Tom here from Lawrence Systems, and we're going to talk about this excellent piece of security research that I'll link to down below: "Risks from symmetric key encryption in Ubiquiti UniFi's inform protocol." Now, I'm not good at clickbait, so I'll share with you where this problem occurs. This is very specifically in the adoption process. So if you are adopting this over the public internet, or over a network that would be untrusted, and someone was completely capturing all of your data, the exchange that happens during the adoption process does reveal the keys. We're going to walk through how that works and ways to mitigate it. But I want to make sure people know this is not necessarily the end-all, "oh my gosh, everything that traverses the public internet can suddenly be hijacked." But there's a potential, if there was a threat actor on the line essentially listening in to the handshake and process that occurs during the adoption of a device. There is some risk, quite a bit of risk, and we're going to go through the whole proof of concept and how this works.

Now, before we dive on into this: if you'd like to learn more about me or my company, head over to LawrenceSystems.com. If you'd like to hire us for a project, there's a "hire us" button right at the top. If you'd like to help keep this channel sponsor-free, and thank you to everyone who already has, there is a join button here for YouTube and a Patreon page; your support is greatly appreciated. If you're looking for deals or discounts on products and services we offer on this channel, check out the affiliate links down below. They're in the description of all of our videos, including a link to our shirt store. We have a wide variety of shirts that we sell, and new designs come out, well, randomly, so check back frequently. And finally, our forums, forums.lawrencesystems.com, is where you can have a more in-depth discussion about this video and other tech topics you've seen on this channel. Now, back to our content.

We're going to start here with an overview of the UniFi inform protocol. Ubiquiti's UniFi product line consists of routers, switches, and Wi-Fi access points; I've done a lot of videos on them on this channel. These devices do not have any local management; instead they rely on controller software running locally or hosted remotely, which is the UniFi controller software that I've done videos on as well, as far as how it is a control plane that is multi-tenant, which means I can manage many different companies through one single control plane. And I say that as in I host my controller in the cloud, or, for example, there's the HostiFi solution, which I've covered on this channel as well; it is a cloud controller where you can manage all your different devices, and you connect each of your sites to this. And it's in that adoption phase, which we're going to show, where the exploit works. Improper use of encryption is essentially what's at the heart of this, and what that means is they didn't encrypt properly: one, things are in their default mode. It's really basic how UniFi handles this, and we're going to cover the demo here in just a second in terms of the setup. But basically all the UniFi devices out of the box have the same username and password and the same static key in here, and this is a real problem.
So this is improper use because, well, everything comes with the same key. They did this so when you get a brand-new device it's easy to adopt and bring into your network, and then the keys are changed. You can't actually use a device in an unadopted state; the device is essentially useless, doesn't provide anything real. It doesn't do anything when it's unadopted. So it's not as much of a security concern, because you can't even set a config on it without adopting it, but obviously this is where "not much of a security concern" can become a bigger deal when you dive into it like we're going to here, as in sniffing what exactly happens. And we're going to go down through it; there's a whole proof of concept and mitigation, and essentially the mitigation for this is: don't adopt these systems unless they're on a trusted network, or not going out across the public internet. But I want to walk through it now. They have a whole write-up here, and I've already compiled it. They have the GitHub breakdown and a link to another GitHub that tells you really in depth how these protocols work and how it talks, and I've already done the setup work to get all of this set up. They have all the instructions in here; I'm not going to walk through those in detail, but let's go ahead and dive into our network setup and how we're actually going to extract the keys.

Right here is my pfSense. Here's my lab UniFi controller. Now, this is all internal addressing, so we're at 172.16.69.17. This is my internal controller, and we are running the latest, as of right now I should say, the latest version of the UniFi controller software, the 6.0 series. No, don't upgrade to the 6.0 yet; I have another video on that topic I'll leave a link to. There's still some testing going on, but I wanted to do it with the latest version. So what we have here is my US-XG-6POE, which is right here, plugged into that on a separate network.
We have my UniFi access point now. This is plugged in; 192.168.3.189 is the IP address, and it's getting it from my pfSense box. By the way, these are all private IP addresses, but the same applies if it's public; that's part of the simulation. I didn't bother spinning it up in the public cloud, just not really worth the trouble to do so. But ideally, if you have a threat actor who is here on the line, who is intercepting this, whether it's going out over the public internet like this or internally, if you have a threat actor they can listen to this process on either side of the network. So they're over here; they can listen on the line somewhere in between, anyway, between your adoption and your controller. This is where the threat problem comes in. Now, the short answer to how to mitigate this: if you were to have this device over here on the same network, and you have a clean network, or even in a scenario like I have here, where I don't have any untrusted threat actors besides myself sniffing packets on my network, so if I adopt this device to this controller and then migrate it to a cloud, because I'm doing a key migration at that point and it's already keyed, that does mitigate this. But what we're going to show is, we're going to sniff the line here, that's the traffic going across to this controller, so we can extract the keys and basically prove what this security researcher put together, that it all works. So in order to do that we have to do some Wiresharking. Now, I've got a whole video on Wireshark and pfSense I'll link to, but pfSense has a really slick way to actually pull Wireshark directly into my Linux terminal here, or you can go in pfSense and just grab a pcap file. I like to do it the fun way, by running Wireshark locally on my computer here. So we're going to do Wireshark.
We're going to log into my pfSense, we're going to pull and filter specifically for host ...3.189, and then we're going to SSH into that, because this device is a UniFi access point that's still at the default and has not been adopted yet. So first we'll kick off Wireshark; we start grabbing packets. All right, and you can see it's actually got some queries going out, DNS queries; it's basically looking and doing not much. And we're going to go ahead and log into it over here: ubnt, ubnt, that's the default password. Now, by SSHing into this we can show you something real quick; we'll make some noise. We're going to go ahead and ping something; we'll ping 1.1.1.1, and look, ICMP request to 1.1.1.1. So, you know, I'm capturing the right device, I'm capturing data out of it, and you can see it going back and forth. Now, the goal is going to be to set the inform URL. So what we do here is we are going to set the inform URL to be my UniFi controller, which is this right here, so it's at 172.16.69.17, and just like they show in the UniFi documentation, we're going to SSH into this device and then use a manual set-inform. Now normally, if the device is on the same network, it will automatically adopt. So if we're in the same subnet with the device, the discovery protocol that UniFi uses allows it to find devices on the same network and automatically adopt them. When you have a device on a separate network, or you want to adopt to a cloud controller, you need to set the inform URL. Because we're just going to use IPs, it's going to be all IP addresses instead of a full path, but the process is the same. So we're going to set the inform URL to be 172.16.69.17. Go over here, set-inform 172.16.69.17. Let me get Wireshark going behind here, and here comes that adoption process, all the back and forth. Now we'll switch back over to here, pending adoption, and this is the point; I close this here, close this, press adopt. Now it's gone through the adoption.
Now once it goes to this adoption, it's done; the process of capturing this has been completed. So I sniffed the traffic, I listened to the communication between this particular device and the UniFi controller, and now we're going to grab this capture. I'll make sure it has the full capture of the packets once we confirm it's adopted. So it says adopting; so the changes, I'll have the full capture, and we're going to save it and walk through the proof of concept.

All right, so we adopted the controller, sniffed the packets; now comes the fun part. I took that Wireshark capture, I dumped it into a pcap file, and then I went over and, per the instructions that the security researcher gave, used their pixie dust tool that is over on their GitHub. So we went over and I loaded Go, I cloned the git repo, you just do go build; the install instructions are really that simple, step one, step two, step three, and copy over the pcap file. Now, what did it extract? Let's find out. So here is that unify-adoption.pcap: find keys, message false, log stored err equals false, and that's it, I've now extracted the key. What can you do with this key information? Well, they actually have a couple of fun things in here. You can view the sent inform from the device, truncated there. You can view config settings as applied to the device. This is actually really kind of clever, that you are able to pull this type of information out, including the guest mode password. Yeah, that's not good. So as you're pushing commands and settings over to this UniFi, because we are able to extract the key during the adoption process, there are all these fun things that you're going to be able to do with this information.

So is this a really big problem? I guess that's what a lot of you might be asking, and yes and no, and let me explain. The reason I say yes and no is because the issue is definitely something I think, you know, UniFi should fix. It may be one of those things that they take a long time to fix, because fundamentally you've got to think about all the devices out there, and changing it is not simple. How do you mitigate this? It's really easy. Go over here to our diagram, and as I mentioned earlier, you just want to make sure of where you're adopting these. For example, if we are going to adopt these, and this is actually the process we've been following forever over here at my company for all of our local clients, or even some that were not so local that we ship things to: we adopt all the devices internally here, get them all updated and configured, then we put them over at the client's, deploy them and set them up. By doing that process, as long as our network is trusted, which it is, then there's not really an issue here. If you were to do the circumstance like I did in the demo here, where you adopted it and there's potentially someone, because you passed it along an untrusted network; in this particular demo here I was the untrusted actor extracting the capture from the adoption, so I became the problem, so to speak, and I was able to pull that information and get those keys out of the controller. Yes, that's obviously an issue, and if you're just hosting it somewhere in the cloud and you set inform and, well, someone's out there listening, yeah, they could possibly get this and then have configuration information that is being passed over there. But it also requires another thing that wasn't mentioned here in the article: persistence. So let's say I have something, and use DigitalOcean as an example, because we've certainly spun a few of these up in DigitalOcean, or even HostiFi, we've recommended a lot of people there. That would mean someone would have to be on the line listening when you adopt the device, and then continue to be on the line after you adopt the device, applying that key to decrypt the data. Now, I'm not here defending, trying to say that this particular circumstance is, you know, not serious, but I will tell you that it takes a lot to have someone on the public internet persistently listening to you. Now, if you have a three-letter agency after you, that's a completely different scenario, and obviously this is probably going to be something maybe they would do if they had a target in mind, and that target was someone that they want to throw a lot of resources at. Yes, large government agencies have resources to really pursue this. It is a little bit more difficult, not impossible, for someone to tap the line of somewhere like DigitalOcean; just tapping the line requires, well, a lot of know-how and getting in somewhere, and it's a massive amount of data to capture when you talk about tapping the line. Like I said, I'm not trying to say that this shouldn't be fixed, or anything at all, or that it's not serious. I just want to show the real likelihood of this happening is actually a little bit lower, unless you're someone who's got a government agency very interested in sniffing the content of what you do; in that case I hope you're doing things very securely and only doing it the way I mentioned, where you adopt them internally and pass them out. Now, the passing of a controller, when you move it from a locally hosted and adopted controller to the public internet, is passed off securely, provided you use the default way UniFi does it; it hands off the encryption keys in an encrypted manner.

Now, one thing I'll admit that I thought was kind of interesting, and it was this line right here: it's not that UniFi didn't do anything to obscure and just leave everything out in plain text. Matter of fact, they do encryption based on an MD5 sum, and you can do some reading; you'll find MD5 sum is not particularly a strong methodology, especially when you base it on a weak hash. MD5 sum is just a hash, and they base that hash on UBNT. Think about that for a second; that's going to be in a wordlist, in terms of if I was going to come up with a hash based on something. There are plenty of MD5 sum, you know, reverse-engineering tools out there, and they're easy to do, especially because there's many of them; they're based on common words and parts of passwords. But they base it on their company name, and of course the default SSH credentials of ubnt and ubnt. So yeah, I thought that part was a little bit funny when I was reading through here. I'll leave links to all this so you can do your own research, and once again, I think this is just an excellent write-up, because they provided proof of concept, they described how it works, they described everything in between on this, and I'm hoping UniFi addresses this. It's going to be a while before they get it addressed, I think, because of all the devices they have out there, but it is a solid piece of information. But I'll let you determine, based on everything I told you, whether or not you think it's something you directly need to worry about. But yeah, still interesting stuff to play with; I did enjoy doing this whole proof of concept.
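The mitigation the video keeps coming back to is "only adopt on a trusted network". The following is an added example, not code from the video or from the research write-up, of a small check a defender can run over HTTP request logs from the firewall: it flags UniFi inform traffic (the device's HTTP POSTs to the controller's /inform path on port 8080) whose controller address lies outside the networks you consider trusted, which is exactly the adoption-over-an-untrusted-path case demonstrated above. The trusted networks, the simplified log format and the sample lines are all assumptions constructed for the example.

```python
"""Flag UniFi inform/adoption traffic that leaves the trusted network.

Assumed log format (constructed for this example, one request per line):
    time src_ip dst_ip dst_port method path
"""
import ipaddress
from typing import Dict, Tuple

# Assumption: the operator's trusted networks (controller LAN, device LAN).
TRUSTED_NETS = [ipaddress.ip_network("172.16.69.0/24"),
                ipaddress.ip_network("192.168.3.0/24")]

# UniFi devices POST their inform messages to http://<controller>:8080/inform
INFORM_PORT = 8080
INFORM_PATH = "/inform"

# Constructed sample log, not captured traffic. 203.0.113.10 (documentation
# range) stands in for a cloud-hosted controller reached over an untrusted path.
SAMPLE_LOG = """\
2020-09-01T10:00:01 192.168.3.189 172.16.69.17 8080 POST /inform
2020-09-01T10:00:05 192.168.3.189 172.16.69.17 8080 POST /inform
2020-09-01T10:02:11 192.168.3.190 203.0.113.10 8080 POST /inform
2020-09-01T10:02:15 192.168.3.190 203.0.113.10 8080 POST /inform
2020-09-01T10:03:00 192.168.3.189 1.1.1.1 443 GET /
this line is malformed and must be skipped
"""


def is_trusted(ip: str) -> bool:
    """True if the address falls inside one of the trusted networks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED_NETS)


def find_untrusted_informs(log_text: str) -> Dict[Tuple[str, str], int]:
    """Map (device, controller) -> number of inform POSTs sent to a controller
    outside the trusted networks, i.e. adoption traffic a third party on the
    path could capture. Non-inform and malformed lines are ignored."""
    hits: Dict[Tuple[str, str], int] = {}
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 6 or not fields[3].isdigit():
            continue
        _, src, dst, dport, method, path = fields
        if method != "POST" or path != INFORM_PATH or int(dport) != INFORM_PORT:
            continue
        if not is_trusted(dst):
            hits[(src, dst)] = hits.get((src, dst), 0) + 1
    return hits


if __name__ == "__main__":
    for (dev, ctrl), n in find_untrusted_informs(SAMPLE_LOG).items():
        print(f"device {dev} sent {n} inform(s) to untrusted controller {ctrl}")
```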
Thanks, and thank you for making it to the end of the video. If you liked this video, please give it a thumbs up. If you'd like to see more content from the channel, hit the subscribe button and hit the bell icon if you'd like YouTube to notify you when new videos come out. If you'd like to hire us, head over to LawrenceSystems.com, fill out our contact page, and let us know what we can help you with and what projects you'd like us to work together on. If you want to carry on the discussion, head over to forums.lawrencesystems.com, where we can carry on the discussion about this video, other videos, or other tech topics in general; even suggestions for new videos are accepted right there on our forums, which are free. Also, if you'd like to help the channel in other ways, head over to our affiliate page; we have a lot of great tech offers for you. And once again, thanks for watching, and see you next time.