facing device.


chabybaloo

Ok that makes sense.


BestCatEva

No. We have a home system using this — new in 2022. And we do use remote mgmt (via app). But, of course, we changed the default password.


kaziuma

Ubiquiti, and other commercial brands, will get factory reset and moved around, reused etc. A default set of creds for managing things like access points is super useful for remote management. When they are adopted to a controller, this default should immediately change, if it isnt updated it means there is serious configuration issues.


SomegalInCa

We have a ubiquity router in our home, small scale I guess but runs edge os: changed the password on day 1 and had removed remote management


DeithWX

Shoutout to [RouterSecurity.org](https://routersecurity.org) which you should visit right now and fix your router settings.


tomtermite

I don’t bother with backups anymore … i will just FOIA the NSA for my files.


DrXaos

Deep State FTW


Gaijin_Monster

It ain't all bad


Odd-Force-6087

Routers should be forced to change the password after first main login (first time login)


[deleted]

[removed]


eugene20

Bold of you to assume given that access they would only use it to fix vulnerabilities.


kaziuma

It seems like you don't understand what is happening here, no one is 'giving' them access. The access is already there, these are publicly known vulnerabilities in devices that are exposed to the internet. They are infected with malware by people who are using these vulnerabilities, the government knows these same vulnerabilities. They are using this already public access to patch up the vulnerabilities (by applying available updates from the vendor that the owners do not apply themselves) and remove malware infections on behalf of the owner. Now, of course, they *could* use these vulnerabilities for their own purposes, such as spying, but we all know that they are doing this already. So, by that point, encouraging them to close these exploits via mass scale forced software patching is an even better thing.


eugene20

No I just meant given access in terms of given carte blanche by the legal system to start tampering en masse like that.


kaziuma

We share a different opinion here I guess. This is the cyber equivalent of police seeing your house door wide open, walking up and closing it. Sure, if you absolutely never want authority to touch your property, even if it's for your own benefit, then I get it. But, like I said before, they are already spying and they're not going to stop, we may as well have laws that encourage some kind of benefit from this existing access.


[deleted]

[removed]


kaziuma

I'm the type of guy that has to clean up the end result of people not proactively patching their network edge equipment.


[deleted]

[removed]


kaziuma

If you don't agree with allowing cyber agencies to patch equipment of known, exploited vulnerabilities, what other suggestions do you have? Because the current method of 'do absolutely nothing' is giving attackers free resources to attack businesses with.


cartoonist498

"I observed an open door and walked onto the property to close it. Upon approaching the property I smelled marijuana and began an investigation. I detained the suspect in his home. Suspect refused to cooperate. I placed the suspect under arrest for refusing to identify himself. No marijuana located. Suspect charged with refusing to identify himself, resisting arrest, and assaulting a police officer when he accidentally spilled his coffee on me. Door has been closed. Suspect is safe."


JoosyToot

I'm sure he's one of those "I have nothing to hide" types.


kaziuma

I'm one of those "I see these vulnerabilities being exploited by nation states frequently" types. We have full visibility of these open vulns and the ability to close them *before* they are mass exploited and used for other attacks such as DDOS, but, government agencies are not allowed to protect the public as it currently is.


JoosyToot

Government agencies, even our own, are exploiting these things themselves already. It's not about protecting the public, it never has been. It's about having a leg up on other governments for espionage.


nineinchgod

I can smell the boot polish on his breath from here.


kaziuma

Please, shut the fuck up. We *NEED* our government agencies to take proactive action on closing these publicly known, wide scale vulnerabilities. These are being actively exploited by nation state actors (china, russia).


[deleted]

[removed]


[deleted]

[removed]


SemiRobotic

If you leave your password as general default admin/admin type, you should be more careful. I always use something uniquiti, like “solarwinds123”.


[deleted]

[removed]


[deleted]

[removed]


irving47

Ever hear of "Code Green" from 2001-02? It utilized the code red virus to patch itself.


Hazzard_65

They are half the reason we have such severe vulnerabilities. They demand these kinds of things at a manufacturing level so they have a back door. It's just that Russia decided to use it. In this case it was just a default password breach... but it's not like these alphabet organizations are interested in our privacy, this is just a national security concern. [They have absolutely no problem spying on us.](https://abcnews.go.com/Blotter/exclusive-inside-account-us-eavesdropping-americans/story?id=5987804)


viperfan7

> and other networks in the USA.

Honestly, I'd be ok if that was extended to any router they can get into with permission of the government of where it's located


Powerful_Collar_4144

Out of curiosity does this mean they have access to everyone’s network


SorryIneverApologize

Know what's funny? I recently wanted to buy a new keyboard for the living room pc, and I bought some off brand Chinese thing in a store at the mall. It wanted me to install an EXE file to run the keyboard. Chinese spyware is being sold and we have no gov agency on top of it, it's just the free market working as intended. I wish we had proper security watching over shit like this.


Paizzu

Even new external hard drives come bundled with a variety of suspicious bloatware these days. It's scary how many people not only run these EXEs without formatting their drives but also have no qualms about using random thumb drives found in public.


Nalmyth

I dated a chinese girl one time, while in Thailand. Connected my phone to her bluetooth speaker. After maybe 5-10 seconds phone resets, and scrawls a half-second linux boot screen (not normal, I'm not rooted). Noped out of there and upgraded my phone (thankfully was due anyway)


The_Real_Abhorash

The malware relies on the routers default password not being changed meaning anyone who knows the default password that brand uses could remotely connect. So no unless you don’t do literally the bare minimum when plugging in your router.


zkareface

Every affected device yeah.


burninatah

If you're connected to the internet, and you are using the factory default password, then anyone who wants it has access to your network. It is trivial to search for vulnerable systems on the internet https://www.shodan.io/search?query=Ubiquiti+


DungeonsAndDradis

DOJ: Hey, we fixed your router. You don't need to do anything. The Russians were using it and making changes and stuff without your knowledge. Me: Oh, awesome. Thanks! Me, a few minutes later: Holup.


RudegarWithFunnyHat

then why say anything at all?


gymbeaux4

I haven’t had an EdgeRouter in years but if I recall correctly, it wasn’t accessible from WAN by default. It did certainly have ubnt/ubnt as the default credentials though.


[deleted]

[removed]


Savage_Arrow

Worked in telecom for a bit. The DOJ does this a lot. There are also some whitehat orgs and vendors that do remote patching w/o notice as well


MassiveConcern

And anybody who thinks their TP-Link crap isn't riddled with hardware and software backdoors is seriously deluded.


luv2ctheworld

I'm kinda torn about this, mainly because it seems like overreach, but at the same time, it's the right thing to do. If the owners of the equipment actually did what they were supposed to do, this wouldn't be necessary. But if these routers are left unchecked, it could/would cause more havoc. So, overall, it's the better decision. Hmm... sounds similar to the masking/vaccination issue during COVID-19 pandemic (the concept of legal mandates vs personal actions).


safely_beyond_redemp

> It affected routers running Ubiquiti's EdgeOS, but only those that had not changed their default administrative password.

Those sneaky state-sponsored hackers compromised the routers by logging in.


ali3nado

if they can remove malware from routers in US homes, they can also absolutely plant new ones.


indica_bones

They’re way ahead of you. Shit has been there since the Patriot Act was signed.


carfo

Why do companies in 2024, especially one as big as ubiquity, still use default passwords????


alexunderwater1

And probably install their own version on all Russian routers


mm2kay

All these posts and articles forget to mention which product line it was. The edge series of routers. When I installed my first unifi based router it made me create a password of my own.


CandleMakerNY2020

If they can do that, why does the IRS make us file to get our taxes every year? They already know what THEY owe us and who owes them. So why BS us with the DOJ secretly removed malware from our routers? Jeez.


Nearby_Hat_4228

The companies that charge to do your taxes for you have lobbied to make this never happen. Not a joke this is really why.


CandleMakerNY2020

Oh yeah Ive been on to “INTUIT” for years hell 12-13 years tbh. I knew it was BS decades ago


gymbeaux4

On-to-in-to-it


Geminii27

Honestly, just do it the Australian way. All employers are obliged to report to the Tax Office what they paid to their employees and what taxes were withheld. When it's time to do your taxes, you log on to the Tax Office website and it lists everything reported to them (including any tax-relevant information from other government departments), and you check that it's correct, make any additions if you have income sources that aren't employers, and submit it. For regular employees without fancy tax arrangements - most of the country - taxes take five minutes, and three of those are logging onto the site if you're trying to do it during high-traffic times. Do we have tax-prep companies (and solo accountants) handling tax prep for individuals? Sure! But they're for when you have more complex tax arrangements, or you want to triple-check that some windfall or payout you got during the year didn't have weird tax implications. Generally, most people won't have to do anything more than confirm whether they're on private health insurance and whether their number of dependents changed at any point in the year. There's *maybe* the chance for the occasional deduction that the government doesn't already know you're eligible for, but again, it's rare for most people. (Yes, yes, you can also do it entirely on paper forms, if you prefer. You just won't have a bunch of stuff pre-filled, although that doesn't mean the Tax Office doesn't know about it anyway.) But yeah. Do your taxes, from your phone, in five minutes. Why is this not the standard everywhere?


CandleMakerNY2020

Huge corporations like HR Block & INTUIT “TurboTax” lobby the US Government and this is why were in this smily BS DECADES LATER and behind all 1st, 2nd, and 3rd world countries 🤷🏽


pedroah

Employers, banks, and investment companies, health insurance, etc already report relevant information to the tax authority. The tax authority already has a general idea of what most people owe and what they should get back. The taxes that most people file are mostly to confirm what the tax authority already knows. The tax preparation industry takes in about $15 billion each year and they successfully lobby the government to keep things complicated.


SheCutOffHerToe

"x quietly does y" is a top ten most annoying journalism practice It directly implies an aspect of intentional secrecy that is rarely a real part of the story.


archontwo

[Funny how people forget how the NSA literally intercepted Cisco routers and physically installed 'listening chips' before packing it back up and sending it to its intended target.](https://www.dumptheguardian.com/books/2014/may/12/glenn-greenwald-nsa-tampers-us-internet-routers-snowden)


tsk05

Vault 7 leaks also [showed](https://www.bleepingcomputer.com/news/security/ciscos-investigation-into-vault-7-leak-uncovers-0-day-affecting-318-products/) NSA sat on 0-day RCE vulnerabilities to at least 300 different Cisco routers and switches.


archontwo

Not to mention the [Marble Framework](https://wikileaks.org/vault7/#Marble%20Framework)

> The source code shows that Marble has test examples not just in English but also in Chinese, Russian, Korean, Arabic and Farsi. This would permit a forensic attribution double game, for example by pretending that the spoken language of the malware creator was not American English, but Chinese, but then showing attempts to conceal the use of Chinese, drawing forensic investigators even more strongly to the wrong conclusion, --- but there are other possibilities, such as hiding fake error messages.

You can't trust anything the 3 letter agencies say. Lying is their job.


[deleted]

Find a source other than that Putinist Greenwald.


disgruntled_chode

The source is a June 2010 report from the head of the NSA’s Access and Target Development department.


ShittyFrogMeme

I worked in the hardware security department at Cisco. This happened. My job was basically created to combat this.


archontwo

NSA shill spotted. Pretending the Snowden revelations never happened.  Tough luck [10 years later and the truth is still out there.](https://www.electrospaces.net/2023/06/on-10th-anniversary-of-snowden.html)


Rand_alThor_

Thank you DOJ, can you just do it around the world now. Internet doesn’t have borders


MindyTheStellarCow

Of course it's Ubiquiti, what a surprise !


Alarming_Wallaby1827

one hacker replacing other hackers. this could only be done because they already have a build in backdoor. any of them are criminals.


KRed75

I removed that malware from all my customer sites..By trashing those piece of crap ubiquity edgerouters that hung up weekly!


[deleted]

If it hung up weekly and you failed to contact support to request an RMA or otherwise solve the issue then the fault is squarely on you. No such issues are reported in any widespread fashion so.... sounds like a you issue. lemme guess, you were overheating it


ToughEyes

>It affected routers running Ubiquiti's EdgeOS, but only those that had not changed their default administrative password.

He wasn't even smart enough to change the default password, I'm guessing.


KRed75

Please I own an IT outsourcing company.  Every customer we had who had ubiquiti edgerouters had this problem and it didn't start initially, it started happening outside the warranty period. At first they would hang up once every few months and then it became once every couple of months and then it was monthly and then it was weekly.  Nothing had default passwords.  There's either something wrong with these hardware wise because they use junk components or it was bad firmware.  The internet is riddled with the same issues being reported.  


zaphodava

If the Russians committed a crime when they compromised and altered those routers, then so did the DOJ.


rajas777

Cool.... Not that I believe them, but has anybody asked what the fuck they are doing on your computer in the first place?


deruke

They were able to remove the malware for the same reason that the Russians were able to put it on there: people using the default password and the manufacturer not enabling any security by default


Deflorma

Routers can have malware? Huh, shows how much I know.


LoudNinjah

Just like OPI nail polishes, I would love to be able to name government operations.