HPE Says Hackers Used Access Keys to Break Into Aruba Central

HPE has announced that the data repository of Aruba Central, its network monitoring platform, has been compromised, allowing attackers to access collected data about monitored devices and their locations.

Aruba Central is a cloud networking solution that allows administrators to manage large networks and components from a single dashboard.

HPE has revealed that attackers were able to obtain an “access key” that allowed them to view customer data stored in the Aruba Central environment.

The data was accessible for 18 days, from October 9, 2021 until October 27, 2021, when HPE disabled the key.

The public repository contains two data sets, one for network analysis and one for Aruba Central’s “contact tracing” feature.

One data set (“Network Analysis”) included most of Aruba Central’s customer network telemetry data for Wi-Fi client devices connected to the customer’s Wi-Fi network.

The second data set (“Contact Tracing”) contained location data about Wi-Fi client devices, including which devices were in proximity to other Wi-Fi client devices.

The network analysis datasets published in these repositories include MAC addresses, IP addresses, operating systems, hostnames, and for authenticated Wi-Fi networks, personal usernames.

The contact tracing dataset also included the date, time, and Wi-Fi access point from which the user connected, potentially allowing an attacker to track the general whereabouts of the user.

The “data repository” also contained a record of the date, time, and physical Wi-Fi access point to which the device was connected, which makes it possible to determine the rough vicinity of the user’s location. This environment did not contain any sensitive or special categories of personal data (as defined by the GDPR).

Because the word “bucket” appears multiple times in HPE’s FAQ, it is likely that the attacker obtained the access key for the storage bucket used by the platform.

After conducting an investigation into the breach, HPE has concluded the following.

  • Data from the Network Analytics and Contact Tracing functions in the Aruba Central environment is automatically deleted every 30 days, so there was never more than 30 days of data stored in the environment.
  • This environment contained personal data, but not sensitive personal data. Personal data includes MAC addresses, IP addresses, device operating system types and host names, and some user names. Contact trace data also included the user’s access point (AP) name, proximity, and the time they were connected to that AP.
  • Based on our extensive analysis of access and traffic patterns, we believe it is highly unlikely that any of your personal information was accessed.
  • Since no security-critical information was compromised, we do not believe it is necessary to change passwords, keys, or network configurations.

HPE will change the way access keys are protected and stored to prevent future incidents.

When we contacted HPE to find out how the access key was stolen, they sent us the following statement.

“We are aware of how the attackers gained access and are taking steps to prevent this from happening in the future. The access token was not tied to our internal systems. Our internal systems have not been compromised in this incident.” – HPE
