Ex-Ubiquiti employee here. I barely recognize the company any more. The company always had problems but we had a lot of smart and hard working people in the early days. People are always amazed when I tell them how small the company was when we made Ubiquiti and UniFi into household names among nerds.<p>Some of those people remain. UI-Marcus in that link is a good person. The company went into a steady decline after the CEO started centering the company around the offices in Portland and China. Portland was home to the UX designers who wanted to redesign everything to look nicer but didn't understand how customers used our products. Portland was also home to Nick Sharp, the cloud lead who tried to extort the company and lied to the press about hacks. The favorite office in China made the FrontRow product, which failed so badly that I doubt anyone has heard of it. These people were supposed to be the future leaders of the company, but everything they did was a disaster. We could all see the writing on the wall and left. Well, almost everyone.<p>I don't even know which Ubiquiti office owns the cloud any more because everyone working on cloud at Ubiquiti either quit or was laid off after the cloud lead went to prison for extorting the company.<p>I hope the company can get back on track some day. It's sad to see all of our old work decay like this.
I built a UniFi network 6 or 7 years ago. I was pretty excited, as the hardware seemed properly solid. A touch expensive, but I was expecting it to run forever, essentially.<p>The hardware was actually really good from what I could tell. Not a single issue that wasn't caused by my own misconfiguration. But the software, woof. The software was designed to do exactly one thing: look impressive to execs in a board meeting. It was nearly unusable for me. I don't recall any specifics, but all you really need to know is that it took multiple days to get a simple home network with a single AP and a single router set up. It was so much effort just to log in to the damn thing.<p>I went into this project excited at the prospect of all the cool monitoring and analytics I could do. Fancy security and remote access and whatnot. After I finally got everything configured, I never touched it again. There were a few times when I needed or wanted to get into it, but I couldn't remember the specific incantation and combination of software needed to access it, so I just didn't.<p>I'd <i>love</i> to have a solid system built on quality hardware. UniFi is notionally exactly what I want, and exactly what a <i>lot</i> of hackers and tinkerers want. But the quality of your hardware is pretty much irrelevant if your software wasn't designed to be used by humans.<p>So I'm stuck using consumer routers with open firmware. It's fine I guess.
Also on r/Ubiquiti:<p><a href="https://old.reddit.com/r/Ubiquiti/comments/18hgpw1/security_problem/" rel="nofollow noreferrer">https://old.reddit.com/r/Ubiquiti/comments/18hgpw1/security_...</a><p><a href="https://old.reddit.com/r/Ubiquiti/comments/18hs684/no_official_announcement_on_security_breaches/" rel="nofollow noreferrer">https://old.reddit.com/r/Ubiquiti/comments/18hs684/no_offici...</a>
The cloud is like those portable toilets in public. They are private, but there are also people around you at all times. Sometimes you forget to lock the door and someone else opens it.
Do they by any chance use a CDN for their cloud console? This has burned organizations so many times before where they cache the dynamic data and not static data.
For anyone with a UDMP looking to disable remote access via UniFi servers, the setting isn't under the Network application, it's part of the higher level console management:<p>Console Settings (menu on left) -> Advanced (heading) -> "Remote Access (checkbox)"<p>Or via:
<a href="https://$UDMP_IP/console-settings" rel="nofollow noreferrer">https://$UDMP_IP/console-settings</a><p>(Hopefully the setting applies locally...)
The real question here for me is: why is my data not flowing through Ubiquiti's servers end-to-end encrypted?<p>They should be able to accidentally send my data to another user and have it merely result in a decryption failure.
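An added illustration of the property this comment asks for (not code from the thread or from Ubiquiti): when each customer's data is encrypted under a key that only that customer holds, and the recipient identity is bound into the authentication tag, a blob misrouted to another customer fails authentication instead of being readable. The construction below is built from the standard library only (HMAC-SHA256 keystream in counter mode plus an encrypt-then-MAC tag over recipient id, nonce and ciphertext); the user ids, keys and payload are constructed for the example, and a real deployment would use an established AEAD such as AES-GCM or ChaCha20-Poly1305 rather than a hand-rolled scheme.

```python
import hashlib
import hmac
import secrets

NONCE_LEN = 16
TAG_LEN = 32


class DecryptionError(Exception):
    """Raised when the tag does not verify: wrong key, wrong recipient, or tampering."""


def _subkeys(key):
    # Derive independent encryption and MAC keys from the customer's key.
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"mac", hashlib.sha256).digest())


def _keystream(enc_key, nonce, length):
    # Counter-mode keystream: HMAC(enc_key, nonce || counter) blocks, truncated.
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt(key, recipient_id, plaintext):
    """Encrypt-then-MAC; recipient_id is authenticated (like AEAD associated data)."""
    enc_key, mac_key = _subkeys(key)
    nonce = secrets.token_bytes(NONCE_LEN)
    ks = _keystream(enc_key, nonce, len(plaintext))
    ct = bytes(a ^ b for a, b in zip(plaintext, ks))
    tag = hmac.new(mac_key, recipient_id + nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(key, recipient_id, blob):
    """Verify the tag first (constant-time), then decrypt; never return unverified data."""
    enc_key, mac_key = _subkeys(key)
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, recipient_id + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise DecryptionError("authentication failed: wrong key or wrong recipient")
    ks = _keystream(enc_key, nonce, len(ct))
    return bytes(a ^ b for a, b in zip(ct, ks))


def misrouting_outcome():
    """Simulate the server handing alice's blob to bob's client.

    Returns (plaintext recovered by the rightful owner, whether bob could read it).
    Keys are constructed per run; in a real system only the customer holds them.
    """
    keys = {b"alice": secrets.token_bytes(32), b"bob": secrets.token_bytes(32)}
    payload = b"console: udm-pro-home; site credentials elided"  # constructed sample
    blob = encrypt(keys[b"alice"], b"alice", payload)

    rightful = decrypt(keys[b"alice"], b"alice", blob)  # correct delivery
    try:
        decrypt(keys[b"bob"], b"bob", blob)              # misrouted delivery
        leaked = True
    except DecryptionError:
        leaked = False
    return rightful, leaked


if __name__ == "__main__":
    recovered, leaked = misrouting_outcome()
    print("owner recovers:", recovered)
    print("misrouted copy readable by other user:", leaked)
```

The point of binding `recipient_id` into the tag is that even a client which somehow held the right key but was told the blob belonged to a different account would refuse it; the server only ever sees opaque bytes, so a routing or caching mistake on its side degrades to a failed decrypt on the wrong client rather than a disclosure.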
I really wish there was an open source equivalent that’s user friendly. I run OPNSense but the learning curve is steep and I wouldn’t recommend it to family because of it. I’ve been debating Firewalla but this same issue can happen since the control panel is cloud based.
Put it on the cloud they say...<p>Reminds me of that time someone at Dropbox pushed a change onto production that ignored your password, so you could log in as anyone with any password...
When people ask me why I don't use Ubiquiti products, and I tell them that I don't trust companies with closed/proprietary offerings with something as critical as this, I get a lot of skepticism and even eye-roll. Open source isn't a silver bullet, but if I were self-hosting my own "cloud" controls I wouldn't be worried about something like this.
Navigate to your router's IP, go to Console Settings, scroll to Advanced and un-check Remote Access:<p><a href="https://i.imgur.com/RzXpT6Q.png" rel="nofollow noreferrer">https://i.imgur.com/RzXpT6Q.png</a><p>After doing that, you can't access your router remotely from The Cloud, (well, you can log in over the VPN, remote into a computer on-site, and access the router from that computer) but you're secure against a whole class of bugs and errors in Someone Else's Computer.
Hmm, I should upgrade my wifi next year. Right now I have an oldish Ubiquiti AP that does its job without bothering me, but it's from before the cloud insanity.<p>Have they seen the light and made their devices usable without ever logging into their servers? Last time I asked this question the 'cloud' was unavoidable during the initial set up but could be turned off later. This doesn't look like enough to me. I want a damn access point that doesn't talk to anything outside my network.
My parents live in another country, and I want to set up some network equipment at their house so that I can coordinate their network if they get into trouble, and to support cameras as one of them has become high-care. My dad also has some complex data. I intend to install a rackmount server for him so that I can help him with data problems from time to time.<p>For network equipment, I have a fair bit of experience with datacentre grade equipment, but none in the consumer space. I think I want this:
1. Good quality.
2. Fanless
3. Drives multi-node wifi APs
4. Control cameras
5. Web interface that parents can use.
6. Cisco-like CLI that I can use.
7. No cloud.<p>The unifi equipment seems to fit all criteria above except the last two points. Seems you cannot make permanent changes from the console, and their offering is oriented towards cloud configuration. Would someone who knows the segment be happy to offer advice? (thanks in advance)
One possible explanation for this can be a mistake in caching. While it is tempting to log in and see if you can see other people's consoles... that just might put you in the cache for someone else to see.<p>There is no way for us to know what is causing the bug and what will help without official word from Ubiquiti, but logging in can only possibly hurt and won't help.
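An added toy model of the caching mistake described in this comment and in the earlier CDN comment (not code from the thread, and nothing here is Ubiquiti's implementation): a shared cache sits in front of a per-user endpoint and keys responses only on the URL. In the misconfigured mode it stores the first user's dynamic response and hands it to everyone who requests the same path afterwards, which is also why "just logging in to look" can populate the cache with your own data. The corrected mode honours `Cache-Control: private` / `no-store` on dynamic responses while still caching public static assets. The session ids, user names and console names are constructed for the example.

```python
from dataclasses import dataclass, field

# Constructed origin data: which user each session belongs to, and their consoles.
SESSIONS = {"sess-alice": "alice", "sess-bob": "bob"}
CONSOLES = {"alice": ["udm-pro-home"], "bob": ["udm-se-office", "udr-cabin"]}


@dataclass
class Response:
    headers: dict
    body: str


def origin(path, session):
    """Origin server. Per-user responses are marked private/no-store; static assets are public."""
    user = SESSIONS.get(session)
    if user is None:
        return Response({"Cache-Control": "no-store"}, "401 unauthorized")
    if path == "/api/consoles":
        return Response({"Cache-Control": "private, no-store"}, ",".join(CONSOLES[user]))
    if path == "/static/app.js":
        return Response({"Cache-Control": "public, max-age=3600"}, "console.log('app')")
    return Response({"Cache-Control": "no-store"}, "404 not found")


@dataclass
class SharedCache:
    """A CDN-style cache shared by all users, keyed on the request path only."""
    honor_private: bool            # False reproduces the misconfiguration
    store: dict = field(default_factory=dict)

    def fetch(self, path, session):
        hit = self.store.get(path)
        if hit is not None:
            return hit                              # served without consulting the session
        resp = origin(path, session)
        cc = resp.headers.get("Cache-Control", "")
        shareable = "private" not in cc and "no-store" not in cc
        if shareable or not self.honor_private:
            self.store[path] = resp                 # the bug: storing a per-user body under a shared key
        return resp


def console_listing_seen_by(honor_private):
    """alice logs in first, then bob. Returns the bodies each of them sees."""
    cache = SharedCache(honor_private=honor_private)
    alice_sees = cache.fetch("/api/consoles", "sess-alice").body
    bob_sees = cache.fetch("/api/consoles", "sess-bob").body
    return alice_sees, bob_sees


def static_asset_is_cached(honor_private):
    """Static assets should still be cached in the corrected configuration."""
    cache = SharedCache(honor_private=honor_private)
    cache.fetch("/static/app.js", "sess-alice")
    return "/static/app.js" in cache.store


if __name__ == "__main__":
    print("misconfigured:", console_listing_seen_by(False))
    print("corrected:    ", console_listing_seen_by(True))
```

Keying the cache on the session cookie (a `Vary: Cookie` style rule) would also stop the cross-user leak, but the more robust fix is on the origin: any response that depends on who is asking must say so in `Cache-Control`, so that every intermediary, not just one correctly configured CDN, refuses to share it.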
<i>Random fact</i>: Ubiquiti is publicly traded, yet Pera owns 90%+ of it, meaning shareholders virtually have no power to push for changes. You might as well call it a privately held company, lol.
Feels like the issue Steam had with caching <a href="https://securityaffairs.com/43189/security/steam-users-data-exposed.html" rel="nofollow noreferrer">https://securityaffairs.com/43189/security/steam-users-data-...</a>
Remote access anything should be banned. Just use a VPN/wireguard.<p>Reverse control is such a mess and the application is not the place to handle this
This place has quite a rap sheet.<p><a href="https://news.ycombinator.com/item?id=29411775">https://news.ycombinator.com/item?id=29411775</a>
<a href="https://news.ycombinator.com/item?id=9331512">https://news.ycombinator.com/item?id=9331512</a>
<a href="https://www.reddit.com/r/Ubiquiti/comments/t7br4a/since_the_software_update_at_4am_all_the_switch/" rel="nofollow noreferrer">https://www.reddit.com/r/Ubiquiti/comments/t7br4a/since_the_...</a>
Easy to host the console yourself: <a href="https://help.ui.com/hc/en-us/articles/360012282453" rel="nofollow noreferrer">https://help.ui.com/hc/en-us/articles/360012282453</a>.<p>There's even a docker image for those who have trust: <a href="https://github.com/linuxserver/docker-unifi-controller">https://github.com/linuxserver/docker-unifi-controller</a>
I have a few unifi things at home, and for the most part, they've been good, and work well together. But this sort of stuff is very concerning, and forcing the cloud account on everyone is really stupid.<p>But what are the alternatives? Firewalla seems to be a good alternative, but they don't do APs, leaving me with a mixed system.
Ubiquiti has always been pushing the remote management feature pretty hard. But recently they are also making some really nice VPN features. I hope incidents like this would further change their standpoint and actually make local account access nicer.<p>There are tons of dark patterns in the Protect app that prevent you from using a local account. And when you finally learn to work around all of them, you realize that there's no push notification without remote access. (I understand the difficulty of pushing messages straight from console to mobile device, but many self-hostable software packages offer a centralized, managed push notification relay over the internet. I am not sure if this is too much to ask for.)
Ah, the beauty of cloud-connected network management. A hacker's delight...<p>And then I am the one that gets chastised for not wanting cloud-connected routers/switches in my networks.
I tried the AmpliFi mesh router several years ago and hated it. It didn't seem any better than the Arris gateway that ATT sent me.<p>Why would you have a central console that has the potential for accessing all the routers with a single login though? Why wouldn't this be just local to the network with remote access?
UI just can’t catch a break.<p>Earlier this year, some tech tabloid (krebsonsecurity?) reported how bad security was at UI. I think it was ultimately determined to be a bad story and UI sued for defamation.<p>Now we are here again with another possible leak.
It’s unlikely that simply seeing things in the main console means you’ll be able to change things if this is a caching issue. It can still expose passwords and other internal information you don’t want to get out.
Odd coincidence in that I had the same problem with Ubiquity the 401k provider several years ago. Could see most of my colleagues' 401k accounts. Never good.
Does anyone have a recommendation for a replacement? After the requirement to create a cloud account on their so-called "Pro" Dream Machine I already felt something is wrong, and after "Please don't use shielded Ethernet cables with our so-called "Professional" WiFi Access Points, they can randomly reboot"[1] and now this nonsense, I'm just simply done with them.<p>But I really like the hardware of the Dream Machine Pro (Router, Switch with 10G uplink) and the overall view of clients and connected devices, so I don't just want to buy some random Router and pair it with random WiFi APs - though I guess that's the best choice?<p>[1] <a href="https://help.ui.com/hc/en-us/articles/8823742725015-UniFi-6-Access-Point-Professional-U6-Pro-Advisory" rel="nofollow noreferrer">https://help.ui.com/hc/en-us/articles/8823742725015-UniFi-6-...</a>
So the guy makes the initial post, within an hour UI team reaches out to him to gather more info and the next post is a criticism of their handling!<p>What’s wrong with people? I think 1 hour response to a forum post isn’t unreasonable or am I wrong?