Internet Accessible Ubiquiti Device Discovery Service

Description

The Ubiquiti Device Discovery Service is an application used to facilitate the discovery of Ubiquiti devices in a managed environment. It is installed automatically as part of the UniFi controller software installation process and is enabled by default.

The Ubiquiti Device Discovery Service listens on port 10001/UDP.

Problem

An Internet Accessible Ubiquiti Device Discovery Service can be abused for a Distributed Denial of Service (DDoS) Reflection/Amplification attack against a third party.

In addition, an Internet accessible Ubiquiti Device Discovery Service allows a malicious actor to extract potentially sensitive information about the network devices that have the service enabled, such as the device name, IP address, MAC address, firmware version, model, status and, if the device is wireless-enabled, its Extended Service Set Identifier (ESSID).

The minimum Bandwidth Amplification Factor (BAF) of the Ubiquiti Device Discovery Service is 3.67:1. The maximum BAF of the Ubiquiti Device Discovery Service is between 30-35:1.

Ubiquiti Device Discovery Service

Ubiquiti Inc. develops wireless and wired technology platforms to deliver highly advanced and easily deployable communications to a global customer base with a focus on high-capacity distributed Internet access, unified information technology and consumer electronics for home and personal use. Ubiquiti networking products are powered by the Ubiquiti Network Management System (UNMS) and UniFi software platforms to provide high capacity distributed internet access and Unified information technology management.

Ubiquiti Network Management System (UNMS)

The Ubiquiti Network Management System (UNMS) is a comprehensive management controller with a graphical user interface that is used to centrally monitor and manage several of Ubiquiti's network device platforms, such as airFiber, airMAX, EdgeMAX and UFiber. UNMS provides configuration backups, firmware updating, monitoring and alerting.

Ubiquiti UniFi Networks

Ubiquiti's UniFi is an ecosystem of wireless access points, routers, switches, security cameras, controller devices, VoIP phones and access control products. UniFi network equipment is managed by the UniFi Network Management Controller. The UniFi Controller is a wireless network management software solution from Ubiquiti Networks used for configuring and monitoring a UniFi network, or multiple wireless networks, using a web browser. The UniFi Controller software is installed automatically as part of the installation process when creating a UniFi network. The software can be installed on Linux, Mac OS X or Microsoft Windows operating systems. It requires a Java Runtime Environment 1.6 (or above).

UniFi Access Points

UniFi Access Points connect to the UniFi Controller software either by Ethernet or by a wireless connection. Multiple wireless networks can be organised into Wireless Local Area Network (WLAN) groups on different Access Points.

Time Division Multiple Access (TDMA) Protocol

Ubiquiti uses the TDMA protocol on a number of their platforms. TDMA is a digital modulation technique used in digital cellular telephone and mobile radio communication that enables multiple clients to share the same frequency by dividing the limited spectrum available over a radio frequency cellular channel into different time slots. TDMA allows each client to send and receive data using pre-designated time slots scheduled by an intelligent Access Point (AP) Controller. The 'time slot' method eliminates hidden node collisions and maximises air time efficiency. It provides improvements in performance in latency, throughput, and scalability compared to other systems.

Ubiquiti Network Platforms

No. | Name | Service
1. | AmpliFi | Reliable mesh Wi-Fi system for home use - the main router connects directly to the modem.
2. | airFiber | Radio transmitters and antennas - Point-to-Point (PtP) broadband service that utilises microwave radio towers.
3. | airMAX | Fixed outdoor wireless links - Point-to-MultiPoint (PtMP).
4. | EdgeMAX | Routing solutions.
5. | NanoStation | Low-cost outdoor broadband Customer Premises Equipment (CPE) that integrates a radio with a dual-polarity directional antenna in a weatherproof form factor.
6. | UniFi | Software-Defined Networking (SDN) solution with seamless integration of high-performance routing and switching for improved wireless performance.
7. | UniFi LED | Smart LED lighting.
8. | UniFi Video | Video surveillance.
9. | UFiber | Optical line equipment and accessories.
10. | sunMAX | Solar panels and accessories.

Common Ubiquiti Products

Product Name | Platform | Usage
AirRouter HP | airMAX | Multi-purpose wireless router that can act as a standard Small Office/Home Office (SOHO) router or operate in two network modes: Bridge or Router mode.
NanoStation M5 | airMAX | Wireless Point-to-Point (PtP) connectivity to a video surveillance system, or use as an airMAX Customer Premises Equipment (CPE).
NanoStation Loco M2 | airMAX | Low-cost outdoor broadband CPE with a secondary Ethernet port and software-enabled Power over Ethernet (PoE) output for seamless IP video integration.
LiteBeam M5 | airMAX | Lightweight and compact outdoor wireless broadband CPE for long-distance wireless broadband bridging.
PowerBeam M5 | airVIEW | Dish reflector design that directs Radio Frequency (RF) energy in a tighter beam width and blocks or spatially filters out noise - improved noise immunity.
PowerBridge M3 | airMAX | Powerful Point-to-Point (PtP) airMAX base station with a dual-polarity array panel design that provides optimum Multiple Input, Multiple Output (MIMO) performance at long distances.

UniFi-Ports

Protocol | Port No. | Usage
UDP | 3478 | Port used for Session Traversal Utilities for Network Address Translation (STUN)
UDP | 5514 | Port used for remote syslog capture
TCP | 8080 | Port used for device and application communication
TCP | 8443 | Port used for application GUI/API as seen in a web browser
TCP | 8880 | Port used for HTTP portal redirection
TCP | 8843 | Port used for HTTPS portal redirection
TCP | 6789 | Port used for UniFi mobile speed test
TCP | 27117 | Port used for local-bound database communication
UDP | 5656-5499 | Port used by AP-EDU broadcasting
UDP | 10001 | Port used for device discovery
UDP | 1900 | Port used for "Make application discoverable on L2 network" in the UniFi Network settings

Verification

To establish whether a host has an Internet accessible service, simple utility programs or tools included with a standard Linux/Ubuntu distribution can be utilised. The test should not be run on the host itself or from the local network; instead, it should be run from a different node on the Internet.

Nmap - (Network Mapper) - (https://nmap.org)

To confirm an Internet accessible Ubiquiti Device Discovery Service, the 'Nmap' open source network scanner utility program can be utilised.

Nmap is used to discover hosts and services on a computer network by sending packets and analysing the responses.

Insert the IP address of the host you wish to check for an Internet accessible Ubiquiti Device Discovery Service when invoking the 'Nmap' open source network scanner utility program together with the options included in the following example.

$ sudo nmap -sU -p10001 -oG - xxx.xxx.xxx.xxx

An Internet accessible Ubiquiti Device Discovery service listening on port 10001/UDP will return information similar to that shown below:

$ sudo nmap -sU -p10001 -oG - xxx.xxx.xxx.xxx
# Nmap 7.80 scan initiated Fri Aug 13 12:21:20 2021 as: nmap -sU -p10001 -oG - xxx.xxx.xxx.xxx
Host: xxx.xxx.xxx.xxx ()	Status: Up
Host: xxx.xxx.xxx.xxx ()	Ports: 10001/open|filtered/udp//scp-config///
# Nmap done at Fri Aug 13 12:21:22 2021 -- 1 IP address (1 host up) scanned in 1.52 seconds

Options
sudo   :Elevated privileges are required to access raw sockets.
-sU    :UDP Scan.
-p     :Only scan specified port.
-oG    :Grepable Output - This output places all results for a single host on a single line.
-      :Hyphen Symbol - Shortcut to send grepable output to STDOUT rather than to a file.

socat - (https://copyconstruct.medium.com/socat-29453e9fc8a6)

To establish a connection to an Internet Accessible Ubiquiti Device Discovery Service, and elicit a response from the Ubiquiti device, the 'socat' (socket cat) command line based utility for data transfer between two addresses can be used.

Insert the IP address of the host that has an internet accessible Ubiquiti Device Discovery service, together with the port number 10001/UDP.

An Internet accessible Ubiquiti Device Discovery service listening on port 10001/UDP will return information similar to that shown below:

$ echo -ne "\x01\x00\x00\x00" | socat -t 1 udp:xxx.xxx.xxx.xxx:10001 - | hexdump -C

00000000  01 00 00 9a 02 00 0a 24  a4 3c 93 a9 ff b9 1f 60  |.......$.<.....`|
00000010  63 02 00 0a 24 a4 3c 92  a9 ff c0 a8 01 01 01 00  |c...$.<.........|
00000020  06 24 a4 3c 92 a9 ff 0a  00 04 00 0e 7a 93 0b 00  |.$.<........z...|
00000030  2a 48 41 43 4b 45 44 2d  52 4f 55 54 45 52 2d 48  |*HACKED-ROUTER-H|
00000040  45 4c 50 2d 53 4f 53 2d  57 41 53 2d 4d 46 57 4f  |ELP-SOS-WAS-MFWO|
00000050  52 4d 2d 49 4e 46 45 43  54 45 44 0c 00 03 4c 41  |RM-INFECTED...LA|
00000060  50 0d 00 0c 41 69 72 77  61 76 65 5f 57 69 66 69  |P...Airwave_Wifi|
00000070  0e 00 01 03 03 00 22 58  4d 2e 61 72 37 32 34 30  |......"XM.ar7240|
00000080  2e 76 35 2e 35 2e 36 2e  31 37 37 36 32 2e 31 33  |.v5.5.6.17752.13|
00000090  30 35 32 38 2e 31 37 35  35 10 00 02 e4 a2        |0528.1744.......|
0000009e

Options
echo                  :Command that outputs the strings passed to it as arguments.
-n                    :Option - Do not output the trailing newline.
-e                    :Option - Enable interpretation of backslash escapes.
"\x01\x00\x00\x00"    :Binary Payload Data.
|                     :Pipe Character - Connects the STDOUT of the first process to the STDIN of the second process.
socat                 :socat command line utility.
-t                    :Timeout [timeval] seconds.
xxx.xxx.xxx.xxx:10001 :Socket Address - Transport protocol:IP Address:Port Number.
-                     :Hyphen Symbol - STDIO address: socat reads the payload from STDIN and writes the device's reply to STDOUT.
|                     :Pipe Character - Connects the STDOUT of the first process to the STDIN of the second process.
hexdump               :The hexdump utility displays the contents of a binary file in hexadecimal, decimal, octal or ASCII.
-C                    :Option - Canonical hex+ASCII display.
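The hexdump above is the raw reply; the following Python script, an added example that is not part of this advisory and not Ubiquiti's code, turns that dump back into bytes and walks the reply's records so that each disclosed item (device name, model, firmware, ESSID, MAC and IP addresses, uptime) can be read off and compared against an asset inventory. The framing it assumes (a version byte, a command byte, a 16-bit big-endian length, then tag / 16-bit length / value records) and the tag-to-field names are taken from publicly documented dissectors of the protocol, not from the advisory. Where the dump's ASCII column disagrees with its hex column (two redacted firmware digits), the hex column is used.

```python
"""Decode a Ubiquiti Device Discovery Service (10001/UDP) reply.

Added example; not code from the advisory or from Ubiquiti. Framing and
tag names are an assumption taken from public protocol dissectors.
"""
import struct

# The advisory's own `hexdump -C` output, pasted verbatim.
SAMPLE_HEXDUMP = """
00000000  01 00 00 9a 02 00 0a 24  a4 3c 93 a9 ff b9 1f 60  |.......$.<.....`|
00000010  63 02 00 0a 24 a4 3c 92  a9 ff c0 a8 01 01 01 00  |c...$.<.........|
00000020  06 24 a4 3c 92 a9 ff 0a  00 04 00 0e 7a 93 0b 00  |.$.<........z...|
00000030  2a 48 41 43 4b 45 44 2d  52 4f 55 54 45 52 2d 48  |*HACKED-ROUTER-H|
00000040  45 4c 50 2d 53 4f 53 2d  57 41 53 2d 4d 46 57 4f  |ELP-SOS-WAS-MFWO|
00000050  52 4d 2d 49 4e 46 45 43  54 45 44 0c 00 03 4c 41  |RM-INFECTED...LA|
00000060  50 0d 00 0c 41 69 72 77  61 76 65 5f 57 69 66 69  |P...Airwave_Wifi|
00000070  0e 00 01 03 03 00 22 58  4d 2e 61 72 37 32 34 30  |......"XM.ar7240|
00000080  2e 76 35 2e 35 2e 36 2e  31 37 37 36 32 2e 31 33  |.v5.5.6.17752.13|
00000090  30 35 32 38 2e 31 37 35  35 10 00 02 e4 a2        |0528.1744.......|
0000009e
"""

# Record tags as documented by public dissectors (assumption of this example).
TAGS = {
    0x01: "mac",
    0x02: "ip_record",
    0x03: "firmware",
    0x0A: "uptime_seconds",
    0x0B: "hostname",
    0x0C: "model",
    0x0D: "essid",
    0x0E: "wireless_mode",
}


def hexdump_to_bytes(dump: str) -> bytes:
    """Rebuild bytes from `hexdump -C` text: drop offsets and the ASCII column."""
    out = bytearray()
    for line in dump.strip().splitlines():
        if line.startswith("*"):
            raise ValueError("hexdump squeezed repeated lines; rerun with hexdump -Cv")
        tokens = line.split("|", 1)[0].split()   # offset followed by hex bytes
        out.extend(int(tok, 16) for tok in tokens[1:])
    return bytes(out)


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def parse_reply(data: bytes) -> dict:
    """Walk the reply's records and return the fields the device discloses."""
    if len(data) < 4:
        raise ValueError("reply shorter than the 4-byte header")
    version, command, length = struct.unpack("!BBH", data[:4])
    if version != 1:
        raise ValueError(f"unexpected version byte {version:#04x}")
    if length != len(data) - 4:
        raise ValueError(f"header says {length} payload bytes, got {len(data) - 4}")
    fields = {"command": command, "ip_records": [], "unknown": []}
    pos, end = 4, 4 + length
    while pos < end:
        if end - pos < 3:
            raise ValueError(f"truncated record header at offset {pos}")
        tag, tlen = struct.unpack("!BH", data[pos:pos + 3])
        value = data[pos + 3:pos + 3 + tlen]
        if len(value) != tlen:
            raise ValueError(f"record {tag:#04x} at offset {pos} runs past the reply")
        pos += 3 + tlen
        name = TAGS.get(tag)
        if name == "ip_record" and tlen == 10:          # 6-byte MAC + 4-byte IPv4
            fields["ip_records"].append((mac_str(value[:6]), ".".join(str(b) for b in value[6:])))
        elif name == "mac" and tlen == 6:
            fields["mac"] = mac_str(value)
        elif name in ("uptime_seconds", "wireless_mode"):
            fields[name] = int.from_bytes(value, "big")
        elif name in ("firmware", "hostname", "model", "essid"):
            fields[name] = value.decode("latin-1")      # device-controlled text; decode leniently
        else:
            fields["unknown"].append((tag, value.hex()))
    return fields


def describe(fields: dict) -> list:
    """One line per disclosed item, for comparison against an inventory."""
    lines = [f"{k}: {fields[k]}" for k in ("hostname", "model", "firmware", "essid", "mac") if k in fields]
    lines += [f"interface: {mac} {ip}" for mac, ip in fields["ip_records"]]
    if "uptime_seconds" in fields:
        days, rem = divmod(fields["uptime_seconds"], 86400)
        lines.append(f"uptime: {days}d {rem // 3600}h")
    return lines


if __name__ == "__main__":
    for line in describe(parse_reply(hexdump_to_bytes(SAMPLE_HEXDUMP))):
        print(line)
```

Two of the fields illustrate why this exposure matters beyond amplification: the hostname record carries a device-controlled string (here a worm's calling card left on a compromised router) and the two IP records reveal both the public and the RFC 1918 address of the device, which is exactly the information the Problem section lists. The parser validates the header length and every record length before reading, so a malformed or truncated reply raises rather than being silently misread.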

Solution

If the Ubiquiti Device Discovery Service is not required, disable it.

If the Ubiquiti Device Discovery Service is required, restrict access to trusted clients or specific IP addresses by blocking incoming connections to port 10001/UDP on the firewall.

Supplementary Information

Ingress & Egress Filtering

Filter | Description
Ingress Filtering | Ingress filtering is a simple and effective method to limit the impact of DoS attacks, by denying traffic with a forged IP source address (IP spoofing) access to the network, and to help ensure that traffic is traceable to its correct network.
Egress Filtering | Egress filtering limits the impact of a compromised network in a Denial of Service (DoS) attack on networks of other organisations, by preventing traffic with a forged source (spoofed) IP address from leaving the network.

The implementation of best practice in relation to Ingress filtering limits the impact of a Denial of Service (DoS) attack on one's own network, while the implementation of best practice in relation to Egress filtering limits the impact of a compromised network in a Denial of Service (DoS) attack on networks of other organisations. Additional information on Ingress & Egress Filtering can be found at the following link - Ingress & Egress Filtering
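The two recommendations on this page, restricting 10001/UDP to trusted clients (Solution) and applying ingress and egress anti-spoofing at the network edge (this section), can be expressed as one ordered packet-filter policy. The Python below is an added example, not part of the advisory and not any firewall vendor's rule syntax; it evaluates constructed packets against that policy so the effect of each rule can be checked before it is translated into a real firewall. All prefixes are constructed from the RFC 5737 documentation ranges.

```python
"""Edge filter policy: anti-spoofing in both directions plus a restricted
discovery service. Added example; not code from the advisory.
"""
import ipaddress
from dataclasses import dataclass

OUR_PREFIXES = [ipaddress.ip_network("203.0.113.0/24")]    # constructed: addresses this network announces
TRUSTED_MGMT = [ipaddress.ip_network("198.51.100.0/28")]   # constructed: remote hosts allowed to reach 10001/udp
# Sources that can never legitimately arrive from the Internet.
BOGONS = [ipaddress.ip_network(p) for p in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16",
)]
DISCOVERY_PORT = 10001


@dataclass(frozen=True)
class Packet:
    direction: str   # "in" = arriving from the Internet, "out" = leaving towards it
    src: str
    dst: str
    proto: str       # "udp" or "tcp"
    dport: int


def in_any(ip, nets) -> bool:
    return any(ip in net for net in nets)


def decide(pkt: Packet) -> tuple:
    """Return (verdict, reason). Rules are evaluated in order; first match wins."""
    src = ipaddress.ip_address(pkt.src)
    if pkt.direction == "in":
        # Ingress filtering: our own or private addresses are never a valid source from outside.
        if in_any(src, OUR_PREFIXES) or in_any(src, BOGONS):
            return ("drop", "ingress filter: forged source address")
        # Solution section: the discovery service answers trusted clients only.
        if pkt.proto == "udp" and pkt.dport == DISCOVERY_PORT and not in_any(src, TRUSTED_MGMT):
            return ("drop", "discovery service (10001/udp) is not Internet accessible")
        return ("accept", "")
    if pkt.direction == "out":
        # Egress filtering: nothing with a source we do not own may leave the network.
        if not in_any(src, OUR_PREFIXES):
            return ("drop", "egress filter: spoofed source address")
        return ("accept", "")
    raise ValueError(f"unknown direction {pkt.direction!r}")


SAMPLE_PACKETS = [  # constructed test traffic
    Packet("in", "198.51.100.5", "203.0.113.10", "udp", 10001),   # trusted management host
    Packet("in", "192.0.2.77", "203.0.113.10", "udp", 10001),     # arbitrary Internet host probing discovery
    Packet("in", "203.0.113.10", "203.0.113.20", "tcp", 443),     # our own address arriving from outside
    Packet("in", "10.1.2.3", "203.0.113.10", "udp", 10001),       # private (bogon) source from outside
    Packet("out", "203.0.113.10", "192.0.2.77", "udp", 10001),    # legitimate outbound traffic
    Packet("out", "192.0.2.1", "192.0.2.77", "udp", 10001),       # spoofed source trying to leave
]


def evaluate(packets=SAMPLE_PACKETS) -> list:
    """Verdict for each packet, in order."""
    return [decide(p)[0] for p in packets]


if __name__ == "__main__":
    for pkt, (verdict, reason) in zip(SAMPLE_PACKETS, map(decide, SAMPLE_PACKETS)):
        print(f"{pkt.direction:>3} {pkt.src:>14} -> {pkt.dst}:{pkt.dport}/{pkt.proto}  {verdict:6} {reason}")
```

Rule order matters: the anti-spoofing checks run before the service-specific rule, so a probe that arrives claiming one of our own addresses is dropped as forged rather than being judged by the trusted-client list. The trusted management range is deliberately outside our own prefixes for the same reason; hosts inside the network reach the service without crossing the edge filter at all.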

UDP Based Denial-of-Service (DoS) Attack

The User Datagram Protocol (UDP), a generic carrier for several higher-level protocols, has a number of properties that make it susceptible to exploitation for DoS attacks against third parties. Additional information on the components and techniques deployed in a UDP based DoS attack can be found at the following link - UDP Based Denial-of-Service (DoS) Attack

Additional Information

Rapid7 Labs - Understanding Ubiquiti Discovery Service Exposures
Shadowserver - Open Ubiquiti Report
Router-Switch.com - What is Ubiquiti Networks UniFi
Ubiquiti Inc - airOS/airMAX and management access
EdgeRouter - Ubiquiti Device Discovery Service
Ubiquiti - UDP Broadcasts on Port 10001
Ubiquiti - UniFi Network - Getting started
Ubiquiti - UniFi-Ports Used
Preferring SOCAT over NETCAT