HPE has confirmed that an attacker had access to customer data during the attack on Aruba Central, the platform of its subsidiary Aruba, which was detected on November 2. The company describes the affected data as only a “limited set.” According to HPE, an unauthorized party used a private key to gain access to the platform and to customer data stored in its Aruba Central cloud. It is still unknown how the attacker obtained this key, but it gave access to cloud servers in various regions where customer data was stored.
Through the Aruba Central control panel, Aruba's client companies can centrally control and manage their WiFi networks, and it is precisely the data from those networks that the attacker accessed. According to HPE, two data sets were exposed: one from network analysis, with information about the devices accessing the customer’s WiFi network, and another containing location data for the devices connected to the network. HPE has not provided further details on the level of detail of the exposed data, but has confirmed that this “could allow the surroundings of a user’s location to be specified”.
Specifically, the data included details about each device, such as its MAC and IP addresses, its host name, its operating system and, in some cases, the name of the user accessing the WiFi network. According to the company, user names are chosen by customers, so they could include a real name or an email address.
In addition, although the data was encrypted and mixed, the private key the attacker held had permission to use the decryption key, and it is not clear whether the data was decrypted. HPE has indicated that if data was extracted from the platform, it was very little, and it is not clear which clients it belonged to or which files could have been extracted from the panel data.
This is because no individual file access records are kept. HPE purges data from its cloud servers every 30 days, so the compromised data is limited to records created after September 10 (the key was used for the first time on October 9).