Researchers found a flaw in Ubiquiti G4 Wi-Fi cameras, that exposes the selection of important chunks of information. They suppose a similar vulnerability was used back in 2019 to perform DoS attacks on a massive number of cameras. But despite Ubiquiti claims about fixing the issue, there are still enough devices susceptible to the issue.
20 Thousands Ubiquiti G4 Cameras Susceptible to DDoS Attacks
As far as the research goes, there are two privileged processes that are exposed through UDP to the global Internet. While sounding like not a big deal, these exposed processes allow dumping information about the device, which may further result in a DoS attack or device compromise.
By contacting the camera through the UDP protocols 10001 and 7004, the CheckPoint research team found the discovery protocol of the camera. Contacting the device resulted in the latter sending back its information – software version, IP address and the platform name. This is achievable without any authentication, which is already not a good sign, as this gives the full information about the company, addresses and other details about the device owner.
Another interesting detail is that the size of the response packet, that the camera sends back, is much larger than the input package. That opens the gates for amplification and so-called reflected DDoS attacks. By sending ping requests with a packet that contains a spoofed sender IP address, it is possible to direct the response to a network or a system that should be DDoS-ed. At the same time, forcing the cameras to send response packages creates a certain load, too, which creates the field for even more attack scenarios.
Are Ubiquiti Users and Cameras in Danger?
Not really. Compared to the half a million devices found in Rapid7’s research from 2019, the current 20,000 devices that the CPR team managed to locate is not too much to worry about. Still, a free-to-use selection of devices available for usage in Reflect DDoS attacks is a point of concern. Hackers typically pay serious money for getting a configured botnet for this purpose, and be sure – they will not ignore the opportunity to use one for free.
From the perspective of device owners, it is a rather irresponsible behavior. The base flaw – CVE-2017-0938 – got a fix from Ubiquiti long, long ago. The fact that there were a lot of devices running an outdated firmware version in 2019 is concerning, but not too bad. But 7 years later, in 2024, that just should not happen. And since it is not only about the opaque DDoS probability, but also about collecting information about the owner, that is also a privacy risk. Using it, hackers can plan on further attacks, building conclusions about the structure of the internal network.
