Posting this here since I’ve filed a disclosure with Ubiquiti on Feb 28th 2016 and had no acknowledgment other than to be patient. But two months of not even looking at what is quite a serious issue isn’t acceptable to me.
I do really like the Unifi Video product (hardware + software) so it’s a shame it’s let down by poor transport security and slow addressing of security issues by the vendor. I intend to write up a proper review soon, but it was more important to get this report out first.
My mitigation recommendation is that you only communicate with your Unifi Video systems via secure encrypted VPN, eg IKEv2 or OpenVPN until such time that Ubiquiti takes this seriously and patch their shit.
28th Feb 2016 – Disclosure of issue via HackerOne (#119121).
There is a SSL/TLS certificate validation flaw on the Unifi Video application for Android and iOS where it accepts any self-signed certificate served by the Unifi Video server silently allowing a malicious third party to intercept data.
Versions of software used;
- Unifi Video 3.1.2 (server)
- Android app 1.1.3 (Build 153)
- iOS app 1.1.7 (Build 1.1.48)
Impact
Any man-in-the-middle attacker could intercept customers using Unifi Video from mobile devices by replacing the secure connection with their own self-signed certificate, capturing login password, all video content and being able to use this in future to view any cameras at their leisure.
Steps to reproduce:
- Perform clean installation of Unifi Video server.
- Connect to the web interface via browser. Self-signed cert, so have to accept cert.
- Connect to NVR via the Android app. No cert acceptance needed.
- Connect to NVR via the iOS app. No cert acceptance needed.
- Erase the previously generated keystore on server with: echo -n “” > /usr/lib/unifi-video/data/keystore
- Restart server with: /etc/init.d/unifi-video restart
- We now have the server running with a new cert. You can validate that, by refreshing the browser session and it will require re-acceptance of the new self-signed certificate and can see new generation time & fingerprint of new cert.
- Launch the Android app. Reconnect to the previously connected NVR. No warning/validation/acceptance of the new self-signed cert is requested.
- Launch the Android app. Reconnect to the previously connected NVR. No warning/validation/acceptance of the new self-signed cert is requested.
- Go get some gin and cry :-(
Comments
Whilst I can understand an engineer may have decided to develop the mobile apps to always accept a cert the first time it sees it to simplify setup for customers whom will predominately have a self-signed cert on Unifi Video server, it must not accept subsequent certificate changes without warning to the user. Failing to do so, allows a MITM attack on any insecure networks.
I’d recommend a revised workflow such as:
- User connects to a new NVR for the first time. Certificate is accepted silently (or better, shows the fingerprint, aka SSH style).
- Mobile app stores the cert fingerprint against the NVR it connected to.
- Cert gets changed – whether intentionally by user, or unintentionally by attacker.
- Mobile apps warn that the NVR’s cert fingerprint has changed and that this could be dangerous/malicious. User has option of selecting whether they trust this new certificate or whether they do not wish to connect. This is the approach that web browsers take with changed self-signed certificates.
This would prevent silent MITM attacks, whilst will allowing a cert to be updated/changed intentionally.
Communication with Ubiquiti:
12th March 2016 Jethro Carr
hi Ubiquiti,
Can I please get an update – do you confirm there is an issue and have a timeframe for resolution?
regards,
Jethro
15th March 2016 Ubiquiti Response
Thank you for submitting this issue to us, and we apologize for the delay. Since launching with HackerOne we have seen many issues submitted, and we are currently working on reducing our backlog. We appreciate your patience and we’ll be sure to update you as soon as we have more information.
Thanks and good luck in your future bug hunting.
24th April 2016 Jethro Carr
hi Ubiquiti,
I’ll be disclosing publicly on 29th of April due to no action on this report after two months.
regards,
Jethro
26th April 2016 Ubiquiti Response
Thank you for submitting this issue to us, and we apologize for the delay.
We’re still reviewing this issue and we appreciate your patience. We’ll be sure to update you as soon as we have more information.
Thanks and good luck in your future bug hunting.
As of October 30th 2016, Ubiquiti has closed the issue I raised as a duplicate of issue 81472 which has not been publicly disclosed either (https://hackerone.com/reports/81472).