In context: Internet of Things (IoT) devices have often been scrutinized for being prone to security vulnerabilities. Many reports have detailed how smart cameras, doorbells, etc., are relatively easy to hack. It seems things haven't changed much in the last several years.
A new development now puts the spotlight squarely on networking device manufacturer Ubiquiti after the company admitted that a misconfiguration with its cloud infrastructure allowed some of its customers to watch footage from strangers' security cameras.
The admission came days after some Ubiquiti customers reported seeing images and videos from other people's cameras through the company's UniFi Protect cloud app. One of the first people to report the bug was a Redditor who claimed his wife received a notification that included an image from a security camera that didn't belong to them.
Another Redditor reported something even more alarming. The poster claimed to have navigated to the official UniFi device manager portal and been logged into someone else's account despite entering their own UniFi credentials. The user claimed to have seen footage from another customer's UDM Pro and to have been able to navigate the device and view or change its settings.
A Ubiquiti customer on the company's forum claimed to have accessed "88 consoles from another account" when logging into the UniFi portal. The user had full access to these devices until refreshing their browser. After that, the client returned to normal, showing only the devices the user owned.
After a massive outcry from customers, Ubiquiti fixed the bug. Last week, Ubiquiti released a statement admitting that in "a small number of instances," users either received notifications from unknown consoles or accessed consoles that didn't belong to them.
The company claims the problem was caused by an upgrade to Ubiquiti's UniFi Cloud infrastructure, which it has since resolved. So, customers should no longer worry about other users accessing their cameras and UniFi accounts. While the company claimed the bungle affected 1,216 accounts in one group and 1,177 in another, supposedly fewer than a dozen instances of improper access occurred. It added that it would notify those customers about the breach.