Ubiquiti EdgeRouter X Hack

I just read about the Ubiquiti EdgeRouter X Hack by Russian and Chinese hackers but I haven’t seen anything about this from Tom or Chris at Crosstalk.

What is this all about and what do I need to do?

Is it time to replace the Ubiquiti EdgeRouter X and if so, with what? I have looked at pfSense before but it seems quite complex.

I’m surprised that I have not heard anything from Ubiquiti.

Any words of wisdom?

A quick internet search would have found you lots of articles on this subject.

There are posts on the UniFi forum about this subject.

If you have changed the default username and password, you are not affected.

Willie Howe has done a video on it: Are EdgeRouters Secure? - YouTube

It’s amazing how many security incidents were because of default credentials being used.

1 Like

Paul,

You are making assumptions. I subscribe to Willie’s YouTube as well as Tom and Chris. It was Willie’s video that alerted me to the issue and I then read stuff on the Internet.

My point is that I am a registered user with Ubiquiti for this product and I did not receive an email from them. To me this is poor. If the US government is putting out stuff on these routers I would expect an email from the company and I don’t expect to have to search for info. It’s not like this is some sort of kettle with a suspected fault! If I were Ubiquiti I would want to send out an email immediately.

To make it clear I never use default credentials on anything and I set mine up following videos from Chris and Willie.

But I am also very aware that everyone is now saying that passwords are not secure and we need to use passkeys etc.

So, my post is still valid. Is there something about the US government saying this that goes beyond default credentials, and is there a better way of securing the Edgerouter, or is it time to look elsewhere?

Although I set up a different account and password is that really enough?

Personally I also think Ubiquiti should send out emails when there are new firmware updates. Maybe there is something I should have signed up to but I’ve never received anything.

Well in that case, unless you’re using a very insecure password, you should be fine.

Yes, but more to protect users from themselves, like clicking on links and entering their passwords on phishing sites, or them using insecure passwords, not because (secure) passwords are inherently insecure. :wink:

You can read their advisory here: Russian Cyber Actors Use Compromised Routers to Facilitate Cyber Operations > National Security Agency/Central Security Service > Press Release View

Link to the PDF with the full report: https://media.defense.gov/2024/Feb/27/2003400753/-1/-1/0/CSA-Russian-Actors-Use-Routers-Facilitate-Cyber_Operations.PDF

They don’t say so, and I don’t think so.

Maybe you should have made that more clear in your original post, if that was your main point.

If you already changed the password when you put the router into operation, and if you are on the latest firmware, not even that would have been necessary.

As of February 2024, there was no firmware update, because everything related to these attacks was already fixed a long time ago. But apparently there are still many devices out there with default credentials and outdated firmware, and these devices are now being exploited.

I get that but I’ve never had an email about firmware updates. I only know when I log into the router. To me that’s not good.

Okay, But if passwords are no longer secure on websites, servers etc. why are they okay on a router? It’s just a computer running an operating system.

I read what is being said but I find it difficult to believe that the US government would put out a post if there was not something more serious behind it.

You’re not wrong, manufacturers could do a better job of notifying users about security vulnerabilities and firmware updates.

On the other hand, the Edge Router X is a very inexpensive device, and there are not many comparable devices in this price range at all. Also, I doubt that other vendors will send out emails about firmware updates for devices in the sub-$100 range; in fact, many of these cheap devices from other vendors are likely to be discontinued after a few years, if they see any firmware updates at all :wink:

Of course, most devices that are still supported by their vendors will notify you about updates via their web interfaces, but I don’t know if the Edge Router X does that; I haven’t used it in a while. Not because I think the Edge Router X is a bad product, but because of the additional features that pfSense offers.

Because the admin interface of a router usually isn’t exposed to the internet.

However, I don’t say there shouldn’t be options for 2FA or other more secure authentication methods on routers, but then again: Don’t expose the web interface to the internet and use a secure password and you’re fine.

Also, nowadays routers, even cheap ones, either have a pre-programmed random password that is more secure than admin/admin or admin/password, which can of course be changed, and/or they prompt the user to change the password during setup.

And again, passwords are not inherently insecure. Insecure passwords are insecure!

Well, yeah compromised routers are a serious thing, and it’s even more serious if Russians are behind it :wink:

Seriously, insecure default passwords are bad, but as I said, most manufacturers handle this differently these days, including Ubiquiti. On the other hand, users who simply unbox the device, plug it in and leave it running unchanged for years are at least partly to blame.

I’m going to get beaten up for this but a couple of months ago I read somewhere (I don’t remember where but it was a serious source) that super computers with AI can now crack all passwords even if they are long and complicated.

It may, or may not be true, but I would like to find another option if there is one available.

My original post was probably badly worded but I’m in the UK and it was late. Plus I am partially sighted so it is hard to read stuff these days. But my post was not just out of slight concern.

In the last 6 months, or so, I have had websites refusing to let me connect (and Google sometimes) because (it said) there was suspicious activity from my IP address. I have no idea why. But when I saw Willie’s video I was curious if there is something more serious going on. That is why I wanted other views.

I can’t think of anything else going on from my IP address. I suppose I should have asked if this happens to other people.

Given that I have a different account on the Ubiquiti and a long password, I was just curious what other people thought.

If I could get a router with a security key that would seem like a good idea but I have no idea if there are any available.

Being in the UK I don’t know whether the US government puts out things like this often but I imagine that there are many routers with default accounts/passwords and many not being updated. Most of the non-IT people I meet never change the account/password on their routers and are shocked when I suggest they should.

And loads of people seem to have IoT devices with no security or updates at all. So, I wondered why the Edgerouter was specifically mentioned.

Even if that were true, and who knows, maybe it will be true some day, that’s not what happened here. :wink:

Sure, we could now start a debate about AI taking over the world by cracking every password, governments spying on their own citizens (with the UK being a prime example :wink: ) and governments spying on foreign citizens, which all seems a bit far-fetched in this context, or about non-existent passkeys and 2FA in routers and poor information policies by manufacturers, about which I already partly agreed with you.

Or we could just admit that these attacks could have been prevented by following three simple rules, two of which even my 80-year-old non-technical dad knows, and one of which should be known by at least somewhat technically advanced users, which is the target audience for Edge routers, btw.

  1. Use secure passwords
  2. Upgrade your devices on a regular basis
  3. Do not expose management interfaces to the Internet

1 would have prevented this entirely, 3 probably as well in most cases, and 2 would probably have at least prevented the infection with malware.

1 Like
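Rules 1 and 3 above can be checked against the configuration an EdgeRouter exports (its config.boot, in Vyatta-style brace syntax). The following audit script is an added example, not code from this thread, from Ubiquiti or from Willie Howe's video; it assumes the factory account is named `ubnt` (the well-known EdgeRouter default) and that eth0 is the WAN port, and the sample configuration is constructed, not taken from a real device. Rule 2 (firmware) is not visible in the configuration file, so it is not covered.

```python
# Constructed sample, not from a real device: factory 'ubnt' account kept, GUI and SSH
# with no listen-address (reachable on every interface), WAN eth0 without a local firewall.
SAMPLE_CONFIG = """
interfaces {
    ethernet eth0 {
        address dhcp
    }
}
service {
    gui {
        https-port 443
    }
    ssh {
        port 22
    }
}
system {
    login {
        user ubnt {
        }
    }
}
"""

def parse(text):
    """Parse EdgeOS/Vyatta brace syntax into nested dicts; 'key value' leaves map key -> value."""
    stack = [{}]  # stack[-1] is the block being filled, stack[0] is the root
    for line in (raw.strip() for raw in text.splitlines()):
        if not line or line.startswith("/*"):  # skip blanks and config.boot comments
            continue
        if line == "}":
            stack.pop()  # leave the current block
        elif line.endswith("{"):
            stack.append(stack[-1].setdefault(line[:-1].strip(), {}))  # enter block named before '{'
        else:
            key, _, value = line.partition(" ")
            stack[-1][key] = value
    return stack[0]

def audit(cfg, wan="eth0"):
    """Return findings for rules 1 and 3; an empty list means the checks pass."""
    findings = []
    if "user ubnt" in cfg.get("system", {}).get("login", {}):
        findings.append("rule 1: factory default account 'ubnt' still present")
    for svc in ("gui", "ssh"):  # management listeners should be bound to a LAN address
        if svc in cfg.get("service", {}) and "listen-address" not in cfg["service"][svc]:
            findings.append(f"rule 3: {svc} has no listen-address, so it also answers on the WAN")
    iface = cfg.get("interfaces", {}).get(f"ethernet {wan}", {})
    if "local" not in iface.get("firewall", {}):  # 'firewall local' filters traffic to the router itself
        findings.append(f"rule 3: no 'firewall local' ruleset on WAN {wan}")
    return findings
```

Running `audit(parse(SAMPLE_CONFIG))` on the constructed sample reports four findings; a configuration with the default account deleted, `listen-address` set on `service gui` and `service ssh`, and a `firewall local` ruleset on eth0 reports none.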

I have to reply on this thread because some “education” is needed here.

OP, for starters, you are talking about a $78 firewall/router here, addressed to mom & pop homes that usually leave the default password on just about anything - just like their old Linksys or whatever ancient fw/router they had previously, if any.

Second, Ubiquiti will not advertise to everyone to change the default password on their own device, as this is said in the basic documentation and is common knowledge for people who actually know what they are doing. If people think they are clever enough to buy an off-the-shelf ultra-cheap firewall/router, they also ought to know how to secure it properly.

Third, do you really expect this device at this price range to be bulletproof against attacks, from whoever it may be, even with the latest firmware and the default password changed?
Come on, people, get real a little bit. We’re in 2024, not in 2014 where this router technology came from.
Things have changed and we have to change our behavior and stop buying cheap stuff thinking we will be protected against today’s threat landscape. And to cry that Ubiquiti didn’t send a flare up to its customers is to be pretty inconsiderate of today’s day and age in cyber-security.

1 Like

Sorry but I missed the education in your post!

It is very sad that forums now seem to have become a place for people to just criticise others rather than help.

My OP may have been badly worded but it was very simple. If the US government puts out a statement which seems to single out Edgerouters because of default credentials, why, when there are loads of other devices with the same issue?

Is there something more to it? That was my basic question and I was surprised not to receive an email on the subject from Ubiquiti. Does the lack of email from them imply that there is something more going on? If I were Ubiquiti I would want to clarify things. Those were my questions.

Other people seem to be saying the Edgerouters are secure and you are saying that no one should expect that from such a cheap router. Both cannot be right!

So, if you disagree with those who say they are secure say why and discuss it with people who know about these things.

I have spent my career in IT but not in security. I have no idea which routers are secure and which are not. I have no idea how to hack something and no desire to do so. I rely on the advice from forums like this. Is the Edgerouter hackable even if the web interface is not exposed? I haven’t got a clue. People who know more than me say it is not. I rely on others who know about these things.

Education would be explaining why people should not expect a cheap router to be secure and suggesting what they should purchase instead. I saw no such education in your post. In fact, I have no idea what the point of your post was.

Willie Howe did a nice video on YouTube explaining the situation and explained how it is due to a user setup issue. I do not feel that Ubiquiti needs to send out a response as it is negligence on the user’s part. This is a big risk with any networking gear not suited for the average homeowner who is set and forget.

I could have a Palo Alto firewall and if I set it up incorrectly then it could easily have worse security than an ISP-issued router.

I wasn’t suggesting that they needed to do it for that reason. I was just surprised that I heard about it from Willie’s video. I am in no way complaining about Ubiquiti. But if I were them I would want to put out a response if only to reassure users like me who know almost nothing about firewalls. To put it another way, if I hadn’t first heard about it from Willie’s video where he disagreed with what was written, then I would be quite worried.

A simple email to all registered users reminding them how to configure the Edgerouters would seem like good PR to me.

I only care to hear from them if there is a known vulnerability related to their hardware or current firmware. That is just me. PR moves are not always black and white.

Well, a friendly reminder that their routers are being actively attacked and that you should change your default password if you haven’t already done so wouldn’t have hurt. But otherwise I agree with what you said.

However, to put the whole thing into perspective, the Edge Router X is almost 10 years old, and Ubiquiti was by no means the only major vendor to use insecure default passwords back then. Fortunately, this practice has changed, and vendors who still use default passwords are now at least setting a random password and putting it on a sticker somewhere on the device, which should prevent such attacks, or at least make them more difficult even for lazy users who don’t change the default password. :wink: