TechEcho

A tech news platform built with Next.js, providing global tech news and discussions.

© 2025 TechEcho. All rights reserved.

Whistleblower: Ubiquiti Breach “Catastrophic”

1944 points by picture, about 4 years ago

78 comments

yabones, about 4 years ago

> “The breach was massive, customer data was at risk, access to customers’ devices deployed in corporations and homes around the world was at risk.”

> “They were able to get cryptographic secrets for single sign-on cookies and remote access, full source code control contents, and signing keys exfiltration,”

Maybe putting your network control plane in 'the cloud' isn't such a good idea after all...

Edit: Just re-read the article, this part stood out:

> the attacker(s) had access to privileged credentials that were previously stored in the LastPass account of a Ubiquiti IT employee, and gained root administrator access to all Ubiquiti AWS accounts, including all S3 data buckets, all application logs, all databases, all user database credentials, and secrets required to forge single sign-on (SSO) cookies.

> Adam says Ubiquiti’s security team picked up signals in late December 2020 that someone with administrative access had set up several Linux virtual machines that weren’t accounted for.

If this is true, and whoever breached them had full access to their AWS account, can we really trust them to clean up all their tokens and fully eradicate all forms of persistence the hackers may have gotten?

Replies not loaded: #26638730, #26639726, #26639392, #26644011, #26639842, #26638799, #26639819, #26657083, #26638567, #26644787, #26650559, #26642300, #26639089, #26642096, #26644903, #26641097, #26644151, #26663614, #26643773, #26639359, #26642673
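The two signals the comment above quotes (VMs nobody accounted for, and persistence left behind by someone holding root) are exactly what a CloudTrail triage pass looks for. The following is an added example, not code from the thread or from Ubiquiti: it runs over a constructed trail (the account ID, principal names and IP addresses are made up; the CloudTrail field and event names are real) and flags RunInstances from any principal outside an allow-list, every call made with root credentials, and the IAM and logging changes that give an intruder a durable foothold.

```python
"""
Added example, not part of the thread and not Ubiquiti's code: a CloudTrail
triage pass over constructed records. It looks for compute nobody accounted
for (RunInstances by a principal outside an allow-list) and the persistence
an attacker holding root credentials leaves behind (new users, access keys,
login profiles, trust-policy edits, logging switched off). The account ID,
principal names and addresses are made up; field and event names are real.
"""
import json

# Calls that create a durable foothold or blind the defenders. Assumption of
# this example: any of these deserves a ticket, whoever made the call.
PERSISTENCE_EVENTS = {
    "CreateUser", "CreateAccessKey", "CreateLoginProfile", "UpdateLoginProfile",
    "AttachUserPolicy", "AttachRolePolicy", "PutUserPolicy", "PutRolePolicy",
    "CreateRole", "UpdateAssumeRolePolicy", "DeactivateMFADevice",
    "DeleteTrail", "StopLogging", "PutBucketPolicy",
}
COMPUTE_EVENTS = {"RunInstances"}

# Constructed sample trail: one legitimate CI launch, then a root session from
# an outside address that launches a VM and plants a new IAM user plus key,
# then that new user switching CloudTrail off.
SAMPLE_TRAIL = json.dumps({"Records": [
    {"eventTime": "2020-12-20T02:11:09Z", "eventName": "RunInstances",
     "eventSource": "ec2.amazonaws.com", "sourceIPAddress": "10.40.2.15",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::123456789012:assumed-role/ci-builder/jenkins"}},
    {"eventTime": "2020-12-21T03:40:12Z", "eventName": "RunInstances",
     "eventSource": "ec2.amazonaws.com", "sourceIPAddress": "203.0.113.7",
     "userIdentity": {"type": "Root", "arn": "arn:aws:iam::123456789012:root"}},
    {"eventTime": "2020-12-21T03:45:00Z", "eventName": "CreateUser",
     "eventSource": "iam.amazonaws.com", "sourceIPAddress": "203.0.113.7",
     "userIdentity": {"type": "Root", "arn": "arn:aws:iam::123456789012:root"},
     "requestParameters": {"userName": "svc-backup"}},
    {"eventTime": "2020-12-21T03:46:00Z", "eventName": "CreateAccessKey",
     "eventSource": "iam.amazonaws.com", "sourceIPAddress": "203.0.113.7",
     "userIdentity": {"type": "Root", "arn": "arn:aws:iam::123456789012:root"},
     "requestParameters": {"userName": "svc-backup"}},
    {"eventTime": "2020-12-22T09:02:44Z", "eventName": "DescribeInstances",
     "eventSource": "ec2.amazonaws.com", "sourceIPAddress": "10.40.2.20",
     "userIdentity": {"type": "IAMUser", "userName": "alice"}},
    {"eventTime": "2020-12-23T23:58:01Z", "eventName": "StopLogging",
     "eventSource": "cloudtrail.amazonaws.com", "sourceIPAddress": "203.0.113.7",
     "userIdentity": {"type": "IAMUser", "userName": "svc-backup"}},
]})


def load_records(trail_json):
    """CloudTrail log files are a JSON object with a top-level 'Records' list."""
    return json.loads(trail_json)["Records"]


def principal(record):
    """Short label for the caller: 'root', 'user/NAME' or 'role/NAME'."""
    ident = record.get("userIdentity", {})
    kind = ident.get("type")
    if kind == "Root":
        return "root"
    if kind == "IAMUser":
        return "user/" + ident.get("userName", "?")
    if kind == "AssumedRole":
        # arn:aws:sts::ACCOUNT:assumed-role/RoleName/SessionName
        return "role/" + ident.get("arn", "").split("assumed-role/")[-1].split("/")[0]
    return kind or "unknown"


def triage(records, expected_builders):
    """
    Findings in time order. Kinds:
      root-api-call        any call made with root credentials
      unaccounted-compute  RunInstances by a principal not in expected_builders
      persistence          an event in PERSISTENCE_EVENTS, whoever made it
    One record can produce more than one finding.
    """
    findings = []
    for r in sorted(records, key=lambda x: x["eventTime"]):
        who = principal(r)
        base = {"time": r["eventTime"], "event": r["eventName"], "principal": who,
                "source_ip": r.get("sourceIPAddress")}
        if who == "root":
            findings.append({**base, "kind": "root-api-call"})
        if r["eventName"] in COMPUTE_EVENTS and who not in expected_builders:
            findings.append({**base, "kind": "unaccounted-compute"})
        if r["eventName"] in PERSISTENCE_EVENTS:
            findings.append({**base, "kind": "persistence"})
    return findings


def summarize(findings):
    """Count findings per kind, e.g. {'root-api-call': 3, ...}."""
    counts = {}
    for f in findings:
        counts[f["kind"]] = counts.get(f["kind"], 0) + 1
    return counts


if __name__ == "__main__":
    results = triage(load_records(SAMPLE_TRAIL), expected_builders={"role/ci-builder"})
    for f in results:
        print(f"{f['time']} {f['kind']:20} {f['event']:16} {f['principal']} from {f['source_ip']}")
    print(summarize(results))
```

On the sample trail every finding comes from the same outside address, which is the pivot a responder would chase next. Note what the pass cannot do: once StopLogging has run, later activity leaves no record, which is why the eradication question the commenter raises has no answer from logs alone and a rebuild of credentials is the safer route.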
_pplp, about 4 years ago

I am 100% not surprised. I spent a year working for Ubiquiti, running the Network Controller team.

Trust me, this whistle-blower "Adam" (I have a few suspicions of who it actually is) toned it down.

The reality is much much worse.

Replies not loaded: #26639363, #26644313
noinsight, about 4 years ago

> ”Ubiquiti had negligent logging (no access logging on databases) so it was unable to prove or disprove what they accessed”

Perversely, this is exactly the logging that you want to have in place in case of a breach.

You can then (factually) make the statement that ”we have no evidence any customer data was accessed.”

Replies not loaded: #26640838, #26639711, #26641840, #26640692, #26639575, #26638652, #26642304, #26640737, #26640480, #26648114, #26638774
myrandomcomment, about 4 years ago

You are required to have internet access to set up something like the UDM-Pro. After it is set up you can create a local admin account and disable remote access.

Here is how:

1. Login with your online account credentials and password
2. Choose system settings
3. Choose advanced
4. Disable Remote Access
5. Confirm that "Transfer owner" won't be available if you disable remote access.

The issue in general is that the UniFi stuff can be crappy and buggy, but it SUCKS LESS than any other complete solution for a home / small enterprise there at the price point.

I personally used to give them a strong recommendation and even now that is a recommendation with some footnotes. They have been growing too fast and the SW quality has gone down. Being on the latest release is not always the best idea.

To be fair, I have had many conversations with Cisco that started with "no, not the latest GA, but what is the latest proven STABLE GA."

Replies not loaded: #26640546, #26640409
surfsvammel, about 4 years ago

This company is a disaster it seems, and I have just set up my whole home infrastructure and home security around their products... They were the most recommended brand when I was shopping for new stuff a year ago.

Replies not loaded: #26639830, #26638761, #26640845, #26638631, #26638618, #26638680, #26645391, #26641295, #26638591
meepmorp, about 4 years ago

> Adam says the attacker(s) had access to privileged credentials that were previously stored in the LastPass account of a Ubiquiti IT employee, and gained root administrator access to all Ubiquiti AWS accounts, including all S3 data buckets, all application logs, all databases, all user database credentials, and secrets required to forge single sign-on (SSO) cookies.

A root user breach, seemingly on the organization's main account. Ouch.

I wonder if MFA was set up, with the TOTP creds also kept in LastPass.

Replies not loaded: #26638919, #26638734
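Whether the root user had MFA, and whether it held long-lived access keys at all, is something an account owner can answer from the IAM credential report without guessing. The following is an added example, not code from the thread or from Ubiquiti: an offline audit of a constructed credential report in the format `aws iam get-credential-report` returns (the column names, the `<root_account>` row and the `true`/`false`/`N/A`/`not_supported` values are the real format; the users, dates and account ID are made up). It flags a root user without MFA, root access keys, console users without MFA, and active keys that have not been rotated.

```python
"""
Added example, not from the thread and not Ubiquiti's code: an offline audit
of an IAM credential report (the CSV behind `aws iam get-credential-report`,
base64-encoded on the wire, shown decoded here). The report below is
constructed for the example; the column names, the '<root_account>' row name
and the placeholder values are the real report format.
"""
import csv
import io
from datetime import datetime, timedelta, timezone

SAMPLE_REPORT = """\
user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date
<root_account>,arn:aws:iam::123456789012:root,2016-03-01T10:00:00+00:00,not_supported,2020-12-21T03:39:50+00:00,not_supported,not_supported,false,true,2016-03-01T10:00:00+00:00,2020-12-21T03:40:10+00:00,false,N/A,N/A
it-admin,arn:aws:iam::123456789012:user/it-admin,2017-05-12T09:00:00+00:00,true,2020-12-18T08:12:00+00:00,2019-01-04T09:00:00+00:00,N/A,false,true,2018-02-01T09:00:00+00:00,2020-12-18T08:12:00+00:00,false,N/A,N/A
deploy-bot,arn:aws:iam::123456789012:user/deploy-bot,2019-08-20T12:00:00+00:00,false,N/A,N/A,N/A,false,true,2020-11-01T12:00:00+00:00,2020-12-20T22:00:00+00:00,false,N/A,N/A
alice,arn:aws:iam::123456789012:user/alice,2018-01-15T09:00:00+00:00,true,2020-12-20T15:00:00+00:00,2020-09-30T09:00:00+00:00,N/A,true,false,N/A,N/A,false,N/A,N/A
"""

# "Now" is pinned so the example is reproducible.
NOW = datetime(2020, 12, 31, tzinfo=timezone.utc)
ROOT = "<root_account>"


def parse_report(csv_text):
    """One dict per row, keyed by the report's column names."""
    return list(csv.DictReader(io.StringIO(csv_text)))


def _timestamp(value):
    """Report timestamps are ISO 8601 with offset; placeholders become None."""
    if value in ("N/A", "no_information", "not_supported", ""):
        return None
    return datetime.fromisoformat(value)


def audit(rows, now=NOW, max_key_age_days=90):
    """
    Return (user, finding) pairs:
      root-no-mfa           root user has no MFA device
      root-access-key-N     root user holds an active long-lived key
      console-user-no-mfa   a user with a console password and no MFA
      stale-access-key-N    an active key older than max_key_age_days
    """
    findings = []
    for row in rows:
        user = row["user"]
        has_mfa = row["mfa_active"] == "true"
        if user == ROOT and not has_mfa:
            findings.append((user, "root-no-mfa"))
        if row["password_enabled"] == "true" and not has_mfa:
            findings.append((user, "console-user-no-mfa"))
        for n in (1, 2):
            if row[f"access_key_{n}_active"] != "true":
                continue
            if user == ROOT:
                findings.append((user, f"root-access-key-{n}"))
            rotated = _timestamp(row[f"access_key_{n}_last_rotated"])
            if rotated is None or now - rotated > timedelta(days=max_key_age_days):
                findings.append((user, f"stale-access-key-{n}"))
    return findings


if __name__ == "__main__":
    for user, finding in audit(parse_report(SAMPLE_REPORT)):
        print(f"{finding:22} {user}")
```

The root row in the sample is the shape of account the quoted paragraph describes: no MFA and a four-year-old access key that was used minutes before an unexplained RunInstances. Anyone holding that key has the same power as a console login, so a password manager compromise that yields it bypasses MFA entirely, which is the case the commenter is wondering about.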
H8crilA, about 4 years ago

By the way, reporting to krebsonsecurity is a giant waste of potential income. This is what the SEC whistleblower program is for. You get paid for submissions there that lead to successful enforcement actions, and the payouts can be very substantial. Furthermore, because payouts exist, there's an industry of competent lawyers that will happily take cases with compensation coming exclusively from your payout.

Also, how is this a securities case? The company did not disclose the scale of the breach to shareholders.

Replies not loaded: #26642474, #26642706, #26642760
sterlinm, about 4 years ago

The description of the incident in their quarterly financial statement seems to match this description. It doesn't downplay it quite as much as the email they sent customers.

> For example, in January 2021, we became aware that certain of our information technology systems hosted by a third party cloud provider were improperly accessed and certain of our source code and the credentials used to access the information technology systems themselves had been compromised. We received a threat to publicly release these materials unless we made a payment, which we have not done. As a result, it is possible that the source code and other information could be publicly disclosed or made available to our competitors. Due to the nature of the source code and the other information that we believe was improperly accessed, we at this time do not believe that any public disclosure will have a material adverse effect on our business or operations, but it is impossible to gauge the precise impact of any such disclosure. We have taken, and will continue to take, steps to remediate access controls to our information technology systems.

http://ir.ui.com/sites/default/files/2021-02/ui-10q-12-31-20.pdf
vmception, about 4 years ago

> Adam wrote in his letter. “Legal overrode the repeated requests to force rotation of all customer credentials, and to revert any device access permission changes within the relevant period.”

tsk.

Replies not loaded: #26638588, #26639065, #26648505, #26639137
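The rotation request that legal overrode matters because of what the earlier quotes say was taken: the secrets used to sign single sign-on cookies. The following is an added example, not code from the thread or from Ubiquiti, showing with a generic MAC-signed session cookie why possession of the signing key is the whole privilege, and why rotating the key is what closes the hole. The cookie layout (base64url JSON claims plus an HMAC-SHA256 tag), the two keys and the user names are made up for the example; the property it demonstrates holds for any cookie whose only protection is a MAC under a shared secret.

```python
"""
Added example, not from the thread and not Ubiquiti's code: what "secrets
required to forge single sign-on cookies" means in practice, and why rotating
the secret is the only thing that invalidates the attacker's cookies. The
cookie format and the keys are constructed for the example.
"""
import base64
import hashlib
import hmac
import json

# Constructed keys: the one the attacker exfiltrated, and its replacement.
LEAKED_KEY = b"sso-signing-key-v1-exfiltrated-from-the-secrets-bucket"
ROTATED_KEY = b"sso-signing-key-v2-generated-after-the-incident"


def _b64(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_cookie(key, claims):
    """Sign a claims dict; the SSO service issues these after a real login."""
    body = _b64(json.dumps(claims, sort_keys=True, separators=(",", ":")).encode())
    tag = hmac.new(key, body.encode(), hashlib.sha256).digest()
    return f"{body}.{_b64(tag)}"


def verify_cookie(key, cookie, now):
    """Claims if the tag checks out under `key` and the cookie is unexpired, else None."""
    try:
        body, tag = cookie.split(".", 1)
    except ValueError:
        return None
    expected = hmac.new(key, body.encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64(tag)):
        return None
    claims = json.loads(_unb64(body))
    if claims.get("exp", 0) <= now:
        return None
    return claims


def forge_cookie(stolen_key, victim_sub, now):
    """
    What the attacker does with the exfiltrated key: no login, no password,
    no MFA, just a cookie for any subject they like with an expiry of their
    choosing. It is the very same routine the service uses; the key is the
    whole privilege.
    """
    return issue_cookie(stolen_key, {"sub": victim_sub, "role": "admin",
                                     "exp": now + 10 * 365 * 86400})


def rotation_outcome(now):
    """
    Before/after of key rotation as booleans:
      legit_before   a real user's cookie verifies under the leaked key
      forged_before  the attacker's forged cookie verifies too
      legit_after    after rotation the real cookie is rejected (user re-logs in)
      forged_after   after rotation the forged cookie is rejected as well
    """
    legit = issue_cookie(LEAKED_KEY, {"sub": "alice@example.com", "role": "user",
                                      "exp": now + 3600})
    forged = forge_cookie(LEAKED_KEY, "ops-admin@example.com", now)
    return {
        "legit_before": verify_cookie(LEAKED_KEY, legit, now) is not None,
        "forged_before": verify_cookie(LEAKED_KEY, forged, now) is not None,
        "legit_after": verify_cookie(ROTATED_KEY, legit, now) is not None,
        "forged_after": verify_cookie(ROTATED_KEY, forged, now) is not None,
    }


if __name__ == "__main__":
    print(rotation_outcome(now=1_609_459_200))  # 2021-01-01T00:00:00Z
```

Two things follow from the booleans. Expiry does not help, because the forger picks the expiry. And the cost of rotation is exactly the "legit_after" line: every user is logged out once, which is the inconvenience the rotation request traded against an attacker who could keep minting admin sessions indefinitely.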
surfsvammel, about 4 years ago

The plot thickens: "SHAREHOLDER ALERT: Ubiquiti, Inc. Investigated for Possible Securities Laws Violations by Block & Leviton LLP; Investors Should Contact the Firm"

https://finance.yahoo.com/news/shareholder-alert-ubiquiti-inc-investigated-184800904.html

Replies not loaded: #26639891, #26642026
1vuio0pswjnm7, about 4 years ago

It is interesting to do a search of HN for past references to "Ubiquiti". Whenever the topic of routers came up, many comments followed that recommended them above any alternatives. Commenters seemed proud to tell the world they were using Ubiquiti, as if the "HN consensus" for home routers was to choose Ubiquiti.

It seemed to me Ubiquiti would never allow customers the option to install their own OS (e.g., BSD) or boot from external media containing a non-Ubiquiti OS, without sacrificing the benefits of hardware specs that were likely deciding factors in selecting the Ubiquiti hardware above existing alternatives. The intent was clearly to have Ubiquiti retain control over the hardware after purchase. The customer effectively remained tied to Ubiquiti forever, so if the company started serving ads, using AWS unnecessarily, etc., there's no way to opt out. Customer is compelled to accept all updates.

Specs are important, but maybe not as important as control.

Reliance on third parties necessarily increases potential risk. Unnecessary use of third parties is, IMO, poor decision-making. This is of course rampant in "tech" and, IMO, marks a triumph of the salesforce for those third parties over common sense, possibly assisted by network effects. Further, I dislike products where there is a heavy focus on opaque "updates". Again, many customers have been trained to believe that not updating is always the wrong decision. (Meanwhile they have no idea what is in each update.)

As stated in one of the blog post comments:

"It is even worse: Ubiquiti forced all users to use cloud-based authentification even for accessing your controller software on a local network with a local client. This was not even properly communicated but deployed by one of the regular maintenance updates."

Replies not loaded: #26639893, #26645062, #26639905
dec0dedab0de, about 4 years ago

Cloud managed anything has a giant red target painted on it. Especially infrastructure equipment. I'm still surprised anyone thinks it's ok to use their ISP provided router and wifi, let alone having it be managed remotely by the manufacturer.

Replies not loaded: #26639032
eutropia, about 4 years ago

> Ubiquiti’s stock price has grown remarkably since the company’s breach disclosure Jan. 16. After a brief dip following the news, Ubiquiti’s shares have surged from $243 on Jan. 13 to $370 as of today. By market close Tuesday, UI had slipped to $349.

Aaannd this is why we can't have nice things. Like trust in our vendors. Or security. Or consequences.
jniedrauer, about 4 years ago

> the attacker(s) had access to privileged credentials that were previously stored in the LastPass account of a Ubiquiti IT employee

The interesting part of this story is how the employee's LastPass got popped. My guess is their local workstation was compromised, and their LastPass was either not logged out in a browser plugin, or they didn't have 2 factor auth required for each login and a keylogger got the password. In either case, it's a good reminder to be paranoid about your password manager, make sure it's got a logout timer, and use 2 factor auth.

I also don't let my cloud password managers touch a mobile device. It's fairly inconvenient, so I hesitate to recommend this to others. But I don't trust mobile devices very much. Anyone have thoughts on this?

Replies not loaded: #26640348, #26640251, #26640168
modeless, about 4 years ago

Should have blown the whistle to the SEC instead. SEC whistleblowers get paid. Up to 30% of eventual penalties paid by the company with no upper limit. Lying about a breach could be securities fraud.

Replies not loaded: #26639498
blhack, about 4 years ago

Well this absolutely sucks :(. I've been a huge supporter of Ubiquiti ever since I was buying their mini PCI cards and sticking them into soekris engineering boards (ubiquiti started out as a hardware company).

The magic thing that absolutely sold me on their equipment was the ease with which you could provision and mesh new gear. Does anybody have anything that compares with that ease of use?

To explain what I mean: I recently had a buddy move into our guest house/apartment. While we waited for the ISP to come out and hook up his internet, I just put an AP on his counter, powered it up, and meshed it into our home network. The whole process took less than a minute and didn't require any running of ethernet.

(Maybe that's a common feature nowadays and I've just been out of the industry for so long?)

Replies not loaded: #26640052
seneca, about 4 years ago

There was just a thread[1] yesterday about them starting to serve ads in their UI. It seems this company is rapidly losing credibility.

I have had plans kicking around for a bit over a year to do a full build out using their products, and just within that time it seems like they've gone from a glowing reputation to severely tarnished. Unfortunate, as it seems like they once had great products.

1: https://news.ycombinator.com/item?id=26628198
qwertox, about 4 years ago

It really doesn't get worse than this. But isn't Ubiquiti more of a prosumer company, like MikroTik? MikroTik does get a lot of heat when they have a security vulnerability and get downranked for it as if it were far, far away from Ubiquiti's security profile (something like "US vs. some east EU country"), but this event tells a lot about Ubiquiti's upper management and their internal security practices.

Replies not loaded: #26640152, #26640467
smileybarry, about 4 years ago

Yikes. I have a (Ubiquiti) EdgeRouter X that I previously used for a fiber setup (and it's shelved now because it doesn't like this ISP's modem), had planned to get a ER-4 later down the road. Been on the fence for any of their APs for months upon months, now I'm glad I bought neither.

Technically EdgeRouter gear is unaffected as it's very cloud-optional, but I can't bring myself to trust any firmware from them at this point. It supports OpenWRT so I guess I'll install it and go back to OpenWRT.

I see this thread already has people discussing alternatives, so I won't ask for ones -- just had to put it out there that if you own an EdgeRouter, chances are that OpenWRT has a build for it.
akkartik, about 4 years ago

Why do people trust any IoT devices these days? Shouldn't we be trying to reduce our exposure to (inevitably insecure) software? What benefits does it provide that are worth the unbounded risks?

Replies not loaded: #26639293
caseysoftware, about 4 years ago

"Adam says the attacker(s) had access to privileged credentials that were previously stored in the LastPass account of a Ubiquiti IT employee, and gained root administrator access to all Ubiquiti AWS accounts, including all S3 data buckets, all application logs, all databases, all user database credentials, and secrets required to forge single sign-on (SSO) cookies."

Holy...

Wow. That is catastrophic. Everything is compromised. That's a complete rebuild.

Replies not loaded: #26639975
Saris, about 4 years ago

A potential option for anyone wanting to avoid buying new hardware to move away from Ubiquiti management software: https://openwrt.org/toh/start?dataflt%5BBrand*%7E%5D=Ubiquiti+
Quarrelsome, about 4 years ago

> Ubiquiti’s shares have surged from $243 on Jan. 13 to $370 as of today.

How are we ever going to solve security as an industry against this? Again we're told that security isn't important. Being the first to market and insecure is the winning play and that's just fucked.

Replies not loaded: #26640153
heavyset_go, about 4 years ago

At least for home networking, I'll always pick something I can throw OpenWRT on over a managed service, subscription or closed-source option.

In the 15 years I've been using OpenWRT, I have never been disappointed with it, and I don't have to worry about some company's "secure" backdoor into my network being exploited.

Replies not loaded: #26641132, #26641257
vorpalhex, about 4 years ago

Well, guess I won't be able to drop a few thousand on Ubiquiti gear anymore until we get some more details. Hopefully this account isn't fully truthful, otherwise Ubiquiti has really screwed up.

Replies not loaded: #26638560, #26638687, #26638546, #26638617
bedhead, about 4 years ago

Ubiquiti is another one of these companies where if you did nothing but read about them on HN, Reddit, et al, you would think they're filing for bankruptcy tomorrow, set orphanages on fire, kill puppies, etc. The negative hyperbole around this company is something else, hack or not. And yet, all they do is thrive...

Replies not loaded: #26639280, #26638937, #26641268, #26638984
skeletonjelly, about 4 years ago

Interesting to see what Troy Hunt does next considering they send him free stuff[1] and he speaks highly of them. He's so far only said it's "obviously a really bad look"[2]

1. https://www.troyhunt.com/friends-dont-let-friends-use-dodgy-wifi-introducing-ubiquitis-dream-machine-and-flexhd/

2. https://twitter.com/troyhunt/status/1376998711318863880

Replies not loaded: #26647608
elevation, about 4 years ago

I'll change my forum password and continue to avoid UBNT's cloud features like always.

I'm still happy with the value, stability, and security updates (!!) of my UBNT hardware.

I still won't buy gear from another vendor that wants $$$/device-year in support contracts and have unavoidable cloud controllers.
rys, about 4 years ago

I’m willing to see what Ubiquiti will do to make it right before I switch away, because I have a local-only setup of EdgeRouter and UniFi APs that’s been absolutely great in the years I’ve had it, but this is really last chance saloon stuff now.

I’m looking for a proper post-mortem and the steps to make sure it can’t happen again, recommitment to local-only users and respect of the customer, and a step back from the push to cloud everything.
esaym, about 4 years ago

I looked into Ubiquiti years ago while trying to find a decent access point. Couldn't stand the thought of having to configure stuff "in the cloud" or running the then giant Java based controller locally.

Floundered some with random enterprise access points used off of ebay that either drew too much power or were still buggy (netgear was the worst).

Then I came across Mikrotik. Their hardware and conformance is somewhat dated, but I've never had anything run so stable. Haven't looked back and been going on 4 years now.
speeder, about 4 years ago

I wonder why their legal department would PREVENT them from saving their users.

What legal reason would exist for that? I thought legal would instead force them to save their users, since otherwise they would risk getting sued by all of them for all the damages caused or something.

Replies not loaded: #26638548, #26638995, #26639012
EvanAnderson, about 4 years ago

I wonder how difficult it would be to implement a rudimentary controller for their APs. The WLAN configurations are just text files in the /etc directory. Getting feature parity would be a lot of work, but I bet the bar isn't too high for simple functionality. Most of the "magic" is happening in hostapd on the APs anyway.

Replies not loaded: #26652350
exabrial, about 4 years ago

If they had stayed with the on-premise model, this would have never happened.
outerspace, about 4 years ago

The most disconcerting part for me is the fact that the attackers gained full access to one of the administrators’ LastPass account. I would love to know how that happened.
neartheplain, about 4 years ago

Don’t have time to dig into this right now, but I have a Ubiquiti WiFi AP at my home behind a NAT; does this breach mean my home network is vulnerable/effectively exposed to the Internet? Do I need to log off HN and deal with this now, or can it wait?

Replies not loaded: #26640497, #26639173
okigan, about 4 years ago

Ran into this [1] issue with Ubiquiti and Stripe integration. Short story: Ubiquiti integration insists on sending credit card numbers directly to Stripe (vs using a more secure method).

The issue has been there for 2 years -- which is beyond odd. When I've reached out to tech support the issue was effectively closed as a known issue.

[1] https://community.ui.com/questions/Tokenization-for-Stripe-IS-A-MUST/c8683590-23d0-4395-acef-072cd06ea456
xyst, about 4 years ago

I was looking at upgrading my home networking equipment with Ubiquiti, but with the breach and the hidden advertisements in their products, I have ultimately decided against it. They have lost $1000s of dollars in potential sales (from me anyways).

Guess I will just have to go bargain hunting on the used enterprise market, or just ask my BigCorp networking team to see if they sell or give away any of their equipment and try to repair it myself. My only concern would be noise generation and power consumption since they were built for use in data centers.
buildbot, about 4 years ago

Wow, went from probably not buying their hardware again to immediately needing to remove it in like a single day!
xoa, about 4 years ago

I wish I could say I was surprised :(. Along with a bunch of other people who've used their products for a decade or more now, I've been watching the ever steepening downward spiral of the company really becoming noticeable over the last 3-4 years. In an academic way, it's actually been kind of fascinating to watch happen in real time over the course of years with fairly front room seats. Seeing the deepening technical debt (lots of very old hardware still sold as new with no replacements in sight, inability to migrate their frameworks or keep their sources up to date and more), bikeshedding ramp up and up, the forums start to fall apart, marketing starting to write more and more checks development couldn't keep up with and then that getting brushed under the rug (the SHD and its dedicated security radio comes to mind), the forums getting nuked entirely in favor of a horrible New Web thing with even worse bug/feature tracking than before and there wasn't any proper one before, ever worsening stability, universally hated UI changes that would just get shoved through anyway, and on and on. It's been everything one reads about, "Ubiquiti's Burning Platform" and all that, and in turn seems like it should be avoidable. Yet on it ground with sickening inevitability. It's just now finally starting to reach critical mass and become visible to the more general public, spreading through the same tech grapevine that gave them such a boost in the first place.

But less academically it's depressing as hell too, because the grapevine liked them for good reason and there still isn't any drop in replacement. Their p2p/p2mp gear is still solid. And UniFi was a wonderful concept solidly executed. It also eschewed the subscription/cloud bullshit so many other players are chasing, which indeed is something of a saving grace here. While there is a cloud option, lots (if not most) people can and do run their UniFi networks completely self-hosted even for remote sites. The single pane of glass, ease of provisioning and recovery, etc made sense and saved time. And they had an incredibly enthusiastic and supportive community, like when they asked about moving L3 switching way back on the old forums (back when the rot was in its earliest stages and not clear yet) they got huge amounts of feedback, their beta testing had many people putting in a lot of good work.

Such a damn stupid waste. And the nature of the beast for tech infrastructure is that market signals are always behind the curve and thus muted until things are already getting to be too late. Robert Pera also owns the majority of their stock IIRC so there isn't any way to effect an outside management change there either. It is odd to me that nobody has sought to go after them directly and aggressively, though I heard rumblings late last year that Cisco was giving a go at something clearly aimed right at the UniFi market (no subscriptions like Meraki)?

At any rate, final straw for me on routing was the flop their "UXG" has been, I finally gave up at long last and began migrating everything to OPNsense a month back. And once the single pane of glass is broken, the barrier to start moving more drops in turn and network effects (harhar) begin to go into reverse. I'd still be happy if they somehow recovered, but if they do I think it'll be a long time. Problems that build for years tend to take years to reverse too, if they can be. I hope we get some stories someday internally on how it all went down.
eqvinox, about 4 years ago

I am extremely relieved none of our Ubiquiti devices are set up for this cloud shit. (We use the PtP stuff, not the APs, the cloud bits are optional there.)

Then again we have a "clear skies" policy & wouldn't have bought anything that requires cloud blah. (Which covers a whole bunch of other vendors too, looking at you Cisco "SmartLicense")

Replies not loaded: #26641273
cmurf, about 4 years ago

It's not just incompetency, it's malice, to treat your own customers in this fashion. But this is what happens when there are consistently no consequences for these kinds of breaches. Neither government nor market punishes these kinds of events in any meaningful (cost penalty) way. All the cost is shouldered disproportionately by victims.
robbiet480, about 4 years ago

> According to Adam, the hackers obtained full read/write access to Ubiquiti databases at Amazon Web Services

Not good!
kuon, about 4 years ago

I have some unifi cameras and unifi video on a Linux box, and they are phasing out unifi video. I don't want to move to the cloud offering. Is there a way to use the hardware with open source software?
zelon88, about 4 years ago

Also interesting and noteworthy is it appears that today, just 7 hours prior to this Krebs article, an investigation was launched into Ubiquiti for potential securities fraud.

http://www.globenewswire.com/news-release/2021/03/30/2201903/23044/en/SHAREHOLDER-ALERT-Ubiquiti-Inc-Investigated-for-Possible-Securities-Laws-Violations-by-Block-Leviton-LLP-Investors-Should-Contact-the-Firm.html
spockz, about 4 years ago

How can you see whether you have been affected or whether they have poked around your setup and maybe even left something behind? Theoretically you can’t really trust anything on your network anymore.
nemesisdesign, about 4 years ago

For those using OpenWRT looking for a central controller which can be installed on-premise: https://openwisp.org/
gorgoiler, about 4 years ago

It seems naive to want to talk to the press under a pseudonym, Adam in this case.

When looking for leakers, internal security auditors don’t need proof you are Adam in order to fire you. They just put enough pressure on the most likely Adams such that they quit.

You will be one of them. If another Adam does so, so be it. Your actions likely flushed the other leaker when you thought you were the only one. You won’t be able to handle the pressure. Neither could she.

Adieu, Adam, et al.

Replies not loaded: #26642770
post_break, about 4 years ago

Verkada, now Ubiquiti, yikes. Also according to this leaker, it seems like they tried to cover it up before letting the public know. They are on my blacklist now.
busymom0, about 4 years ago

> Ubiquiti’s stock price has grown remarkably since the company’s breach disclosure Jan. 16. After a brief dip following the news, Ubiquiti’s shares have surged from $243 on Jan. 13 to $370 as of today. By market close Tuesday, UI had slipped to $349.

Until these companies are held massively accountable for such negligence, nothing will change. Similar to what happened to Facebook and all they had to do was pay chump change fines.
potatoman2, about 4 years ago

For those who don't remember, this is the same company that was bilked $46 million in an email spoof attack.

https://www.theregister.com/2015/08/09/ubiquiti_stung_by_email_spoofing_fraud/

They're used as a bad example in my annual corporate infosec compliance training.
TristanBall, about 4 years ago

This, plus the advertising thing, plus their weak firewall & wan feature set means they've lost me as both a customer and an advocate.
gautamcgoel, about 4 years ago

Wow, this is huge. I wonder if the attacker was a state actor, and if so, what their intended mischief is.

Replies not loaded: #26638910
commonoddity, about 4 years ago

DrayTek!! Why haven't they been mentioned yet? All the comments are openwrt, Mikrotik, Linksys...

Replies not loaded: #26642893
abledon, about 4 years ago

> Adam says the attacker(s) had access to privileged credentials that were previously stored in the LastPass account of a Ubiquiti IT employee.

So the laptop probably had some malware/keylogger on it that was able to pick up some data in the lastpass browser extension or something?

Replies not loaded: #26638756
mrslave, about 4 years ago

What is good cheap consumer gear for putting OpenWRT on? Similar to what the WRT54G was, back in the day.

Replies not loaded: #26642940, #26641894
dataminded, about 4 years ago

Thank you Adam. You saved me thousands, I was seriously considering a network upgrade.
greggman3, about 4 years ago

Is there a market for good networking equipment? If Ubiquiti was it and it's gone, and reading this thread there are no good alternatives, then it sounds like there is an opportunity for a new company.
JustSomeNobody, about 4 years ago

> Ubiquiti’s stock price has grown remarkably since the company’s breach disclosure Jan. 16. After a brief dip following the news, Ubiquiti’s shares have surged from $243 on Jan. 13 to $370 as of today.

Why? Coincidence?
samcat116, about 4 years ago

This whole thing shows how tech such as passwordless, device trust, approval flows, should be in place at basically any company. And your cloud accounts need to be hooked up to your SSO with said features.
qwerty456127, about 4 years ago

IMHO there should be a default paragraph text font size specified in the browser settings and all the other styles should be derived from it given just coefficients specified in the page CSS.
crocsarecool, about 4 years ago

I reached out to Ubiquiti because we never got an email to rotate our passwords, and they told me I wouldn’t get an email unless I was using “Ubiquiti verified SSO.”
lazyweb, about 4 years ago

Yeah, my few Unifi devices (and the controller SW instance) are already restricted to their own VLAN, but I'm going to disable outgoing internet access as well.
amzans, about 4 years ago

The scope of this breach is frightening.

Would be great to better understand how the Lastpass credentials got leaked in the first place.

Anyone found any comment on that?
Tabular-Iceberg, about 4 years ago

Are you affected even if you never pressed the "Add to UNMS Cloud" button?

I never did because I thought it looked like asking to get pwned.
hda111, about 4 years ago

I just wanted to replace all my UniFi APs at home with the new UniFi-6 series. But this won’t happen after reading this article.
mjfl, about 4 years ago

Is internet of things useful for anything except being a major security vulnerability you could trick an enemy into installing?
markwillis82, about 4 years ago

Was days away from refitting my home out with £2,000 of gear. Any other recommendations for routers, wifi and security cameras?

Replies not loaded: #26638858, #26638731, #26639434, #26638752, #26639339
GekkePrutser, about 4 years ago

Wow, I'm glad I'm not using their cloud option at all. I still have one of the old USGs. So I never had to.
tjoff, about 4 years ago

Is there any reason to worry if you run a local controller that doesn't have any connection to a cloud account?
accountofme, about 4 years ago

OK, well ubiquiti is dead to me now. Good news for me, their unifi line of aps is supported by openwrt... :)
wnevets, about 4 years ago

Is it just me or are you no longer able to avoid the cloud with the latest software updates for unifi?

Replies not loaded: #26642767, #26639807
jeffhodge, about 4 years ago

Kinda strange that they'd ask for a ransom in Bitcoin and not something fully anonymous..
Arrath, about 4 years ago

Shit, I had plans to refresh the network infrastructure in my parents' place with a full ubiquiti setup to replace the years of added on junk.

Replies not loaded: #26638673
eyeareque, about 4 years ago

How many of you would be surprised to hear that 99% of companies have similar security gaps? These problems happen literally everywhere.
jbm, about 4 years ago

Say what you want but my cheap old Linksys router never leaked my passwords.
rrauenza, about 4 years ago

What's your exposure if you had a cloud key enabled for remote access, but now disabled? Sounds like anything is possible if they compromised the cloud key (which is a device, not a "key")
logicslave, about 4 years ago

But the routers have a nice user interface!

Replies not loaded: #26638539
dandare, about 4 years ago

Why is the blog not adapted to mobile screen readability?