Ubiquiti Corrects Privacy Breach Allowing Access to Strangers’ Camera Footage
Ubiquiti says it has fixed a critical flaw that let some of its users inadvertently see other people's security camera footage, and in some cases reach accounts and devices unrelated to their own. The cross-account exposure was caused by a misconfiguration in Ubiquiti's cloud infrastructure, which the company says has now been corrected so that customer accounts are once again properly isolated from one another.
Initial Incident Report and Company Response
The issue first came to light on Wednesday, when a customer posted on Reddit to describe an unusual event: his wife had received a notification from UniFi Protect containing an image from a camera the couple did not own. UniFi Protect is Ubiquiti's application for managing its security cameras; it is supposed to show a user only their own devices, never another customer's feeds.
Concerns Over a Potential Security Breach
The unexpected notification showed footage from an unknown camera, and, adding to the confusion, when his wife opened the Protect app only the couple's own cameras were listed. The incident raised fears of a security compromise, including speculation that a disgruntled developer might have tampered with the system. Ubiquiti did not immediately respond to The Register's request for comment.
Community Voices and Ubiquiti’s Acknowledgment of the Issue
After this initial report, other Ubiquiti customers described similar experiences of receiving notifications from, or having access to, devices that were not theirs. One commenter shrugged the problem off as an inherent risk of connecting devices to the internet, but the company itself acknowledged the issue, stating that it began on the morning of December 13. On its support forum, Ubiquiti thanked users for the reports, which helped it trace the problem to an upgrade of the UniFi Cloud Infrastructure.
Investigation and Remediation Efforts
Although the exact number of affected customers remains unclear, Ubiquiti is still examining the incident's scope and has confirmed that the misconfiguration has been corrected. The company also confirmed that the Reddit reports were accurate: a small number of users received notifications generated by equipment owned by other customers, which indicates that the cloud service's separation between accounts had failed.
Company’s Promise to Contact Affected Users
In addition, a few of the users who received mismatched push notifications may have inadvertently gained temporary access to other customers' accounts. Ubiquiti believes that fewer than twelve people had their accounts remotely accessed by strangers and has pledged to contact those customers by email. That outreach comes on top of a separate security issue the company is dealing with, involving potential compromises of Ubiquiti routers by Russian cyber-groups.