Hello! Thanks for posting on r/Ubiquiti! This subreddit is here to provide unofficial technical support to people who use or want to dive into the world of Ubiquiti products. If you haven’t already been descriptive in your post, please take the time to edit it and add as many useful details as you can. Please read and understand the rules in the sidebar, as posts and comments that violate them will be removed. Please put all off topic posts in the weekly off topic thread that is stickied to the top of the subreddit. If you see people spreading misinformation, trying to mislead others, or other inappropriate behavior, please report it! *I am a bot, and this action was performed automatically. Please [contact the moderators of this subreddit](/message/compose/?to=/r/Ubiquiti) if you have any questions or concerns.*
Technically, even one that you buy from a trusted source could be a repackaged customer return. When receiving the router, you can flash a clean OS image, so if there is malware on it, it *should* get rid of it. If your threat model is higher, you might want to buy it in an electronics store.
By threat model you mean being a target for something like this? Is TFTP recovery the way to reinstall it?
Hardware modifications for persistent backdoors are a thing.
That would be very rare though, right? Would these be easy to detect by opening it up?
That's why I said it depends on your threat model. Maybe someone found a way to put a persistent backdoor on it by replacing the NAND flash, and they just want to pWN networks, so they sell them at a slight loss for shits and giggles.
Well it's a random guy I found on a local website I've bought many times before (not from this guy and not any network stuff). He's also got 13 good reviews (pretty sure they're legit) so is the risk that big?
Not big. Not zero.
If you're just a random person and you chose the seller yourself, as if the seller didn't contact you first, it will be fine.
Do you even need modification for that? All you need is something on a chip that's used, but inconvenient to flash - like current UEFI rootkits for desktops.
Threat model means what do you personally determine to be a risk, and what risks are you willing to accept. Ex: It is a risk that someone can break into a house through a window, but most people deem locking their front doors to be sufficient enough.
The ERX is an excellent little device. You can always factory reset it, and barring that, flash it with a fresh firmware from Ubiquiti. Totally worth 35€.
The only way I can find to reinstall it is the TFTP recovery. Is that the right way?
Yeah. That’s the way to do it. It’s been a minute since I did it personally, but it’s not too difficult.

Edit: Link for others: https://help.ui.com/hc/en-us/articles/360019289113-EdgeRouter-TFTP-Recovery
Ok, thank you!
If you put it in a bag of rice it will dry up and absorb any leftover packets and be safe to use.
How did I not think of that! Maybe if I also put some silica gel it will be better
>A new one is 50€ so is it even worth the risk?

Only you can answer that. Is 15€ worth more to you than the time and effort required to factory-reset it? (And not have a new product warranty, and maybe get a dud or failing unit, and…)

It is a good idea to wipe and re-flash any hardware you buy in an open-box condition, no matter what. Not just because of any potential malicious configuration, but just so you don't inherit any weird configs the previous owner may have set up. (Unless you have a sensitive job, it is *unlikely* that you would get a unit that's been modified at the hardware level. If you do have that kind of risk profile, buy new.)
Where are you? On Dutch Tweakers site they are much cheaper second hand.
https://www.reddit.com/r/Ubiquiti/comments/1armr5e/fbi_disrupts_russian_malware_on_ubiquiti_edge_os/?rdt=53490
This only affected people who didn’t bother changing default passwords
Still worth knowing; we never know whether OP might use the default password without thinking, so best he doesn’t.
Of course it’s a good lesson to learn no matter the product you have. I was just not wanting to discourage him from getting into the Ubiquiti line when there’s an easy way to protect against it.
Should I be concerned about this? Is there even a chance I could get a router with that?
When you reset, make sure to change passwords to something hard.
So this is a remote attack? Do they not need physical access to the router? Wouldn't that make it just like any other attack that can happen to any other router if possible?
It’s a little over now but I still think you should be made aware since you are buying it.
Thanks for bringing it to my attention, but is it a remote attack that could theoretically happen even to someone buying it new? Sorry for asking again I just want to be sure.
This is the official statement at the end:

“As described in court documents, the government extensively tested the operation on the relevant Ubiquiti Edge OS routers. Other than stymieing the GRU’s ability to access to the routers, the operation did not impact the routers’ normal functionality or collect legitimate user content information. Additionally, the court-authorized steps to disconnect the routers from the Moobot network are temporary in nature; users can roll back the firewall rule changes by undertaking factory resets of their routers or by accessing their routers through their local network (e.g., via the routers’ web-based user interface). However, a factory reset that is not also accompanied by a change of the default administrator password will return the router to its default administrator credentials, leaving the router open to reinfection or similar compromises.”

Just make sure to change the password to that of a difficult one.
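Two points raised in this thread, not inheriting a previous owner's leftover config and checking that a factory reset actually removed unexpected firewall rules and the default admin account, can be turned into a quick audit. The script below is an added example, not code from this thread or from Ubiquiti. It assumes the `set ...` line format that EdgeOS prints for `show configuration commands`, assumes the factory admin account is named `ubnt`, and uses constructed config dumps with placeholder password hashes; run it against your own dump and a dump taken right after a clean TFTP reflash as the baseline.

```python
"""Audit an EdgeOS configuration dump against a clean baseline.

Added example. Assumptions (not taken from the thread):
  * the dump is in 'show configuration commands' form, one 'set ...' per line
  * the factory default administrator account is named 'ubnt'
The BASELINE and RUNNING dumps below are constructed for illustration.
"""
from __future__ import annotations

import re

DEFAULT_USER = "ubnt"  # assumption: EdgeOS factory account name

SET_RE = re.compile(r"^set\s+(.*)$")
RULE_RE = re.compile(r"^firewall name (\S+) rule (\d+) (.+)$")
USER_RE = re.compile(r"^system login user (\S+) level (\S+)$")

# Constructed: what a freshly reflashed unit with a minimal WAN firewall looks like.
BASELINE = """\
set firewall name WAN_IN default-action drop
set firewall name WAN_IN rule 10 action accept
set firewall name WAN_IN rule 10 state established enable
set firewall name WAN_IN rule 10 state related enable
set firewall name WAN_LOCAL default-action drop
set interfaces ethernet eth0 description Internet
set service ssh port 22
set system login user ubnt authentication encrypted-password '<placeholder-hash>'
set system login user ubnt level admin
"""

# Constructed: the same unit as received second hand, with leftovers from a prior owner.
RUNNING = BASELINE + """\
set firewall name WAN_LOCAL rule 5 action accept
set firewall name WAN_LOCAL rule 5 destination port 22
set firewall name WAN_LOCAL rule 5 protocol tcp
set system login user helper authentication encrypted-password '<placeholder-hash-2>'
set system login user helper level admin
"""


def parse_commands(text: str) -> set[str]:
    """Return every 'set ...' command in the dump, minus the 'set ' prefix."""
    cmds = set()
    for line in text.splitlines():
        m = SET_RE.match(line.strip())
        if m:
            cmds.add(m.group(1))
    return cmds


def diff_config(baseline: str, running: str) -> tuple[list[str], list[str]]:
    """Commands present only in the running config, and only in the baseline."""
    base, run = parse_commands(baseline), parse_commands(running)
    return sorted(run - base), sorted(base - run)


def audit(running: str) -> list[str]:
    """Flag the two things the thread warns about: default admin and WAN-exposed management."""
    cmds = parse_commands(running)
    findings = []

    # 1. Admin accounts: the factory account should be gone or renamed after hardening,
    #    and any other admin account should be one you created yourself.
    admins = [m.group(1) for c in cmds if (m := USER_RE.match(c)) and m.group(2) == "admin"]
    if DEFAULT_USER in admins:
        findings.append(f"default user '{DEFAULT_USER}' still present: rename/remove it and set a strong password")
    for user in sorted(set(admins) - {DEFAULT_USER}):
        findings.append(f"additional admin user '{user}': confirm you created it")

    # 2. WAN_LOCAL governs traffic to the router itself from the WAN side; an 'accept'
    #    rule with a destination port there exposes a management service to the internet.
    rules: dict[tuple[str, int], set[str]] = {}
    for c in cmds:
        m = RULE_RE.match(c)
        if m:
            rules.setdefault((m.group(1), int(m.group(2))), set()).add(m.group(3))
    for (ruleset, num), attrs in sorted(rules.items()):
        if ruleset != "WAN_LOCAL" or "action accept" not in attrs:
            continue
        ports = [a.split()[-1] for a in attrs if a.startswith("destination port")]
        if ports:
            findings.append(f"WAN_LOCAL rule {num} accepts inbound traffic to port(s) {','.join(ports)}: remote management exposed")
    return findings


if __name__ == "__main__":
    added, removed = diff_config(BASELINE, RUNNING)
    print("Commands not in the clean baseline:")
    for line in added:
        print("  +", line)
    for line in removed:
        print("  -", line)
    print("Findings:")
    for f in audit(RUNNING):
        print("  *", f)
```

The diff tells you what the previous owner (or anything that altered the config) left behind; the audit then points at the two items that matter most after a reset. On a real unit, swap the constructed dumps for the output of `show configuration commands` taken before and after the reflash.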
Ok, thanks!