Tom here from Lawrence Systems, and I did a video about the flaw that was discovered by a security researcher in the UniFi adoption process. The flaw is really a potential for someone to sniff out the key if this was done over the public internet. If there was someone listening in on the wire, and they captured the entire pcap of only the adoption process (not after), there was a potential for them to gain the key if they had all those packets. And then that would allow sniffing on the line for commands sent back and forth from a remote controller across the internet.

So this is a follow-up to that, into a couple of workaround options. The first workaround option is obvious: adopt on a local network and then transfer to the remote network. No problem there, because that way the key exchange happened behind a firewall, in a trusted network. That allowed, you know, an easy way to mitigate this. Another mitigation: run VPNs between the sites. So if you have a remote site and then you have a site that's in the cloud, set up a VPN for the controller and then adopt the local devices over the VPN tunnel, once again not passing that key over the public internet or anywhere someone could sniff it.

A third option that I didn't even think of, that was sent to me and suggested, and I wanted to try it, so that's what we're doing right now, was to do this over an SSH tunnel. Because you only need to have the adoption process over a VPN, or on a trusted network, or in a closed process: once adopted, the keys, once exchanged, are secure, other than the exchange process being the problem. So if the system is already adopted, and that's why when you move it on site, the key exchange isn't happening where it could be sniffed out; once the keys are set inside the system, it should work. So we're gonna do this over SSH, and it's pretty simple. We're just gonna use SSH tunneling.
I have videos on SSH tunneling I'll leave links to, and I'll leave a link to the video I did before on this topic. Before we dive into this, first: if you'd like to learn more about me and my company, head over to lawrencesystems.com. If you'd like to hire us for a short project, there's a hire us button right at the top. If you'd like to help keep this channel sponsor free (and thank you to everyone who already has), there is a join button here for YouTube and a Patreon page; your support is greatly appreciated. If you're looking for deals or discounts on products and services we offer on this channel, check out the affiliate links down below; they're in the description of all of our videos, including a link to our shirt store. We have a wide variety of shirts that we sell, and new designs come out, well, randomly, so check back frequently. And finally, our forums, forums.lawrencesystems.com, is where you can have a more in-depth discussion about this video and other tech topics you've seen on this channel. Now back to our content.

Now, nothing's changed from my last demo other than we'll be logging into the XG 6 PoE as opposed to the access point, but it's not really relevant what device you use to do this; the process is the same for adoption for the UniFi devices. Let's go over here and see that we've got Wireshark running the same way, and then I'm using tmux just to split the screen right here, because we're going to log into the device twice. One login session will be to create the tunnel; the next login session will be to do the adoption, and of course Wireshark is capturing the entire process all the way.

So let's SSH in, ubnt, since that's the default password, and then we'll SSH again, ubnt, default password. We've created two connections from my computer to this one. Now what we want to do is create the SSH tunnel, and what we're going to do is just forward port 8080, the inform port, over here. So we're going to SSH into the controller IP address, 172.16.69.17, and we're going to wrap 8080 in there.
I'm using root. Someone will lose their mind that I'm doing all this as root; this is just for the demo. You probably shouldn't do everything as root, and having password-enabled root authentication is not a great idea. Go ahead and put in our password for root. Yes, it's that short, because this is a demo system; someone will complain about that as well.

And now we will do the set-inform. Now, instead of set-inform with what before would have been the IP address of the controller, which is normal, or the fully qualified domain name depending on how you set it up, we're going localhost, because we've wrapped port 80; we've tunneled it. And now we're going to do set-inform over here. Before I do that, you see here's the controller just waiting for something to happen; we've got actually no devices in there. We're going to go ahead and set the inform, and use the controller to complete the process. There we go, pending adoption, and now I'm going to hit adopt, going through the adoption process. And we can look through here: everything's being encrypted over the SSHv2 tunnel, but the adoption process occurred. It went over the tunnel, and let's see what actually happens here.

So going through the adoption, I'll jump ahead to it actually being adopted, because it'll actually log me out of here and reboot it. Cross your fingers that it all works, because I haven't done this demo yet. All right, and now the adoption process is complete. One note that I want to make sure people are clear on is this one here under system settings, then the controller configuration: making sure you have the proper fully qualified domain name or IP address of your controller. It is important that you have this, because when we did the set-inform we were doing a localhost, and we don't want it to remain localhost. If you don't explicitly set this, I believe UniFi defaults to using whatever you set-informed with; that is what it will continue to use, because we used a localhost, because we were doing SSH tunneling.
Well, that would be a problem, and so I have made sure I set it to this. But let's look through the packet capture now. I'm actually going to grab all these packets, which I don't think any of the exchange was done over; this here's the request for the inform, everything put over there. We're gonna dump these packets and run it through that same processor, the proof-of-concept pixie dust tool, and see if it was able to find the key in here. It shouldn't have found anything, because everything was passed over SSH to get the key exchange done, but let's check real quick. I saved my adopt-over-SSH pcap; we're gonna send it over to the spot where I have pixie dust set up, which is root@192.168.3.194. It's just another Debian system where I had loaded this up. SSH into it, and there's your command: pixie dust, in adopt-over-SSH pcap, find keys, messages false, I think that's what we used last time. Nothing; it does not find it. So this is a true workaround that will work. It's going to tunnel everything right over the SSH, just like it did here.

So if we follow this a little bit further up, you'll see everything was done over SSH, versus the previous one. I think I still have that pcap file; here's that other one. I should be able to drag it right in here, and this adoption process, there's all the different config files that was from there, versus the other one, which is missing all this because everything was tunneled in SSH. So to answer the question: this is a fully viable solution in terms of adopting things to a controller. The downside is now you have to open up SSH password authentication to the controller, which creates its own problems, so to speak, because, well, any time you open up password authentication you have the potential for people to start hammering away at that particular system. Now, a mitigation for that: installing SSH keys, putting the keys in for each one of the devices, but that again seems like more work.
I just want to throw this workaround out there; I thought it was an interesting methodology to do it. You can always, of course, filter your SSH to only allow IP addresses from where you're coming from, and temporarily do it. You can see this is a little bit, I don't want to say clunky, of a workaround, but less than perfect. The bigger hope is that UniFi is gonna redo the adoption process and do it in a manner that is more secure.

Final thoughts I have on this, because people are pointing out, like, well, this just means blah blah blah, bad UniFi: the reality is a security researcher took the time to find this in this particular product. Does this flaw exist in other products? There's a big maybe. I'm not gonna say no until someone at a high skill level has taken the time to take apart other products and look at the protocols they use. It is not unheard of for major companies to have these types of flaws; this is just the nature of security. It's really hard. They assumed the process was good enough when they wrote this implementation, and it's not, and this is just how security goes. We look for problems as security researchers; they are found, they are reported, these companies then come up with workarounds, some mitigation. I have been on the internet since before most things were encrypted, so I'm happy to see all these changes. But yeah, in the early days of the internet, before people really started poking at things, nothing was really encrypted. So everything to me is, this is an iterative process of getting things locked down and more secure, and this is all just part of the security process and the evolution of devices on the internet. And yeah, this is definitely an issue, but like I said, this is just one more thing I wanted to throw in a toolbox of ways to mitigate this, and I thought it was an interesting workaround that does indeed work.
All right, thanks, and thank you for making it to the end of the video. If you liked this video, please give it a thumbs up. If you'd like to see more content from the channel, hit the subscribe button, and hit the bell icon if you'd like YouTube to notify you when new videos come out. If you'd like to hire us, head over to lawrencesystems.com, fill out our contact page, and let us know what we can help you with and what projects you'd like us to work together on. If you want to carry on the discussion, head over to forums.lawrencesystems.com, where we can carry on the discussion about this video, other videos, or other tech topics in general; even suggestions for new videos are accepted right there on our forums, which are free. Also, if you'd like to help the channel in other ways, head over to our affiliate page; we have a lot of great tech offers for you. And once again, thanks for watching, and see you next time.
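The check the video does by hand in Wireshark (scrolling the capture to confirm that nothing but SSH crossed the wire), as an added example that is not part of the video and is not a Ubiquiti, UniFi or Lawrence Systems tool: a small Python script that reads a classic pcap and flags any TCP segment carrying data to the inform port (8080) on the wire. With the SSH tunnel in place, only SSH records to port 22 should appear; a plaintext inform POST means the adoption did not go through the tunnel. The two captures are constructed inside the block (documentation addresses 192.0.2.10 and 192.0.2.20, no checksums) so it runs offline. The device-side commands the tunnel would use, `ssh -L 8080:127.0.0.1:8080 root@<controller-ip>` in one session and `set-inform http://localhost:8080/inform` in the other, are my assumed form of what the video types and are not shown in the transcript.

```python
"""Flag plaintext UniFi inform traffic in a pcap (added example, constructed data)."""
import struct

INFORM_PORT = 8080   # UniFi inform port, as used in the video
SSH_PORT = 22        # with the tunnel in place this is the only port that should carry data


def _pcap_packets(data: bytes):
    """Yield raw Ethernet frames from a classic (not pcapng) pcap blob."""
    magic, = struct.unpack_from("<I", data, 0)
    if magic == 0xA1B2C3D4:
        endian = "<"
    elif magic == 0xD4C3B2A1:
        endian = ">"
    else:
        raise ValueError("not a classic pcap file")
    linktype, = struct.unpack_from(endian + "I", data, 20)
    if linktype != 1:
        raise ValueError("only Ethernet captures are handled here")
    off = 24
    while off + 16 <= len(data):
        _, _, incl_len, _ = struct.unpack_from(endian + "IIII", data, off)
        off += 16
        yield data[off:off + incl_len]
        off += incl_len


def _tcp_fields(frame: bytes):
    """Return (src, dst, sport, dport, payload) for IPv4/TCP frames, else None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return None
    ip = frame[14:]
    if ip[9] != 6:  # protocol field: 6 is TCP
        return None
    ihl = (ip[0] & 0x0F) * 4
    total_len = struct.unpack_from("!H", ip, 2)[0]
    src = ".".join(map(str, ip[12:16]))
    dst = ".".join(map(str, ip[16:20]))
    tcp = ip[ihl:total_len]
    sport, dport = struct.unpack_from("!HH", tcp, 0)
    doff = (tcp[12] >> 4) * 4
    return src, dst, sport, dport, tcp[doff:]


def find_plaintext_inform(pcap: bytes):
    """Return (src, dst, payload preview) for every TCP segment that carries data
    to the inform port on the wire. An empty list means the adoption traffic stayed
    inside the SSH tunnel (which only shows up as segments to port 22)."""
    hits = []
    for frame in _pcap_packets(pcap):
        fields = _tcp_fields(frame)
        if fields is None:
            continue
        src, dst, _sport, dport, payload = fields
        if dport == INFORM_PORT and payload:
            hits.append((src, dst, payload[:12].decode("latin-1")))
    return hits


# --- constructed sample captures (no checksums; enough for the parser above) ---

def _frame(src, dst, sport, dport, payload):
    """Build a minimal Ethernet/IPv4/TCP frame for test data."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split(".")))) + tcp
    return b"\x00" * 12 + b"\x08\x00" + ip


def build_pcap(frames):
    """Wrap frames in a little-endian classic pcap with Ethernet link type."""
    header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    records = b"".join(struct.pack("<IIII", 0, 0, len(f), len(f)) + f for f in frames)
    return header + records


DEVICE, CONTROLLER = "192.0.2.10", "192.0.2.20"  # constructed documentation addresses

# Adoption done straight over the wire: the inform POST is visible in the clear.
PLAINTEXT_CAPTURE = build_pcap([
    _frame(DEVICE, CONTROLLER, 40000, INFORM_PORT, b"POST /inform HTTP/1.1\r\n"),
])

# Adoption over the SSH tunnel: only SSH traffic to port 22 crosses the wire.
TUNNELED_CAPTURE = build_pcap([
    _frame(DEVICE, CONTROLLER, 40001, SSH_PORT, b"SSH-2.0-OpenSSH\r\n"),
    _frame(DEVICE, CONTROLLER, 40001, SSH_PORT, bytes(range(32))),
])

if __name__ == "__main__":
    for name, capture in (("direct", PLAINTEXT_CAPTURE), ("tunneled", TUNNELED_CAPTURE)):
        print(name, find_plaintext_inform(capture))
```

To use it on a real capture, read the file saved from Wireshark or tcpdump into bytes and call `find_plaintext_inform` on it; the capture must be taken on the wire between the device and the controller, not on the device's loopback, since the forwarded localhost connection is exactly what the tunnel is meant to hide from the wire.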