• Encrypt-Keeper@lemmy.world
    link
    fedilink
    English
    arrow-up
    81
    ·
    edit-2
    9 months ago

    An important detail to mention is that every router involved were very old Ubiquiti EdgeRouters which were EOL’d like a year or two ago and they had remote administration enabled and were still using the default admin user and password.

    • Copernican@lemmy.world
      link
      fedilink
      English
      arrow-up
      18
      ·
      9 months ago

      I was running an edge router x until a few months ago. It was the cheapest set up to deploy a unifi wireless access point for my apartment. I was worried until I read:

      It affected routers running Ubiquiti’s EdgeOS, but only those that had not changed their default administrative password. Access to the routers allowed the hacking group to “conceal and otherwise enable a variety of crimes,” the DOJ claims, including spearphishing and credential harvesting in the US and abroad.

      Change you default passwords friends. Given that the edge router is not the most noob friendly device to set up, I’m curious how the user base of these devices is not changing the PW.

    • purplemonkeymad@programming.dev
      link
      fedilink
      English
      arrow-up
      10
      ·
      9 months ago

      Aka people who just plugged it in and left it as long as it works. These are not the kind of people who would have done anything if informed that they had an issue. On one hand I don’t like the idea of governments fixing private property, but they were never going to be fixed by the owner.

      • Encrypt-Keeper@lemmy.world
        link
        fedilink
        English
        arrow-up
        4
        ·
        9 months ago

        Well the government wasn’t “fixing private property”, as much as they were “expelling hostile foreign nationals from private property that were being utilized for malicious purposes”. They only acted in the case that one of these devices was an active participant in a botnet.

        I know the government touching your stuff is an icky thought, I agree. But the only alternative in this case is you being held personally liable for your devices being used to commit cyber crime by a hostile government entity, which is a much worse thought.

        Like if you own a gun and it’s stolen and you don’t report it, and a crime is committed with it, you can be charged with a crime in many states. It wouldn’t be the biggest leap for something like that to apply here, if not now then in the future. I think the government fixing the problem for us and leaving us alone about it is just about the best outcome we could ask for.