from Hacker News

Ubiquiti Networks Breach

by ShaneCurran on 1/11/21, 7:36 PM with 467 comments

  • by ex_ubiquiti on 1/11/21, 8:31 PM

    As a former Ubiquiti employee, I'm sad to watch the slow decline of the company. There was a steady exodus of engineering talent through 2020. The CEO was focused on moving to countries where engineering was cheaper and employees complained less about constant crunch mode. If you search around, you can find interviews where he brags about closing the San Jose office because he thought everyone there was too entitled.

    The saddest part is that we had many good engineers who could have continued to do amazing things with the UniFi momentum. So much time was wasted on dead end products like FrontRow. Most everyone I know left for jobs where we were treated better and paid more.

  • by bacondude3 on 1/11/21, 8:37 PM

    PSA: with Mailchimp URLs, it's best to remove the `?e=xxx` URL parameter. That way, A) you can't be identified by the sender as the person who shared the email, and B) other people can't flood your inbox by clicking the "unsubscribe" link at the bottom of the email.

    In this case, the cleaned URL that should have been posted is https://mailchi.mp/ubnt/account-notification

  • by nh2 on 1/12/21, 1:07 AM

    Regarding authenticity, from the TechCrunch article about this:

    > The networking company quickly followed its email with a post on its community pages confirming that the email was authentic, after several complained that the email sent to customers included typos.

    Indeed: How am I supposed to know whether this email is really from Ubiquiti?

    * There was apparently no official press release.

    * All links in the email, including the "Change password" button, are to e.g. `https://ui.us8.list-manage.com/track/click?u=somehexnumber&i...`.

    * The delivering server is `mail42.atl11.rsgsv.net`, which the TLD of which doesn't seem to resolve in my browser to provide hints.

    * Various news sites that reported this either just referred to "emails people got", screenshots random people got via Twitter, or link to the Mailchimp site, for which I'm not sure how to verify whether the "ubnt" account actually belongs to Ubiquiti.

    Given this, how shall the normal affected user figure out that this isn't well-executed phishing?

    It seems companies could do a much better job making it obvious that their emails are legit. Especially if they were just breached, and "Change password" buttons are involved.

  • by 3guk on 1/11/21, 8:37 PM

    I must admit - Ubiquiti has lost some of it's shine in the last few years, whilst AP and routing hardware seems to still be very good in terms of pricepoint, it does feel like the software side of things has been going in a very strange direction for quite some time.

    I'm still quite annoyed by the fact that I was forced to migrate from Unifi Video to Unifi Protect - due to vendor lock in and the fact that the remote interface for Unifi Video was switched off this month.

    I guess on the plus side - no one who is still using Unifi Video has to worry all that much.....

    Hopefully it is just a case of resetting passwords and enabling 2FA if you haven't done it already - not entirely sure how much damage could be done otherwise, unless there is an undocumented backdoor into Ubiquiti products ?

  • by ziddoap on 1/11/21, 8:17 PM

    No specific comments to the breach... But, I couldn't help but chuckle at We Take Your Security Seriously™.

    Why does every company, after demonstrating a lack of security, like to say this exact line? I can just imagine the PR person hovering over the shoulder of whoever authored the post yelling "make sure you tell the victims of this breach that we care!"

  • by exabrial on 1/11/21, 8:18 PM

    Ubiquiti has typically been the "cloudless" provider which is why I've used their stuff. They've been sorta moving in a disturbing direction for cloud control. I don't want that risk.

  • by comboy on 1/11/21, 8:19 PM

    Argh, why do I learn about this from HN when they pretty much force me through the cloud login with UDM-Pro. Nothing in the dashboard. Also I think http://unifi/ is crap from a security standpoint. Their threat management also seems to be just some kind of a bad joke.They could for example do a nice hardware based honeypot that you have to untrigger with physical access. They could offer so much more for prosumers providing sane defaults for a common case of having multitude of devices at your home which can be categorized as intruder but expect to be on the same network as your phone.

    Is there a better alternative? When I tested multiple routers mostly regarding low latency, network stability and reliability a few years ago nothing came close, especially when having multiple access points.

  • by tiernano on 1/11/21, 8:05 PM

  • by ocdtrekkie on 1/11/21, 9:14 PM

    This is why cloud login for network devices is terrible. I use an EdgeRouter at home with no cloud connection and I'm quite happy with it, but I've used UniFi in another setting, and I am not thrilled at the ease of getting internal passwords and the like set on devices from any web browser, for instance.

    Another company's network products I work with technically has a self-hosted version of their management service, but it doesn't scale down well (it expects dozens of GBs of RAM and to be running on SSD storage or it's not supported). I've regularly felt pressured to move to the cloud just to avoid the jankiness.

  • by rsync on 1/11/21, 8:11 PM

    Ubiquiti is slowly becoming Sonos.

    The difference is, their potential for bad behavior, risks and attack surface is far, far greater.

  • by ashtonkem on 1/11/21, 8:48 PM

    As someone who was planning on buying Ubiquiti hardware for their house, this breach and a lot of the comments here are disconcerting. Are there any other alternatives that are more locally managed that people would recommend?

  • by emptybits on 1/12/21, 12:17 AM

    I followed the instructions in their email: 1. change password, and 2. enable 2FA (confirm enabled in my case).

    Password change went fine. I expected existing sessions to my controller login would be terminated upon a password change. I suppose that's not mandatory but it sure wouldn't be surprising behaviour for security software IMO. It's the conservative thing to do, no?

    Nope. Already logged-in sessions (web and iOS app) remained functional when I changed the underlying password. No need to re-authenticate.

    Before I received their breach email today, the past two days I have been unable to log into my controller at all. This was being reported by others through unofficial channels at the same time (Twitter, Reddit). Ubiquiti was silent until this morning. Maybe it's just a bad coincidence.

    I'm a new Ubiquiti customer. My gear is < 30 days old. Their UniFi Dream Machine seemed to be my "dream" for a home network (AP, VPN, notifications, guests, pretty dashboard). It's probably better than the alternatives. But I'm forming a less than stellar first impression of them after this. Honeymoon over.

  • by omni on 1/11/21, 7:54 PM

    Does anyone have a better link for this, preferably one hosted on Ubiquiti's own site somewhere?

  • by cutthegrass2 on 1/12/21, 9:52 AM

    Must admit to being disappointed with recent Ubiquiti developments. The requirement to 'Sync Local Admin with Ubiquiti SSO' for controller authentication is not great.

    At least as far as I can tell, this means your local controller account requires an internet connection to reach your UI.com account, so there is no local isolation of administrative accounts anymore.

  • by rangersanger on 1/11/21, 9:00 PM

    I did a double take after clicking through- when did Unifi change their URL to UI.com? I thought this was a clever scaled phishing attempt for a second.

    Come to think of it, how many times have they changed their URL/how many are there? feels like im being trained to do something stupid.

  • by yskchu on 1/11/21, 9:40 PM

  • by robertkluin on 1/11/21, 10:04 PM

    "We recently became aware of unauthorized access to certain of our information technology systems hosted by a third party cloud provider."

    Is this an attempt to shift blame? Using wording that implies it was someone else's fault is not confidence inspiring.

  • by bluedino on 1/11/21, 8:42 PM

    Ubiquiti is in a weird market, where they are better than Linksys/Netgear etc, but they are crap compared to something like Meraki.

    Their support isn't very good (they point you to a forum), their hardware replacement is spotty (sorry, out of stock, you'll have to wait!), and their hardware/software is buggy. We had 48 port switches that would randomly reboot, for example.

    They can be a decent solution for SMB wifi, but that's as far as I would go. Nothing mission-critical unless you are willing to make compromises you wouldn't have to with a bigger vendor.

  • by 29athrowaway on 1/11/21, 9:22 PM

    The Ubiquiti Cloud Key is the worst product I have ever purchased.

  • by teekert on 1/12/21, 9:25 AM

    I use the LinuxServer.io Unify controller docker container, it updates very often and everytime it asks me if I want to share data. It feels so dirty, my lan traffic is so personal and I meant to upgrade security and privacy by switching away from my ISP provided modem/wifi. I'm beginning to regret this decision and maybe should have chosen another solution.

  • by wnevets on 1/11/21, 8:49 PM

    I still haven't gotten an email, does that mean I'm not affected or just a delay in the queue?

    edit: I have since received the email

  • by ch0I9daAiO on 1/11/21, 9:50 PM

    There's a neat docker container you can run for their management application instead of using Cloud™.

  • by lkxijlewlf on 1/11/21, 9:49 PM

    Wish they would roll Wireguard up into the firmware distribution for the edgrouter-x.

  • by zaltekk on 1/12/21, 2:55 PM

    Does anyone know how to completely delete the Ubiquity account? I can't find an option anywhere on the website.

    For now I've renamed the username and put in a fake email address (sadly the username `deletemyaccount` was taken).

  • by alkonaut on 1/11/21, 9:33 PM

    Did they email everyone with an account this information? I.e., if I didn't get that email, I don't have an account?

    You can't check via a login page whether you have an account...

  • by turblety on 1/11/21, 9:31 PM

    That link looks awful on a mobile browser. Isn't MailChimp supposed to make responsive emails easy.

    It's so bad, they have disabled pinch to zoom, so I just horizontally scroll.

  • by p0p0bawa on 1/11/21, 8:52 PM

    ooooh, turn off "Remote Management" if you use Unifi products and are concerned

    https://help.ui.com/hc/en-us/articles/115012240067-UniFi-How...

  • by neonate on 1/12/21, 2:08 AM

  • by kelt on 1/12/21, 12:38 AM

    ...and password reset doesn’t work as expected now. Anyone manage to reset?

  • by myggan on 1/11/21, 8:14 PM

    At least we know third party have access to our salted passwords et. al?

  • by xvector on 1/12/21, 12:34 AM

    Can't even get a verification email sent to my address. Amazing.

  • by Paul-ish on 1/12/21, 1:36 AM

    Were any firmware updates pushed out? (To targeted users even)

  • by politelemon on 1/11/21, 8:57 PM

    This ought to be on their blog, rather than mailchimp, no?

  • by lpgauth on 1/11/21, 8:58 PM

    What systems were breached? I haven't received an email...

    Is UNMS ok?

  • by tolien on 1/12/21, 10:23 AM

    It's particularly annoying that these happen but UBNT won't let you delete your account without calling their help desk (?!) [1] or dropping some sort of GDPR bomb on their heads.

    1: https://community.ui.com/questions/How-do-I-get-my-account-a...

  • by rodgerd on 1/11/21, 8:08 PM

    This is a terrible public notification. What is the scope of the breach? Their forum software? The accounts Unifi customers can use for cloud-based admin of their private networks? Support tickets?

    It doesn't inspire one iota of confidence. Quite the opposite.

  • by based2 on 1/11/21, 8:10 PM