A few people had tagged me in this, so I thought I'd bring it up. Mr. Jim Troutman here. This is a tweet he had on January 29th: "Heads up, Ubiquiti network devices are being remotely exploited via port 10001 Discovery Service. Results in a loss of device management, also being used as a weak UDP DDoS amplification attack, 56 bytes in, 206 bytes out." If you're not familiar with DDoS amplification tactics, do a Google search and there are plenty of explainers on it. But the short of it is, UDP does not check the source when a packet is sent. So you can lie about where it's coming from, which means when you send the 56 bytes in, 206 bytes go towards that next destination. And if you've monkeyed with the packets a little bit, you can make that destination be someone else. Multiply that times lots of these devices exposed on the internet, and you do have a little bit of a problem. Not the biggest problem, but it's still a concern. And obviously this is somewhat concerning, but let's talk about what it means. Now, UniFi, Ubiquiti Networks, is directly replying to this tweet. They are not ignoring it. They are addressing it. But let's talk about how this happened, or what's wrong, and is it really a security risk? Yes, it is a security risk. I guess I should probably just address that. As many people know, I like UniFi, but that does not mean that this does not present some type of a security problem. But what is this? Well, this is the discovery port. And this is the response: Ubiquiti has been aware of this problem for a while. And it kind of comes down to slightly a misconfiguration problem and an ease-of-use problem. So they're aware that you can turn this off, and they tell you how to turn it off here in this link. And I'll leave links to all this so you can follow along here.
But in short, what it does is this: this UDP port is part of the discovery process, to discover UniFi devices using their different tools and be able to find another UniFi device on the management interface when you plug these in and configure them. But the problem is these shouldn't be public-facing on the internet. So while I applaud Ubiquiti for working on a firmware to mitigate this, the reality is people who don't know how to configure things very well constantly are configuring things to be public-facing. We are not worried about this for any of our clients because, yes, we have used these devices, but we never put the management interface on public IP space where it's publicly accessible. Matter of fact, we set up management LANs, and then we have VLANs where we route the actual traffic over. This is standard practice for setting these up. They're not part of the externally exposed sections of the network. And this isn't just a UniFi problem. This really comes down to the fact that no device should have its management interface publicly exposed. Whether you're putting in a Cisco, a Fortinet, it doesn't matter if it's a brand-name one or not. The management interfaces of devices should not be public-facing. Matter of fact, they shouldn't even be office-facing if you can avoid it. And when you set up a larger enterprise network, you make sure you control who has access to the management interface. You put restrictions on that. You lock it down as tight as possible because, well, there are people on the inside of your network that you don't want accessing the interface. And I can certainly guarantee you there are external people you don't want accessing this as well. But unfortunately, and we're going to link to this as well, there's a little bit more research and a little bit deeper dive from the folks over here at Rapid7. Their write-up is titled "Understanding Ubiquiti Discovery Service Exposures."
And kind of like I said, this is one of those things: if Ubiquiti chose not to have this discovery feature, you would have a harder time finding the devices. You'd have to look at something like a DHCP table, versus just using some of their apps to go, "hey, look, I'm just going to send it out on this port and find the device." So it's an interesting problem. It is more a problem of misconfiguration than a security flaw as such. It is concerning that flooding this port, per Mr. Troutman's write-up here, does cause the device to become inactive and inaccessible. So he does talk about it as a risk. Now, we don't know of any exploits that occur by flooding this port 10001 with UDP packets, but it is concerning that it disables the device, and the reason why is because that's how the attacks begin. You find something that crashes the device, and then if that crashes it, you keep plugging away at it until you find the right magic combination of things that causes it to maybe give you access. But once again, this is also why you should never leave management ports exposed to the internet, because this can happen. And a lot of people do it out of convenience, or, as it's mentioned right here in the Rapid7 blog, a lot of WISP companies do this. And, you know, this is one of those problems when you use some of the less expensive equipment: they made it easier to use, but people who are choosing the least expensive, easiest-to-set-up equipment aren't necessarily the best network engineers at the same time, or security-minded, which has led to some pretty big numbers out there. 17,000, 192,000 NanoStations, 131,000 airGrids, LiteBeams, they kind of run down the list here. And they're using Shodan and their own tools.
Sounds like they have a tool called Project Sonar that Rapid7 maintains to scan the internet and find all this, but you can use Shodan to look this up as well and find there are quite a few of these devices misconfigured out there. So is it the end of the world? Not really. Should it be fixed? Yes. But like I said, it's not something I'm concerned about with my clients because we never expose management interfaces. Generally, you have some type of box inside the client's network, what we sometimes refer to as a jump box. So you control access to that one particular box via VPN or however you get into the network. And then from there, you can get into that network to get to other things. So there are different designs you can do, and should be doing, to keep this more secure. You don't just put public, routable IPs on all of your NanoStations, set it up that way, and leave it all exposed. This is what leads to these types of problems, because that should not be public-facing. And like I said, I'm happy that there are some firmware updates to fix it, but generally speaking, there's probably a Venn diagram we could draw of people who misconfigure things and leave them all publicly exposed and people who don't update firmware. I bet the same people fall right into that same category. So if you have something publicly exposed, rethink your network setup, do push the firmware, follow the mitigations on here. And it's still interesting. Like I said, it's one of those questions: do you blame Ubiquiti for making it easier to configure your devices and leaving this exposed, or do you blame the people who do it? I'll let you decide. Feel free to continue the discussion over on my forums.
And I'm open to other people's ideas on there, but generally speaking, I lock everything down and I don't leave my management interfaces exposed to the greater internet, because the greater internet is a place where people will just pound away at those things if you do leave them exposed. All right, thanks. Thanks for watching. If you liked this video, give it a thumbs up. If you want to subscribe to this channel to see more content, hit that subscribe button and the bell icon, and maybe YouTube will send you a notice when we post. If you want to hire us for a project that you've seen or discussed in this video, head over to lawrencesystems.com, where we offer both business IT services and consulting services and are excited to help you with whatever project you want to throw at us. Also, if you want to carry on the discussion further, head over to forums.lawrencesystems.com, where we can keep the conversation going. And if you want to help the channel out in other ways, we offer affiliate links below, which offer discounts for you and a small cut for us that does help fund this channel. And once again, thanks for watching this video, and see you next time.
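Added example, appended to the transcript above and not code from the video, from Lawrence Systems, or from Ubiquiti. It shows how the amplification pattern described in the video looks from the reflector's side, i.e. in the flow log of an exposed device or the edge firewall in front of it: one forged "source" sends far more discovery probes than any management tool would, and the device's replies to that address come back roughly 3.7 times larger. The only facts taken from the page are UDP port 10001 and the 56-byte-in / 206-byte-out sizes from the tweet; the log line format, the sample addresses (RFC 5737 documentation ranges), and the 20-probe threshold are assumptions made for the example.

```python
# Added example, not from the video or from Ubiquiti: flag Ubiquiti discovery
# (UDP/10001) reflection abuse in a device's or edge firewall's flow log.
# Facts used from the page: the service is UDP port 10001, and one 56-byte
# probe draws a 206-byte reply. Everything else (log format, addresses,
# threshold) is assumed for illustration.
from collections import defaultdict

DISCOVERY_PORT = 10001    # Ubiquiti discovery service (UDP)
PROBE_BYTES = 56          # request size from the tweet quoted above
REPLY_BYTES = 206         # reply size from the tweet quoted above
ABUSE_THRESHOLD = 20      # assumption: this many probes from one address is not discovery


def parse_line(line):
    """Parse one constructed log line of the form
    '<in|out> <src>:<sport> > <dst>:<dport> <proto> <bytes>'
    (an assumed format, not any real firewall's syntax)."""
    direction, src, _, dst, proto, nbytes = line.split()
    sip, sport = src.rsplit(":", 1)
    dip, dport = dst.rsplit(":", 1)
    return {
        "dir": direction, "src": sip, "sport": int(sport),
        "dst": dip, "dport": int(dport), "proto": proto.lower(),
        "bytes": int(nbytes),
    }


def analyze(lines, threshold=ABUSE_THRESHOLD):
    """Summarize discovery traffic per remote address as seen by the reflector.

    The reflector cannot tell that a source address is spoofed. What it sees
    is one 'source' sending a burst of probes and its own replies to that
    address (the real victim) being about 3.7x larger than the probes."""
    probes = defaultdict(int)
    bytes_in = defaultdict(int)
    bytes_out = defaultdict(int)
    for line in lines:
        if not line.strip():
            continue
        pkt = parse_line(line)
        if pkt["proto"] != "udp":
            continue
        if pkt["dir"] == "in" and pkt["dport"] == DISCOVERY_PORT:
            probes[pkt["src"]] += 1
            bytes_in[pkt["src"]] += pkt["bytes"]
        elif pkt["dir"] == "out" and pkt["sport"] == DISCOVERY_PORT:
            bytes_out[pkt["dst"]] += pkt["bytes"]
    findings = {}
    for ip, n in probes.items():
        amp = bytes_out[ip] / bytes_in[ip] if bytes_in[ip] else 0.0
        findings[ip] = {
            "probes": n,
            "bytes_in": bytes_in[ip],
            "bytes_out": bytes_out[ip],
            "amplification": round(amp, 2),
            "suspect": n >= threshold,   # likely the victim whose address was forged
        }
    return findings


def make_sample(victim="192.0.2.77", reflector="198.51.100.10", spoofed_probes=30):
    """Constructed sample log: one legitimate discovery exchange from an admin
    at 203.0.113.9, an unrelated TCP flow, then a burst of probes whose
    source address is forged to the victim."""
    lines = [
        f"in 203.0.113.9:53022 > {reflector}:{DISCOVERY_PORT} udp {PROBE_BYTES}",
        f"out {reflector}:{DISCOVERY_PORT} > 203.0.113.9:53022 udp {REPLY_BYTES}",
        f"in 203.0.113.9:53023 > {reflector}:22 tcp 60",   # not UDP, ignored
    ]
    for i in range(spoofed_probes):
        sport = 40000 + i
        lines.append(f"in {victim}:{sport} > {reflector}:{DISCOVERY_PORT} udp {PROBE_BYTES}")
        lines.append(f"out {reflector}:{DISCOVERY_PORT} > {victim}:{sport} udp {REPLY_BYTES}")
    return lines


if __name__ == "__main__":
    for ip, f in analyze(make_sample()).items():
        flag = "SUSPECT" if f["suspect"] else "ok"
        print(f"{ip:15} probes={f['probes']:3} amp={f['amplification']} {flag}")
```

Both addresses show the same 3.68 amplification ratio, because the ratio is a property of the service, not of the sender; what separates abuse from legitimate discovery is the probe count per address. That is also why a rate limit alone is a weak fix: the reply is still sent to a forged address, which is the point the video makes about simply not exposing the port in the first place.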