This company is a disaster it seems, and I have just set up my whole home infrastructure and home security around their products...
They were the most recommended brand when I was shopping for new stuff a year ago.
I picked up an EdgeRouter and none of the cloudkey/unifi stuff. I initially felt like maybe I should have picked the unifi gear and maybe a dumb switch, but now I don’t regret the EdgeRouter. Couldn’t be happier with it.
I don’t trust anything that tries to solve the “firewall problem” by setting up a cloud service for what should be a local appliance.
I always thought that the main selling point of their devices was that you can run your own Ubiquiti server at home and keep everything local? They are always portrayed as the not-so-shitty IoT company.
If you don't have remote access enabled and aren't running their surveillance camera software, it is not clear to me that there is any risk to the customer from this event (outside of the source code being used to generate new exploits). It doesn't sound like the attackers were able to abuse automated firmware update functions, and losing credentials to a UI account has no impact on users running cloud key locally without remote access enabled.
Right. I would never have any device like a camera be directly connected to the internet and instead cut off that device from the internet in my router software and only access it from outside via a VPN.
Not that this whole screw-up should be excused in any way or downplayed.
I bought one of their security cameras to act as a nursery cam last year, which I could later convert into a home security camera.
The 'in house' software, unifi-video, was discontinued 3 months after I got it set up. All of the apps I use to connect to the system have been pulled from the app store, and you now have to use their camera controller for the one camera, vs the software I'm running on my linux box.
Their controller is much more limited, and many, many security camera installers were caught off guard with no path forward for their customers. It's a nightmare of a shitshow and I would never in a million years recommend Ubiquiti as a company at this point.
I now use the camera in direct rtsp mode. This way it can be used by any rtsp tool including video recording and the lot. For the nursery camera I just use IPCams on iOS on an iPad.
Yep, I also use their cameras as baby monitors. RTSP mode to VLC on an old chromebook as an always-on monitor.
The Protect app works pretty well now assuming you have a controller to connect to, but the time between the Video app shutting down and Protect actually working properly was very frustrating. I would never trust the Protect app to stay connected while I'm asleep, though. It's definitely not stable enough for that.
The very first night I got the camera set up was the night that there was a Level 3 outage and major internet snafu, making it so that I couldn't actually get into the app to view the camera. RTSP mode sounds pretty good at this point with only one camera.
(Ignoring the fact that Ubiquiti marketed these cameras as having a speaker, when, in fact, you cannot send audio to the camera, only that it makes noise on its own)
I guess the concern here is if your VPN was provided by Ubiquiti then you might have an issue.
My approach has been an isolated (read basically no internet) LAN, bridged by a small PC running hardened and locked down Linux. There's no egress from the LAN. VPN access to this LAN goes via the PC under my control, which itself has access to the wider internet via its second interface.
This approach is nice as I don't have to trust any router vendor or proprietary software vendor to be competent, by relying on their equipment to control internet access for devices. Although I recognise this is probably inconvenient for users, none of this is really too impractical - a bit of adverse publicity for cloud and "internet connected", and I could see properly firewalled, egress blocked networks taking off...
(I am more concerned about egress than ingress, because it's the biggest gap most people forget about, and most people just rely on NAT to stop ingress, forgetting any device can phone home anywhere, and they're not monitoring... I don't even allow DNS on that network. IoT that can't handle this just doesn't get in the door)
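The egress-blocked LAN described in the comment above, written out as an nftables ruleset. This is an added example, not the commenter's own configuration; the interface names are assumptions (iot0 is the isolated LAN, wan0 the internet uplink, wg0 the WireGuard interface used for admin access), and devices on iot0 are assumed to have static addresses since the gateway offers them no DHCP or DNS. Every dropped packet from the IoT side is counted and logged, which is the monitoring the comment says most people skip.

```shell
#!/bin/sh
# Added example: nftables ruleset for an isolated IoT LAN with no egress.
# Assumed interfaces: iot0 = isolated LAN, wan0 = uplink, wg0 = WireGuard.
# Assumption: IoT devices use static IPs (no DHCP/DNS served to iot0).

iot_egress_ruleset() {
    cat <<'EOF'
table inet iot_isolation {
    chain forward {
        type filter hook forward priority 0; policy drop;

        # replies to connections the admin opened toward the IoT LAN over the VPN
        ct state established,related accept
        ct state invalid drop

        # only path into the IoT LAN: admin traffic arriving over WireGuard
        iifname "wg0" oifname "iot0" accept

        # anything the IoT LAN initiates toward any other network is logged and dropped
        iifname "iot0" log prefix "iot-egress-attempt: " counter drop
    }

    chain input {
        type filter hook input priority 0; policy drop;

        ct state established,related accept
        iifname "lo" accept

        # the gateway serves nothing to the IoT LAN: no DNS, no NTP, no management UI
        iifname "iot0" log prefix "iot-to-gateway: " counter drop

        # WireGuard handshakes from the internet; SSH only from inside the VPN
        iifname "wan0" udp dport 51820 accept
        iifname "wg0" tcp dport 22 accept
    }

    chain output {
        # the gateway itself may reach the internet via wan0 (policy accept)
        type filter hook output priority 0; policy accept;
    }
}
EOF
}

# Write the ruleset to a file so it can be reviewed and loaded with: nft -f <file>
write_ruleset() {
    iot_egress_ruleset > "$1"
}

# Load it (flushes the previous copy of this table first); requires root and nft.
apply_ruleset() {
    nft list table inet iot_isolation >/dev/null 2>&1 && nft delete table inet iot_isolation
    iot_egress_ruleset | nft -f -
}
```

Load with `apply_ruleset` as root, then watch `nft list table inet iot_isolation` for rising drop counters or the kernel log for the `iot-egress-attempt:` prefix; a device that keeps hitting that rule is one that cannot live on this network.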
I can't speak to the newer UniFi garbage, but the selling point for their Edge network products was that you could have Cisco-ish managed switches and routers without paying the absurd prices for ASICs, licenses, ios upgrades, parasitic middleman distributors, etc.
Just finished setting up my Ubiquiti-based home network that includes a dream machine, 6 access-points, and a wireless bridge to an outbuilding. All told about a $1,500 investment I made because I thought I was investing in "best-in-class" hardware and software.
I've done the same, with the only difference being that I bought the stuff a few years back. I never enabled cloud management nor remote access though so I think I'm OK for now.
Not buying any more hardware from them though, unless things significantly change.
I almost did the same thing, but it was clear a year ago that they were moving towards "cloud based" services, something I didn't want to participate in. Looks like it was a good decision, in retrospect.
Ended up with some used Cisco equipment aimed at the small business segment. Similar-ish price to new Ubiquiti gear, and I've spent essentially 0 time maintaining the stuff beyond initial setup. Still don't have APs set up though, I've just been making do with what I had laying around.
We should be clear here that there are multiple types of "self-hosted". Ubiquiti makes essentially little (weaker) Raspberry Pi devices with PoE that are dedicated to just the controller, and a few years back they also forced their (garbage) "Protect" onto their hardware only. They (confusingly) call these "Cloud Keys", though they have nothing to do with the cloud. However, you can also get 100% standalone versions of the Controller that will run on any server or VM you've got, Linux, Windows, or Mac. This is just the Java 8-based controller software and that's it, and you can lock those down arbitrarily hard for any WAN access same as any other LAN network software, no general internet access is needed at all and no firmware is involved.
A lot of people quite reasonably got CKs seeing them as very easy ways to have a low power always on local controller since they didn't have some other server running 24/7 already. If the firmware on those was updated to require tie-in to Ubiquiti's SSO that's a horrible betrayal. But I'm confident in saying the full standalone Controller doesn't since I have mine locked down from any general net access, remote L3 management was done to IP only at the firewall and I've been switching to just putting it all through WireGuard.
I have a few Ubiquiti devices I haven't updated in months, that don't use any cloud accounts, and I used to run their controller software in a container that I only started when I needed to administer something. But now I guess I'm never updating and will be looking to get rid of all their equipment.
What an incredibly consumer hostile and incompetent company. Shame, because the hardware pretty much works reliably.
I'm a bit confused by this. I run a UniFi Controller in a docker container, have a few APs and a router, and everything works fine. No cloud stuff going on here.
Am I just lucky or something that I haven't been forced to the cloud yet, or is it something I am missing here?
I have a cloud key with no cloud access. It's just that cloud access is the user directed workflow for sure. Setup without cloud access was not clear at all [1].
[1]: I don't even remember the steps, to be honest!
Hmm, even the self-hosted SW can use SSO from cloud... so I'm now worried that our equipment is still vulnerable by whatever system allows cloud logins.
It’s increasingly hard to find providers that don’t though. The advantages of global management software are pretty high & the easiest way to implement that is the cloud.
Wasn't really a "cloud" hack so much as a hack of a root user. How they accessed that root user's credentials is not detailed. Phishing? Hardware hack? Dumb root user and it was possible to guess his/her credentials? Could even be that that particular root user was in on it with them, for all we know?
In any case, this sort of a hack of any other company's root users would result in the same spectacularly catastrophic pwnage. That your root users have root access on your own machines won't help you.
What they need is to structure their security properly. I'm not sure why this user needed root access to everything globally for instance? That seems wrong to me at first blush, but it could be a matter of me not understanding their business model.
The reason people are bringing up cloud is because it's what affects them. If you have (cloud) access through a company to local devices and that company is hacked then that could be a very wide pathway into your local setup. The company being hacked and related implications is still not great for a huge list of reasons but it's the possible local breaches that are more of a worry for a lot of us.
Ubiquiti has recently been pushing their cloud setup (to the point that you can't set up a local controller without setting up a cloud account*); that's why it's so annoying.
*There is probably a way but the last time I tried I couldn't find it in setup and so installed using a previous version.
Our "CTO" was told only last week by someone from the company that helps us with ISO 27001 that we shouldn't use whatever we've got, but get Ubiquiti instead, because it was safer...