Worm infects unpatched Ubiquiti wireless devices

The vulnerability has been known for almost a year, but many users haven't applied the patches

Routers and other wireless devices made by Ubiquiti Networks have recently been infected by a worm that exploits a year-old remote unauthorized access vulnerability.

The attack highlights one of the major issues with router security: the fact that the vast majority of them do not have an auto update mechanism and that their owners hardly ever update them manually.

The worm creates a backdoor administrator account on vulnerable devices and then uses them to scan for and infect other devices on the same and other networks.

"This is an HTTP/HTTPS exploit that doesn't require authentication," Ubiquiti said in an advisory. "Simply having a radio on outdated firmware and having its http/https interface exposed to the Internet is enough to get infected."

The company has observed attacks against airMAX M Series devices, but AirMAX AC, airOS 802.11G, ToughSwitch, airGateway and airFiber devices running outdated firmware are also affected.

The vulnerability was reported privately to Ubiquiti last year through a bug bounty program and was patched in airMAX v5.6.2, airMAX AC v7.1.3, airOS 802.11G v4.0.4, TOUGHSwitch v1.3.2, airGateway v1.1.5, airFiber AF24/AF24HD 2.2.1, AF5x and AF5 2.2.1. Devices running firmware newer than those versions should be protected.

For airMAX M devices, the company recommends upgrading to the latest 5.6.5 version. However, this version removes support for rc.scripts, so users relying on that functionality should stick with 5.6.4 for the time being.

Using firewall filtering to restrict remote access to the management interface is also highly recommended.

According to researchers from Symantec, after the worm exploits the flaw to create a backdoor account, it adds a firewall rule in order to block legitimate administrators from accessing the Web-based management interface. It also copies itself to the rc.poststart script in order to ensure that it persists across device reboots.

"So far this malware doesn’t seem to perform any other activities beyond creating a back door account, blocking access to the device, and spreading to other routers," the Symantec researchers said in a blog post Thursday. "It’s likely that the attackers behind this campaign may be spreading the worm for the sheer challenge of it. It could also be evidence of an early, exploratory phase of a larger operation."

Ubiquiti Networks has also created a Java-based application that can automatically remove the infection from affected devices. It can be used on Windows, Linux and OS X.

Router security is particularly bad in the consumer market, where large numbers of routers can remain vulnerable to known vulnerabilities for years and can be compromised en masse to create distributed denial-of-service (DDoS) botnets or to launch man-in-the-middle attacks against their users.

In the past, attackers have managed to hijack hundreds of thousands of home routers by simply trying out default or common usernames and passwords. Users should always change the default administrator password when installing their router and should disable remote access to its management interface unless this functionality is needed.

Join the PC World newsletter!

Error: Please check your email address.

Our Back to Business guide highlights the best products for you to boost your productivity at home, on the road, at the office, or in the classroom.

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Lucian Constantin

IDG News Service
Show Comments

Most Popular Reviews

Latest News Articles


GGG Evaluation Team

Kathy Cassidy


First impression on unpacking the Q702 test unit was the solid feel and clean, minimalist styling.

Anthony Grifoni


For work use, Microsoft Word and Excel programs pre-installed on the device are adequate for preparing short documents.

Steph Mundell


The Fujitsu LifeBook UH574 allowed for great mobility without being obnoxiously heavy or clunky. Its twelve hours of battery life did not disappoint.

Andrew Mitsi


The screen was particularly good. It is bright and visible from most angles, however heat is an issue, particularly around the Windows button on the front, and on the back where the battery housing is located.

Simon Harriott


My first impression after unboxing the Q702 is that it is a nice looking unit. Styling is somewhat minimalist but very effective. The tablet part, once detached, has a nice weight, and no buttons or switches are located in awkward or intrusive positions.

Featured Content

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?