back to article You spoke, we didn't listen: Ubiquiti says UniFi routers will beam performance data back to mothership automatically

Ubiquiti Networks is once again under fire for rewriting its telemetry policy after previously changing how its UniFi routers collect data without telling anyone. These latest changes are mentioned in a new help document on the US manufacturer's website. The documentation differentiates between "personal data", which includes …

  1. Duncan Macdonald Silver badge

    Time to switch to Huawei !!!

    It seems that if you want networking gear that does not spy on you then choosing non-American equipment is the best choice.

    1. Chris G Silver badge

      Re: Time to switch to Huawei !!!

      I am not even remotely able to write software or design an app but I would imagine that anyone who could design a tool to disable or reconfigure any telemetry would be a seller.

      This entire culture of stealing data that is essentially my private property is intensely annoying to say the least,I have just discovered that when I use bluetooth to read the app that runs my PV system, it automatically turns on Google location and though I can limit what it sends, I am not sure how limited that is.

    2. southen bastard

      Re: Time to switch to Huawei !!!

      This made the decision for me – switching over to Cisco."

      "ya wa"?

  2. Spanners Silver badge
    Big Brother

    "This made the decision for me – switching over to Cisco."

    Does he really think that moving to a different US company, even one as good as Cisco, will stop his data being guddled through?

    You have a choice. You can either be monitored by US spooks and that will be then passed to US corporations or you can use Chinese stuff and possibly get monitored by their spooks but they are unlikely to sell it to US corporates to cover their costs.

    1. A Non e-mouse Silver badge

      Re: "This made the decision for me – switching over to Cisco."

      I've not used Cisco wireless in a while, but other Cisco products are starting to phone home to the borg mothership.

      All IT companies are moving towards a phone-home model - supposedly in the user/customer's interests.

    2. 0laf Silver badge
      Big Brother

      Re: "This made the decision for me – switching over to Cisco."

      That's the thing, if I'm getting monitored by the Chinese it's likely to be less obtrusive than monitoring by a US company. They're less likely to sell my data to advertisers and insurance companies.

      So to a significant degree if I must choose to be monitored (since my only non-monitoring option is to do without a router) then is seems Chinese monitoring is less onerous.

      I went through the same thought process when I got an Android phone and came to the same conclusion.

      1. K

        Re: "This made the decision for me – switching over to Cisco."

        My sentiments exactly... Even if I'm being spied on by a Chinese system, they've little use for my data. Where given how incestuous Western governmental agencies and companies, it's far more invasive and has a direct impact on me personally.

        1. TheMeerkat Bronze badge

          Re: "This made the decision for me – switching over to Cisco."

          If there is money in it, why do you think they won’t try to make it?

      2. Anonymous Coward
        Anonymous Coward

        Re: "This made the decision for me – switching over to Cisco."

        > since my only non-monitoring option is to do without a router

        Or your build your own router using PC hardware, and run something open-source. There are router bundles out there, but plain old Linux/FreeBSD will route happily.

        Mind you, you have to beware that some open-source stuff phones home, and you may need to configure it not to. Even Debian and Ubuntu have for years included mandatory installation of a package called "popularity-contest"; although it's disabled by default it's still lurking there.

        1. Anonymous Coward
          Anonymous Coward

          Re: "This made the decision for me – switching over to Cisco."

          That's what I've done, but I use a Unifi access point for Wi-Fi. Looking for alternatives at the moment, the firmware is going to stay non-upgraded.

  3. KittenHuffer Silver badge

    Time for a DD-WRT compatible router me thinks!

    1. EVP Bronze badge

      Yes. That’s the way to opt out from spying and snooping. No opt-out button needed.

      Spread the word. Despite that not many people will listen and will just reply ’I’ve got nothing to hide’, someone may get it.

      1. big_D Silver badge

        I blocked the trace.svc.ui.com domain on my firewall (ironically, an Ubiquiti Unifi Security Gateway) :-D

        1. PC Paul

          Well...

          You think you blocked it...

    2. Dolvaran

      Get a small mini-itx system and install pfSense. Best router I've worked with in the Soho space.

      1. Michael Wojcik Silver badge

        Thanks. Sounds like it's worth a try.

        1. Rainer

          APU2

          I use it on an embedded AMD Geode APU2 from PCEngines. This CPU only has one core and thus none of the Intel bugs of the last years.

          It's passively cooled and I get pfSense updates for a very long time.

          My access point is from Apple. I guess it does phone home a bit, but at least they don't sell to advertisers or hand it through to Facebook et.al.

          I hope it will be viable to run your own access point at some time (with open firmware).

    3. Michael Wojcik Silver badge

      I've been thinking the same thing, but navigating the DD-WRT Wiki page of compatible models is an exercise in frustration. That's largely the fault of the hardware vendors, of course, who release a bewildering array of short-lived landfill-destined models, often under similar names; but after an hour or so of research I still hadn't found one I could order online that I was reasonably sure I could flash with DD-WRT.

      Obviously it's possible - I know people running DD-WRT - but the handful of old routers I had lying around don't seem to support it, and I hate to buy something for the purpose and then discover it won't work.

      1. whitepines Silver badge

        Look at the TP-Link stuff. A lot of their gear has OpenWRT support; for example I just put OpenWRT on a TP-Link N450. Fast and painless.

        Yes, the rest of the low level firmware could probably phone home, but if I'm concerned about that in any specific application I just use OpnSense on old hardware free of the Management Engine and Platform Security Processor shackles.

  4. jake Silver badge

    "In other words, you ain't got no choice."

    Sure I have a choice. I simply don't do business with shysters.

    Home users: DD-WRT works a treat. Check 'em out :-)

    Business users: They can probably help you, too.

    1. Microchip

      Re: "In other words, you ain't got no choice."

      For business-grade tech, I can't recommend pfSense highly enough. Needs a PC of some sort to run it on though (or a pre-built box, low power ones with AES-NI acceleration work great including VPNs), I run it on low power i5 and i3 boxes myself that I picked up cheap on eBay. Absolutely rock solid, and far easier to work with than the likes of Cisco ASA kit that I've had to deal with in the past.

      DD-WRT works reasonably on consumer grade gear with built-in wifi etc though, it can just be a little quirky, especially if you want to do anything semi-advanced (like most Linux systems, get comfy with the command line if you do), though it does have a reasonable amount of power there when it actually works as documented. Do still have a Netgear R7000 AP running DD-WRT at work just for the wifi and a VLAN breakout though, does the job brilliantly, once I'd beaten it into submission for a couple of days to make it function as it was supposed to.

      1. msage

        Re: "In other words, you ain't got no choice."

        Or OPNSense.

        I was a long time user of pfSense, but was using it for customers sites, something their license began to restrict, we would sell hardware with pfSense installed on it, according to our interpretation of this https://www.netgate.com/blog/its-still-free-to-use.html that wasn't allowed. I haven't looked back at the project recently so this position might have changed, however, OPNSense which is a fork doesn't have the same restrictions. Also 3 years in I find the OPNSense GUI more usable and a regular release cycle is good too.

        Not trying to start a holy war, each to their own :)

        1. Mike Pellatt

          Re: "In other words, you ain't got no choice."

          Or OPNSense

          Came here to say that. OPNSense doesn't seem to be so well known, am spreading the word to everyone who says they use pfSense, and the general response is "hadn't heard of that ".

          The last person was well impressed with the improved GUI.

        2. Anonymous Coward
          Anonymous Coward

          Re: "In other words, you ain't got no choice."

          I looked at the link.

          How is that legal under their open source license?

      2. A Non e-mouse Silver badge
        Meh

        Re: "In other words, you ain't got no choice."

        ...far easier to work with than the likes of Cisco ASA kit that I've had to deal with in the past

        Is there anything that's worse than an ASA?

        1. big_D Silver badge

          Re: "In other words, you ain't got no choice."

          Just working out which licenses I needed was headache enough for me to avoid it like the plague!

        2. Jo_seph_B

          Re: "In other words, you ain't got no choice."

          Is there anything that's worse than an ASA?

          Firepower?

        3. Arbuthnot the Magnificent

          Re: "In other words, you ain't got no choice."

          "Is there anything that's worse than an ASA?"

          Yes, a PIX...

        4. Mike Pellatt

          Re: "In other words, you ain't got no choice."

          The FTD/FMC combo.

          Impenetrable and incomprehensible doesn't begin to cover it.

          Not to mention the speed(sic) of config change deployment.

      3. big_D Silver badge

        Re: "In other words, you ain't got no choice."

        Yes, I used pfSense at a previous employer. A nice, cheap solution. We used a pair of old Pentium D machines for failover. Great for the basics.

        My last employer used Palo Altos, excellent kit, but very expensive! It goes a lot deeper and blocks not just addresses, but it recognises data patterns and you block "by application", thousands of which are pre-defined. So, we could block cloud drives with a couple of clicks (DropBox, GDrive, OneDrive etc.).

        We are currently using ZyWalls.

        Ironically, at home I have a Ubiquiti Unifi Security Gateway and the first thing I did was block the trace.svc.ui.com domain to stop the telemetry.

    2. pLu

      Re: "In other words, you ain't got no choice."

      > Home users: DD-WRT works a treat. Check 'em out :-)

      Or OpenWrt, which the UniFi AP firmware actually is based on.

      1. johndoex

        Re: "In other words, you ain't got no choice."

        > Or OpenWrt, which the UniFi AP firmware actually is based on.

        No, it's not. It is based on Vyatta, which is based on Debian.

        OpenWRT is a different animal. The Turris series of routers ship with customized OpenWRT.

        1. Gronk

          Re: "In other words, you ain't got no choice."

          No, it is:

          BusyBox v1.25.1 () built-in shell (ash)

          ___ ___ .__________.__

          | | |____ |__\_ ____/__|

          | | / \| || __) | | (c) 2010-2019

          | | | | \ || \ | | Ubiquiti Networks, Inc.

          |______|___| /__||__/ |__|

          |_/ https://www.ui.com/

          Welcome to UniFi UAP-AC-Pro-Gen2!

          unifiapacpro-BZ.v4.0.80# cat /etc/openwrt_version

          r3979-2252731af4

          unifiapacpro-BZ.v4.0.80# cat /etc/openwrt_release

          DISTRIB_ID='LEDE'

          DISTRIB_RELEASE='17.01.6'

          DISTRIB_REVISION='r3979-2252731af4'

          DISTRIB_CODENAME='reboot'

          DISTRIB_TARGET='ar71xx/ubnt'

          DISTRIB_ARCH='mips_24kc'

          DISTRIB_DESCRIPTION='LEDE Reboot 17.01.6 r3979-2252731af4'

          DISTRIB_TAINTS='no-all mklibs busybox'

        2. rg287

          Re: "In other words, you ain't got no choice."

          EdgeOS on the EdgeMAX/EdgeRouter gear is forked from Vyatta.

          The Unifi stuff is OpenWRT.

  5. Mr Humbug

    Just to be pedantic...

    ... because the article confused me for a bit.

    The wireless UniFi devices this is talking about are access points, not routers.

  6. Anonymous Coward
    Anonymous Coward

    Will we see routers behind routers ?

    With the secondary router dumping all snooping packets to 127.0.0.1 ?

    1. johnfbw

      Re: Will we see routers behind routers ?

      But how will you stop the second router sharing your browsing

  7. dave 81

    Use a firewall

    Come on, what are the AP's doing that cannot be blocked with a firewall?

    1. Mr Humbug

      Re: Use a firewall

      That's not really the point. These are sold as business wireless infrastructure kit, to be managed either in-house or by a paid third party. In that scenario the person responsible for the kit should easily be able to find out what it does and choose what telemetry is appropriate in their environment. Turning off telemetry should not require you to create firewall rules.

  8. big_D Silver badge

    Blocking...

    In their defence, whilst they say that you can't disable it in the 4.1.x firmware at the moment, but there is a workaround.

    If you do not wish to participate/provide this data, we will add an opt-out button in upcoming versions that will make it easy to opt-out of providing this data. In the meantime, you can block traffic from UniFi devices to trace.svc.ui.com.

    I put a block on that domain at the firewall. Not ideal, but at least you can opt yourself out.

    It is a shame, they make great hardware and it is relatively easy to set up. I really like it, apart from this issue.

  9. Fazal Majid

    Not OK

    I use a Ubiquiti USG as my firewall for the convenience of a single management pane of glass. This is completely unacceptable.

    In the short term I am going to block them in DNS, and in the slightly longer term I am going to have to get another OpenBSD box with PF in transparent bridge mode to block them.

    1. big_D Silver badge

      Re: Not OK

      Just add a rule to the USG to block all traffic to trace.svc.ui.com. That and I blacklisted it on my Pi-Hole.

      1. whitepines Silver badge
        Big Brother

        Re: Not OK

        And if it does a DoH lookup to an ever changing set of cloud IP addresses, when it can't contact the central telemetry domain?

    2. Paul Eagles

      Re: Not OK

      You can also create a firewall rule within the controller to deny your access points having internet access.

      1. Jamie Jones Silver badge

        Re: Not OK

        A much better idea. The other solutions posted here rely on their dns name / ip addresses not changing between updates.

  10. Pascal Monett Silver badge

    Well it seems that Made In USA = spies on you

    That Ubiquiti made that decision in the current climate tells volumes about how much they care about their users' opinions (they don't).

    I think that that decision will come back to bite them, because awareness is growing on this issue. Companies that just Trump around with their own promises are going to find that the market will react more and more.

    And that is a Good Thing (TM).

  11. JohnFen Silver badge

    Of course I do

    > In other words, you ain't got no choice.

    Sure I do. I can choose to avoid the crap that Ubiquiti produces and use a router that's actually fit for purpose.

    1. Adam JC

      Re: Of course I do

      Article seems to skate around the fact this doesn't just affect their routers, but every single UniFi device. (Access points, mFi, UniFi switches, etc).

  12. Paul Eagles
    FAIL

    Ubiquiti are really doing their best to piss people off. I don't have an issue with them wanting to collect information but I have a huge issue with them enabling it silently. Twice. There was a lot of backlash when they did it first time around so it's mind boggling that they're doing it again.

    To stop them getting any data out of me I've blacklisted trace.svc.ui.com in Pi-Hole, added a firewall rule to block my access points internet access, turned off the analytics and improvements in the controller and further disabled things using config.properties. I shouldn't have to do that. If there were a toggle in the controller that disabled it then I'd be happy enough. Still pissed off that it was enabled by default but making it simple to disable it would stop me moaning.

    I like Unifi kit but I'm really beginning to dislike the people that make it.

    1. WHT

      Said by Paul Eagles

      "Ubiquiti are really doing their best to piss people off."

      They already did

      https://community.ui.com/questions/WHTs-Inspiration-and-Motivation/3fc1518a-a2ae-4eb8-9cfb-490a38b8a21f

  13. cdrcat

    Booo hiss to Ubiquiti

    A Venn diagramme of WiFi device purchasers and privacy geeks would have a large union set. And surely Ubiquiti sales depend upon nerdigensia influencers - why would they be so stupid to burn their goodwill? I found out about Unifi products via geek forums.

    They were my default supplier and I used to recommend them whenever WiFi discussions came up. They lose my voice, although I will probably grudgingly continue to buy their products because they are now the devil I know...

    1. fidodogbreath Silver badge

      Re: Booo hiss to Ubiquiti

      And surely Ubiquiti sales depend upon nerdigensia influencers - why would they be so stupid to burn their goodwill?

      It seems unlikely that home network nerds are a significant revenue source for Ubiquiti; how many APs do you need in a house, anyway? One large arena, stadium, or office campus project probably generates more money for them than all of the home nerds combined.

      1. jake Silver badge

        Re: Booo hiss to Ubiquiti

        They may not personally spend lots of dollars on the kit ... but did you see that word "influencers"? Methinks the OP placed it there for a reason.

      2. Anonymous Coward
        Anonymous Coward

        Re: Booo hiss to Ubiquiti

        The Ubiquiti gear is starting to get popular among the "prosumer" crowd, so it is probably larger than you suggest. But I imagine that the WISP market is their main profit source. You have all of the CPE kit, sector antennas and APs, and possibly some backhaul radios. Those airFiber radios aren't cheap.

  14. Kev99

    Doesn't that violate the GDPR and California privacy laws?

    1. Dolvaran

      For GDPR, probably not - provided they really don't collect personally identifiable data

      1. nagyeger

        IP addr, location, timestamp, hosts visited

        provided they really don't collect personally identifiable data

        They claim to record location data, IP address, and websites visited.

        Article 4 (1): 'personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;

        It might depend on the time-windows for their anonymisation data. If it's once / year, they're probably OK, but the data is useless. If it's once / minute, then even in a corporate settings, if I'm in the only one on the wifi network, late at night, say, they are collecting personal data about me in near real-time.

  15. WHT

    UBNT How I Hate You

    From:

    https://www.dslreports.com/forum/r32565311-UBNT-phone-home-feature

    Let me count the ways I love hate you UBNT - Tips hat to Elizabeth Barrett Browning, Sonnet 43.

    1 Potentially exposing CPNI

    2 Borky FW upgrades

    3 Supply chain problems

    4 Newest forum format

    5 Tough Cable

    6 JAVA fetish

    7 Firing Mike Ford

    8 airView bricking Titaniums

    9 miFi

    -=World's First UBNT airMAX WISP=-

  16. Nicko

    Use Pi-hole. At least 4 of the blacklists I use have trace.svc.ui.com blocked by default.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2020