Is this a situation where one company decides to break from the pack and care a little about security and then social media dogpiles them for not doing more?
> Is this a situation where one company decides to break from the pack and care a little about security and then social media dogpiles them for not doing more?
I believe they did something like force cloud-login with some software update a few years back.
I have some Ubiquiti stuff, and it works fine. I've been meaning to look deeper into all this, but I just haven't had the time. I just stopped updating the controller software (none of their gear is external-facing, and IIRC it's only needed for configuration/management) because cloud login is an absolute dealbreaker for me.
> I believe they did something like force cloud-login with some software update a few years back.
No, what they did was update the software to prefer cloud-login and push you to set it up during onboarding for new products because they use cloud-login for remote management and anti-theft/device tracking.
It's always been entirely optional. I just set up a new network because I moved and gifted my previous network to the buyers of my prior home. I'm still using local accounts only with no remote management, and it works perfectly fine on the latest generation of Ubiquiti gear with the latest firmwares. The only thing I log in to my UI account for is to use the store and buy hardware.
The other thing with Brian Krebs was a faked security incident by an insider who was trying to extort money from Ubiquiti and Brian Krebs played the fool by assisting them.
Granted, there are /many/ issues I have with Ubiquiti, but generally speaking if you use local accounts and keep the firmware updated it is no worse than any other edge networking device exposed to the Internet.
> No, what they did was update the software to prefer cloud-login and push you to set it up during onboarding for new products because they use cloud-login for remote management and anti-theft/device tracking.
Was that all? Did they add telemetry or something else? I had read that I'd need to edit some text config file or something to opt-out of something I didn't want, because they provided no option in the UI.
> I just stopped updating the controller software (none of their gear is external-facing, and IIRC it's only needed for configuration/management) because cloud login is an absolute dealbreaker for me.
Yeah. Updates used to be a nightmare. I had to worry about Windows updates, Java updates, and of course Unifi updates.
I have 21 APs all controlled by the container on a Raspberry Pi 4. It's not even breaking a sweat. When I want to upgrade the Unifi application, I stop the container, and re-run the command to use the newer Unifi version. Three minutes later, it's back on the air.
You can turn off the remote login. It's encouraged as the default, but not necessary.
Even the local login, from a device on the network, can be set up to require two-factor auth. That alone makes it more secure than a lot of consumer-grade stuff which only requires a password, which is often never changed from the default.
I'm happy with my Unifi Dream Machine as a one-device home network. I thought about getting rid of it a while back when some bad press about Unifi security was published, but it turns out it was fake news and Brian Krebs has lost all credibility in my eyes for continuing to promote it even after it was debunked.
No, I think GP is referring to their big data breach last year[0]. From TFA linked in that discussion:
> the attacker(s) had access to privileged credentials that were previously stored in the LastPass account of a Ubiquiti IT employee, and gained root administrator access to all Ubiquiti AWS accounts, including all S3 data buckets, all application logs, all databases, all user database credentials, and secrets required to forge single sign-on (SSO) cookies.
It has shaken a lot of people's confidence in Ubiquiti's internal security practices.
I wonder if you saw the update to the article in the discussion you linked? The attacker was a software engineer who worked at Ubiquiti. I think it's fair to criticize any internal controls that allowed a single engineer to have this amount of access, but from other discussions[1] it sounds like he was unique in this organization.
I think the mixed reviews are from HN where people are complaining about their security posture (for good reason).