UNIFI’d ownage
Centralised and Automated network management, lol
Where: BSidesAU | What: Unified Ownage | Who: Tim Noise
Tim Noise
• twitter/dnoiz1
• github/dnoiz1
• mIRC/dnz
• streetz/notorious D N Z
• tim@drkns.net
Future cyborg and self contained darknet
Ubiquiti Networks: a network vendor that isn't Cisco or Juniper
• Make wireless backhaul devices
• Make enterprise networking devices
• Added more products in SOHO/enterprise range
• Decided all these devices could be managed from
a web interface, called Unifi (now with cloud!)
• Publicly listed on NASDAQ
• Public bug bounty on hacker1
Unifi marketing: It just sounds so easy to be a network administrator!
• “The Global Leader in Managed WiFi Systems”
• “Millions of shipments per year”
• Powered by MongoDB (webscale)
• Written in Java (cross platform)
• Distro packages / repos for *nix
• Easy to use web interface
• Wifi heat maps / network maps etc
• Fancier throughput graphs not RRDtool
• Optional “CloudKey” device.
• Troy Hunt’s Jetski has fast wifi
Bug bounty: 23 bugs = Zero Dollars^WDays
• Between jobs
• Bug bounty looked appealing
• Submitted lots of bugs in Unifi / U-AP
• No response from Ubiquiti
• Found more bugs, didn't bother submitting
• Got a job and forgot about it for 12 months
• All bugs closed as `informative` 12 months later
• Poor Vendor response - make it a talk
Unifi actual: Security nightmare
• Basically a shiny Command and Control server for every adopted device
• Written in Java, with nested dependencies
• Java runs as root
• MongoDB runs as root
• Self-signed certificates
• Cloud connected (optional, but wtf)
• Centralised/reused device login (stored in Mongo)
• Passwordless MongoDB
• Implements its own AES-CBC message encryption on top of plain HTTP, rather than using TLS
• ...and more
Test environment: Emulating what we would expect to see in the wild
• Controller running on an Ubuntu VM
• Controller installed from the official repo
• Originally version 3, now version 5
• Started with 1x UAP-AC-PRO
• Added 1x Unifi Switch 24 PoE
• Added some NanoBeam ACs (airOS, not Unifi)
Unifi adoption: Joining the Mirai^WUnifi platform
• LED is white while the device is not configured
• Discovery via LLDP, CDP and Ubiquiti's own discovery protocol (UDP 10001)
• Adopt (provision) a discovered device from the web UI
• Controller SSHs into the device
• Configures the SSH password, inform URL, SSIDs etc.
• Device then periodically informs the controller of its status, throughput, connected clients, client roaming etc.
• LED becomes blue
Finding the controller: Which panel is helm control?
• Almost exclusively on VLAN 1
• TCP 8080 (HTTP, informs) and 8443 (HTTPS management UI)
• TCP 6789 (throughput metrics), 8880 (guest portal)
• UDP 10001 (discovery), 3478 (STUN)
• HTTP Server header: Apache-Coyote/1.1
• Certificate subject (openssl s_client): /C=US/ST=CA/L=San Jose/O=ubnt.com/OU=UniFi/CN=UniFi
• Older versions leave files in the webroot, eg: hotspot.jsp, /upnp/ and more
Capturing informs: grabbing the messages off the wire
• Basic MITM techniques
• ARP spoofing (dsniff, ettercap, etc.)
• Promiscuous mode on the VM's physical interfaces
• DNS poisoning (when the inform URL is configured with a hostname rather than an IP)
• Messages are plain HTTP POSTs to port 8080
• Capture with tcpdump / Wireshark, or point the device at a SimpleHTTPServer
Decompiling Unifi: The source will tell you the secrets
• Extract the JAR
• JAD works for older versions (class file version < 50, i.e. Java 5 and earlier)
• JD-GUI for newer versions
• Read and follow the mess that is produced
• In this case InformServlet.java: we're looking at the /inform route
Decoding messages: Magic? not really.
• Decodable 40 byte header, then the data
• Body is compressed (snappy) and encrypted (AES)
• AES key per device, stored in Mongo
• Legacy plain text inform is now disabled
• Decoded payload is JSON, which the controller writes to Mongo
Spoofing informs: Yo, it's me, your boy
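The header-plus-body layout from the decoding slides is enough to write a decoder for inform POSTs captured on port 8080 and, holding a device's key, an encoder for the spoofing step on this slide. The Go program below is an added example written for this page, not code from the talk or from Ubiquiti. The 40-byte header offsets and the flag bit values follow public write-ups of the inform protocol and are an assumption here (the slides only say "40 byte header"), as are the device key, MAC and IV, which are constructed for the demo. It builds an inform the way a device would, decodes it back, and rejects truncated, wrong-key and compressed bodies explicitly; compressed bodies are flagged rather than inflated, because snappy is not in Go's standard library.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
	"errors"
	"fmt"
)

// 40-byte big-endian header and flag bits as given in public write-ups of the
// inform protocol; the slides only say "40 byte header", so treat the exact
// offsets and bit values as an assumption of this example.
const (
	magic         = "TNBU"
	hdrLen        = 40
	flagEncrypted = 0x01 // AES-CBC under the per-device key, IV carried in the header
	flagSnappy    = 0x04 // snappy-compressed body, as the talk saw on the wire
)

type Header struct {
	PayloadVersion, PayloadLen uint32
	Flags                      uint16
	MAC                        [6]byte
	IV                         [16]byte
}

// ParseHeader needs no key, so it is enough to list MACs and flags from a capture.
func ParseHeader(b []byte) (h Header, err error) {
	if len(b) < hdrLen || string(b[:4]) != magic {
		return h, errors.New("not an inform: short or bad magic")
	}
	copy(h.MAC[:], b[8:14])
	h.Flags = binary.BigEndian.Uint16(b[14:16])
	copy(h.IV[:], b[16:32])
	h.PayloadVersion = binary.BigEndian.Uint32(b[32:36])
	h.PayloadLen = binary.BigEndian.Uint32(b[36:40])
	if uint64(len(b)-hdrLen) < uint64(h.PayloadLen) {
		err = errors.New("truncated payload")
	}
	return h, err
}

// Decode recovers the body: AES-CBC under the device key (the per-device key the
// controller keeps in Mongo), strip PKCS#7 padding, then hand back the JSON.
func Decode(msg, key []byte) (Header, []byte, error) {
	h, err := ParseHeader(msg)
	if err != nil {
		return h, nil, err
	}
	body := msg[hdrLen : hdrLen+int(h.PayloadLen)]
	if h.Flags&flagEncrypted != 0 {
		block, err := aes.NewCipher(key)
		if err != nil || len(body) == 0 || len(body)%aes.BlockSize != 0 {
			return h, nil, errors.New("bad key or ciphertext length")
		}
		plain := make([]byte, len(body))
		cipher.NewCBCDecrypter(block, h.IV[:]).CryptBlocks(plain, body)
		n, p := len(plain), int(plain[len(plain)-1]) // PKCS#7: last byte is the pad length
		if p == 0 || p > aes.BlockSize || !bytes.Equal(plain[n-p:], bytes.Repeat(plain[n-1:], p)) {
			return h, nil, errors.New("bad padding: wrong key or corrupted body")
		}
		body = plain[:n-p]
	}
	if h.Flags&^flagEncrypted != 0 { // compression bit set: inflate before parsing as JSON
		return h, body, errors.New("compressed body: not inflated here (no snappy in stdlib)")
	}
	return h, body, nil
}

// Encode builds an inform the way a device would; with a forged body it is the spoofing step.
func Encode(mac [6]byte, key, iv, json []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	pad := aes.BlockSize - len(json)%aes.BlockSize
	padded := append(append([]byte{}, json...), bytes.Repeat([]byte{byte(pad)}, pad)...)
	ct := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(ct, padded)
	out := make([]byte, hdrLen, hdrLen+len(ct))
	copy(out[0:4], magic)
	copy(out[8:14], mac[:])
	binary.BigEndian.PutUint16(out[14:16], flagEncrypted)
	copy(out[16:32], iv)
	binary.BigEndian.PutUint32(out[32:36], 1) // payload version
	binary.BigEndian.PutUint32(out[36:40], uint32(len(ct)))
	return append(out, ct...), nil
}

func main() {
	key := []byte("0123456789abcdef")                  // hypothetical 16-byte device key
	mac := [6]byte{0x00, 0x11, 0x22, 0x33, 0x44, 0x55} // hypothetical AP MAC
	iv := bytes.Repeat([]byte{0x42}, aes.BlockSize)    // fixed for the demo; a device picks a random IV
	msg, _ := Encode(mac, key, iv, []byte(`{"mac":"00:11:22:33:44:55","inform_url":"http://unifi:8080/inform"}`))
	h, body, err := Decode(msg, key)
	fmt.Printf("flags=%#04x mac=%x payload=%d bytes err=%v\n%s\n", h.Flags, h.MAC, h.PayloadLen, err, body)
}
```

Run it with `go run inform.go`. To work on a real capture, replace the constructed message with the raw POST body taken off port 8080 and the key with that device's entry from Mongo; `ParseHeader` alone, with no key, already gives you the MAC and flags of every inform in a pcap, and a padding error on `Decode` is the usual sign that the key is the wrong one.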
Plain text passwords: How else do you store them?
Version upgrades: Lazy packaging is lazy
• Leaves redundant fields in Mongo (i.e. plain text PSKs / passwords)
• Leaves world-readable configuration files behind (more plaintext stuff)
• Basically doesn't clean up after itself
Guest access points: Run it on the management controller, what could go wrong?
• Built-in hotspot / guest portal access
• Vouchers, payments (Stripe, PayPal, etc.)
• Facebook / Google+ login
• Guest policy restricts access to configured subnets
• Same host and application as the management platform
• The same database holds the device management data and the guest data
Takeaway: Keeping your fingers greasy
• Hardware is solid (not much investigation done)
• OpenWrt build targets exist as alternative firmware
• Find the controllers, find the devices
• Attempt to bust the crypto
• Physical access is a winner
• SSJI (server-side JavaScript injection into Mongo) = game over
• Use a reverse proxy to separate guest access, inform and management
• Endure the pain of segmenting the network
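One way to carry out the reverse-proxy takeaway, as an added example that is not from the talk: the three listeners the slides identify (8080 informs, 8880 guest portal, 8443 management UI) are split across separate VLAN-facing addresses so that APs only ever see /inform, guests only ever see the portal, and the management UI is only reachable from the admin VLAN. Everything about the addressing is an assumption: the controller host is 10.10.0.2 and reachable only from the proxy, 10.10.1.1 / 10.10.2.1 / 10.10.9.1 are the proxy's addresses on the device, guest and admin VLANs, and the certificate paths are placeholders.

```nginx
# Added example, not from the talk. Assumed layout:
#   10.10.0.2  controller host, reachable only from this proxy (firewall it)
#   10.10.1.1  proxy address on the AP/switch VLAN  -> informs only
#   10.10.2.1  proxy address on the guest VLAN      -> hotspot portal only
#   10.10.9.1  proxy address on the admin VLAN      -> management UI only

# AP/switch VLAN: expose nothing on 8080 except the inform endpoint.
server {
    listen 10.10.1.1:8080;
    location = /inform {
        proxy_pass http://10.10.0.2:8080/inform;
        proxy_set_header Host $host;
    }
    location / { return 404; }
}

# Guest VLAN: only the hotspot portal paths, never the management UI.
server {
    listen 10.10.2.1:8880;
    location /guest/ {
        proxy_pass http://10.10.0.2:8880/guest/;
        proxy_set_header Host $host;
    }
    location / { return 404; }
}

# Admin VLAN: management UI, terminated with a certificate you actually issue
# instead of the controller's self-signed CN=UniFi one.
server {
    listen 10.10.9.1:443 ssl;
    ssl_certificate     /etc/ssl/unifi/fullchain.pem;   # hypothetical paths
    ssl_certificate_key /etc/ssl/unifi/privkey.pem;
    location / {
        proxy_pass https://10.10.0.2:8443;
        proxy_ssl_verify off;                           # upstream is the self-signed controller cert
        proxy_http_version 1.1;                         # websocket upgrade for the live UI
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header Host $host;
    }
}
```

Point the controller's "Controller Hostname/IP" override at the proxy's device-VLAN address so adoption hands devices an inform URL that goes through the proxy, and firewall the controller host so nothing but the proxy reaches 8080, 8443 and 8880. This limits what each network segment can reach; it does not change the fact that guest data and device management still share one passwordless Mongo on the controller.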
QUESTIONS?