back to article Ubiquiti iniquity: Wi-Fi box slinger warns hackers may have peeked at customers' personal information

Networking vendor Ubiquiti has written to its customers to advise them of a possible leak of their personal information. “We recently became aware of unauthorized access to certain of our information technology systems hosted by a third-party cloud provider,” the email opens, before adding: “We have no indication that there …

  1. Mike 137 Silver badge

    "“As a precaution, we encourage you to change your password"

    Your data have been exfiltrated by an adversary, so you should change your password? Will that delete the adversary's copy of your data? As usual, they "take your security seriously" after the fact, not before.

    It's a common fantasy that putting your data in the 'cloud' eliminates your need to exercise common sense. But engaging a subcontractor does not devolve your governance onto that subcontractor, nor does it absolve you if the subcontractor screws up.

  2. Piro Silver badge

    I'm getting further disillusioned with Ubiquiti. Why does the newest firmware on their devices require a cloud login for first set up? Huge, amateur mistake.

    I like their kit, but they're moving further away from their "enterprise on the cheap" roots towards something more displeasingly consumer orientated.

    1. John H Woods Silver badge

      Fabulous hardware at the price point. Ruined.

      1. Norman Nescio Silver badge

        Avoiding negative added-value cloud encumberments

        Well, I think Ubiquiti make some nice hardware for installing OpenWrt on.*%7E%5D=Ubiquiti

        To be fair, the installation process may be non-trivial.

        (Don't all click at once, I think the OpenWrt web-server is a bit of a frayed-shoestring operation.)

  3. arachnoid2

    Changing password

    Totally pointless as in many cases its not your password that was compromised and led to the data loss in the first place and even if it was its because of the way it is stored on their server so nothing you as a user can fix. If the initial attack vector is not patched they may just visit again and take more data so the problem is ass covering host not the user.

    1. Korev Silver badge

      Re: Changing password

      I guess the risks are that people tend to reuse passwords and also many people use their cloud-based solution to run their networks.

      It took me quite a bit of hunting on their website to change mine (even though the old one was randomised in a password manager and I never used the cloud stuff for this reason)

  4. Korev Silver badge


    I've been using Ubiquiti gear for a while and I'm getting increasingly pissed off with it. In recent times I also had a switch crap itself when I changed the setting on a port, a nightmare trying to sort my Sonos gear and the "Cloud Key" is notorious for dying when it loses power).

    What alternatives are people using, I'm thinking of going for PFSense for the firewall/router. I'm a home user with three switches and a couple of APs and I use things like VLANs and various firewall rules.

    1. Anonymous Coward
      Anonymous Coward


      I'm running pfSense for my home / office and it works very nicely. I've got it running on a PCEngines APU2 4d4 board ( as that's low power (a few watts), has no spinning disks and has four NICs (one is used for WAN).

      1. Anonymous Coward
        Anonymous Coward

        Re: pfSense

        "PCEngines APU2 4d4 board"

        I have around 50 of those (APU1+) running across the UK with several 100's of Unifi APs behind them. Those are Intel NICs too.

        My one controller is running 5.13.x on top of Ubuntu LTS and does not need any cloudy logins to function.

      2. Biggus Dickus

        Re: pfSense

        Yep, same here, it's been working faultless for a number of years.

    2. Amjad

      Re: Alternatives

      OPNSense might be better alternative than pfSense now. I think netgate are moving away from community/free editions, there hasn't been an update to pfSense since 28th May 2020.

      1. thondwe

        Re: Alternatives

        pfSense 2.5 is about to be released based on BSD 12.3 - which is why things are quiet I think - for an idea of activity check the pfsense redmine site.

    3. Muppet Boss

      Re: Alternatives

      >What alternatives are people using, I'm thinking of going for PFSense for the firewall/router. I'm a home user with three switches and a couple of APs and I use things like VLANs and various firewall rules.

      It really depends on what functionality you require: basic functionality, including firewalling, NAT, port forwarding and basic IPSec is well covered by many home networking products. Some people mention that ZyXEL Keenetic products work well for them in the prosumer range and have an easy-to-master UI.

      In the professional range, there is Mikrotik, of course, which is provider-grade networking on the cheap. Mikrotik has a very steep learning curve, and their CLI/UI is unlike anything else on the market. When mastered, it is extremely powerful. You need to check carefully for what SoC features are supported for a particular model: e.g. some models have hardware IPSec and others do not even if the SoC supports it. Hardware L3 VLAN interfaces and hardware VLAN switching may be a problem, need to choose and test carefully. The software is generally very stable and the hardware is supported for ages. The devil is in the details though, e.g. you can purchase a 72-core CCR1072 as we did once only to discover that the IKE daemon is single-threaded and can only handle around 2-4 new VPN connections per second. Not too fast when thousands of VPN clients are trying to connect simultaneously. Again, the learning curve is very steep and the UI is sort of love or hate.

      PFSense is generally very good for simple tasks and easy to manage. The web UI is imho not very stable after 2.0 (so for a very long time) and the platform tends to have various issues when the system is under load (which should probably not trigger at all for a simple home setup). There is a lot of software packages/add-ons available for various all-in-one solutions. My personal opinion is that the software quality is going down for the last 5-6 years (still very usable) because Netgate is rather interested in developing and marketing its cutting-edge commercial TNSR platform (Linux+DPDK+VPP, it must take a lot of effort to develop a stable networking platform using this cutting-edge stack). On an ancient home PC running PFSense with a reasonably complex firewall rulebase you can still expect multi-gigabit throughput though.

      Then there's Vyatta/VyOS for a nice software router/firewall. But it might be more practical to simply purchase Ubiquiti Edgerouter, EdgeOS is basically a Vyatta fork on a custom hardware with an optional slick GUI and is imho a very very nice platform (I understand that you are trying to migrate from Ubiquiti but EdgeOS is a completely different thing). I've got a "preloved" EdgeRouter Pro8 for very cheap and it is quite a beast.

      And of course you can always buy a used Cisco router. 29xx is all the rage on eBay now and something like 2951 will get you around 200-300Mbps symmetric real-world throughput, if you do not mind some noise. Some learning curve might be required as well, of course.

      Hope it helps. Cheers!

    4. FIA Silver badge

      Re: Alternatives

      What alternatives are people using, I'm thinking of going for PFSense for the firewall/router. I'm a home user with three switches and a couple of APs and I use things like VLANs and various firewall rules.

      It depends what level of config vs what level of pissing around you're willing to tolerate. I used NetBSD for years, and have moved to FreeBSD recently. Both times using pf as the firewall for nat/routing.

      This has served well for years, currently running PPPoE to an old style VDSL modem on Plusnet. (so the server gets the external IP).

      However, all the config is done on the command line (I expect there's web options, I just don't use them), and as I've used it for years I probably have a level of acrued knowlage that I'm not considering.

      It runs all the services I need on the network (It does all home servering duties, eg media via plex, files via samba), gives me nice, configurable firewalling and is flexible. (eg, I have pihole running in a small debian VM, and another windows VM running a minecraft server for the small person). It allows me to support 3 people and a gob load of devices without issues.

      I don't use the server for WiFi however, I have a TP-Link and an old repurposed plusnet homehub doing wifi duties (seperate SSIDs, but on the same network), these are just acting as bridges though, things like DHCP is disabled in the wifi kit, all handled by the server.

      After home office requirements for stupid stupid covid I am now also running 3 switches, and 2 APs. I've not made any use of VLANs though.

    5. Snar

      Re: Alternatives

      Another +1 from me for pfsense.

      I had a Netgate SG-3100 for about 4 years which ran out of puff when I upgraded the broadband service to 1Gbps/50Mbps and is now running on a Dell R210 Mk2 with an Intel i340 NIC and a 120GB SSD and it cost me £100 to put together. Faultless. Machine is pretty much silent and lives in my home office next to my desk although Mk1's are more noisy AFAIK.

    6. thondwe

      Re: Alternatives

      Just switched Firewall to PFSense on a "Nano PC" - was running "Sophos XG" home but switched due to lack of proper IPv6 support on the later. Both good Firewalls though. My Unifi Controller is a old PI model B running Debian. Switches are NetGear - cheap, but the GUI is so bad!

  5. krakead

    FFS - I bought some new Ubiquiti wifi kit for home an hour before this announcement. Before I send it back does *anyone* do a decent mesh kit that is reasonably priced (under £500), suitible for a large, old house and doesn't either rely on cloud accounts and isn't ridiculously overcomplicated to set up? Oh, and isn't from Netgerar.

    1. ahnlak

      If the only reason you're sending it back is because they had a data breach, I've got bad news for you - whatever other vendor you go to will *also* have a data breach at some point. At least the hardware is pretty reliable.

      1. krakead
        Big Brother

        This is why I asked for recommendation for kit that isn't reliant on cloud accounts. Aside from convenience and ease of use, there's no valid reason for a LAN router to require an externally hosted service to configure it.

        1. Down not across

          None of my Ubiquiti kit is dependent on cloud. I run the controller for APs locally, Edgerouter (when I was running it worked fine without any cloudy things).

    2. anothercynic Silver badge

      The hardware's good. Just use a password for your UBNT account that you don't use for anything else.

    3. BitGin

      If you're prepared to run cables for backhaul you can use mikrotik and their "CAPsMAN" system. I'm pretty sure it does count as ridiculously overcomplicated but the APs start from about £20 so it is cheap.

      Or you can just buy a bunch of powerline ethernet adaptors and a bunch of cheap standalone access points and build your own. Just set all the APs to use the same ssid, wpa psk but different channels and your devices should automatically hop between them as you move around the house.

      The only real advantage to something that calls itself a mesh network is that it has that backhaul stuff built in, you have a single management console so changing your psk / ssid is a lot easier and you might get some help picking the channels for the various APs. Some mesh stuff helps move devices between APs but not all and I'm not convinced it's that important on a home network.

    4. Muppet Boss

      >Before I send it back does *anyone* do a decent mesh kit that is reasonably priced (under £500)...

      It depends on what you purchased. Unifi APs + software controller or CloudKey do not require cloud access to be installed and/or configured. Just do not enable cloud login and there is no cloud dependency. Disable telemetry and [most of] it will not be sent - or you can block controller access to the Internet to be 100% sure it does not upload anything (you will lose software auto updates and update notifications).

      There is virtually no alternative for new hardware in this price range. From what you write (a large old house) you will likely require multiple APs and a controller to manage client roaming. Unifi used to have sh**ty roaming in the past but now it is quite decent. Without assisted roaming, the WiFi reception will suffer as you move a WiFi client around the house. If you ordered a hardware controller, it better be CloudKey Gen2 (Gen1 does not survive power outages; Gen2 has a built-in battery and shuts itself down nicely on power loss - read 'when someone unplugs the cable'). Dream Machine as a WiFi controller requires cloud access.

      If you are open to used gear, there's Cisco, Ruckus and Aruba (and other enterprise gear but these are the market leaders) to choose from but they require specialist knowledge to set up and configure and you might have technical and legal difficulties when updating them.

      I would say, stay with Unifi as long as it is AP-PRO, AP-AC or better (more expensive :) access points and Cloud Key Gen2 controller or a software controller on a dedicated PC or virtual machine that operates 24x7 (there is no assisted ("smart") roaming without the controller running).

      P.S., I would not recommend Mikrotik that BitGin advised as it is extremely complicated for a non-professional to set up and even more complicated to set up correctly. Starting with WiFi channels identified by frequency and not by channel numbers, and this is just the beginning ;)

      1. Korev Silver badge

        Thank you all for your suggestions, a virtual pint for the suggestions -->

    5. Maventi

      It works fine without a cloud account - I set it up at home for the first time (I'd deployed it to other environments years ago) and was able to run it entirely cloud free.

      For the really paranoid block outbound; there doesn't currently appear to be any other phone home happening except for firmware update checks.

  6. Version 1.0 Silver badge

    Easy to use means easy to abuse, "security" is a marketing term these days.

  7. tin 2


    Is that "hosted by a third-party cloud provider" or actually "hosted by us using a cloud provider"?

    I'd be willing to take a bet that it's the latter and some crap blame shifting. Which if the case, demonstrates continued bad faith.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon