Sure, we made your Wi-Fi routers phone home with telemetry, says Ubiquiti. What of it?

Ubiquiti Networks is fending off customer complaints after emitting a firmware update that caused its UniFi wireless routers to quietly phone HQ with telemetry. It all kicked off when the US-based manufacturer confirmed that a software update released this month programmed the devices to establish secure connections back to …

  1. JohnFen

    Once more, with feeling

    Don't use devices that phone home and/or automatically apply updates. The security risk is simply too great.

    Beyond that, specifically don't trust Ubiquiti. They've just proven that they're untrustworthy.

    1. Butler1233

      Re: Once more, with feeling

      Unifi hardware doesn't auto install updates. If the hardware has been adopted you can happily not update your devices as long as you like.

      So if you don't want to have your devices phone home, just don't install the updates. When they allow users to disable phoning home, sure, continue updating.

      1. john.jones.name

        speed test

        they ship with a speed test built in... that pretty much gives the game away...

        1. Dolvaran

          Re: speed test

          Which you can choose not to enable...

      2. Joe W Silver badge

        Re: Once more, with feeling

        Sure, that would have worked if they had disclosed the data gathering when downloading or installing the update. They did not.

        1. James 139

          Re: Once more, with feeling

          Exactly, its the horse meat lasagna again.

          It was only a problem because it didn't say "horse meat" on the list of ingredients.

        2. A.P. Veening Silver badge

          Re: Once more, with feeling

          "Sure, that would have worked if they had disclosed the data gathering when before downloading or installing the update. They did not."

          FTFY.

      3. deive

        Re: Once more, with feeling

        And what about the security holes that the same update also patches? At my workplace here we use them, and they are pretty damn good - until this.

      4. JohnFen

        Re: Once more, with feeling

        "Unifi hardware doesn't auto install updates."

        I never said it did. My comment was addressing the world beyond Ubiquiti.

    2. Anonymous Coward

      Re: Once more, with feeling

      Yes it's annoying. Ubiquiti, justifiably, have a great following. It is probably the only product in this price range that offers the massive number of features that it does.

      I've used them at a number of sites if you wish to have an extensive wifi footprint all centrally managed with 'full fat' APs and great monitoring. They are much better than a Cisco set up in some circumstances. For an SME you can add another 10 APs to improve coverage for the cost of a single AP from many other providers.

      However, when they do things like this and some of their other, interesting but half baked, features I wonder if they really think things through properly.

      I would still recommend them, and hopefully they will learn from this (unlike Microsoft with their insistence on telemetry) but I would always avoid running the latest updates and let any issues filter through other bleeding edge adopters first.

      1. Anonymous Coward

        Ubiquiti, the wannabe Apple of networking...

        ... is having a Google/Facebook moment?

      2. Captain Scarlet Silver badge

        Re: Once more, with feeling

        I prefer Symbol, wait I mean Motorola, wait Zebra, oh wait currently Extreme Networks.

        (Still very solid controllers and AP's)

      3. JohnFen

        Re: Once more, with feeling

        "hopefully they will learn from this"

        I was looking at the more general history of the behavior of this company, and it looks like they've long been sketchy. I personally doubt that they will learn the sort of lesson we would all hope they'd learn. Because of that history, more than this particular instance, I have them on my "never do business with" list.

        1. Kiwi

          Re: Once more, with feeling

          Because of that history, more than this particular instance, I have them on my "never do business with" list.

          A house-wirer acquaintance of mine uses them, and from his talking I'd been interested but not looked. I don't think I'll bother looking any further without putting them behind some serious firewall. Might just stick with no-name-brand repeaters and my dogged preference for wired networks wherever possible.

          (I refuse to call him an electrician because if it's not 240V mains sockets/lighting or deep fryers, he doesn't have a clue. I doubt he could fix a 1980s torch with a flat battery! Once refused a customer request to have 10A breakers installed in a fusebox because "The standard is 20a for safety, therefore 10A must be more dangerous" (the request was made because the customer wanted the circuits limited to 10a absolute max, not 10.005 and --> definitely not 20! -->)

          1. JohnFen

            Re: Once more, with feeling

            "I refuse to call him an electrician [...] "The standard is 20a for safety, therefore 10A must be more dangerous""

            Anyone who can say that with a straight face is absolutely not an electrician. An electrician would understand what those ratings actually mean.

            1. Kiwi

              Re: Once more, with feeling

              "I refuse to call him an electrician [...] "The standard is 20a for safety, therefore 10A must be more dangerous""

              Anyone who can say that with a straight face is absolutely not an electrician. An electrician would understand what those ratings actually mean.

              Yup.

              The customer didn't really know, but did know enough to know that at 20a there is quite a bit more available energy than at 10a, and while the wiring etc was plenty up to it they did not wish for devices to be able to draw more than their rated 10a (in fact I believe 5a breakers would've sufficed as they had lots of separate sockets and would at most run a basic computer and LED monitor off them).

              (Apparently it is so you can have 2 10a sockets on the same breaker drawing near 10a each and not trip the breaker. Me? I'd put in 2 breakers if I wanted both to be able to draw that, as a lot of things like multiboxes, extension leads, various devices are only rated for 10a and if something goes haywire and starts pulling 19a through a 10a rated plug box... (NZ ratings are often 250V 10A for many things, though our actual power is generally around 230v)

          2. Alan Brown Silver badge

            Re: Once more, with feeling

            > the request was made because the customer wanted the circuits limited to 10a absolute max, not 10.005 and --> definitely not 20!

            In which case the customer understands even less what fuses/breakers are there for than your wiring fiend.

            The sole function of circuitbreakers or fuses is to protect the WIRING from burning up beyond the point at which they're installed. (earth leakage detection is a different function) and if you need more fine-grained protection than that, then you don't do it with circuit breakers or fuses.

            (aka, "a $20 power transistor will destroy itself to protect a 20c fuse")

            On a steady load, a standard fuse or breaker will "pop" nearly instantly at 2x the rated current, hold indefinitely at the rated current and take 8-12 hours to let go at 1.5x the rated current.

            What that means is if you have a circuit that's regularly tripping out or which trips when the TV/kettle/other load is switched on, it's _already_ significantly overloaded and you'd best be sorting it out before the electrical gods seek to exact retribution by burning your house down.

            Quick or slow blow refers to SURGE current characteristics, as do the various "curves" in breakers.

            1. Kiwi

              Re: Once more, with feeling

              > the request was made because the customer wanted the circuits limited to 10a absolute max, not 10.005 and --> definitely not 20!

              In which case the customer understands even less what fuses/breakers are there for than your wiring fiend.

              No.

              Many power supplies and plug boxes and other things have a rating for V and A. They are built so that at the max of those they should be able to cope, but they don't have to cope above those levels. Most have a safety/fudge factor built in, so a 10A 250V plug box could survive happily at 11A. Few would survive at 15A though.

              I have watched transformers in TVs melt down and some actually get hot enough to catch fire, I recall some cheap Chinese[1] import TVs (at a time when the Philips "Griax" (GR1AX) 14" TV was popular but suffering a "go to full volume when a bright white screen was displayed" fault - same chassis was in their 'space helmet' TV around '91/'92) that had a 10a fuse in them, but no thermal fuse in the under-rated and poorly made transformers. Even worse, when you turned the TV "off" the power was shunted through some hefty ballast resistors instead of actually turning the supply off, i.e. the PSU of the TV was always running at 'full noise'. Some of these transformers would literally have a melt-down, and some of them could be sending out flames while still well below 10a. I cannot recall any more on the brand details above what is in here (did fix many of the GRIAX's, fitting 2 diodes on the board where they should be but the factory had cheaped out and used wire links instead).

              Many other people have had experiences of stuff catching fire while drawing a lower current than the fuses or breakers would trip at, and some people know that they can protect themselves better by using a lower-rated breaker, within the confines of the ratings of attached devices rather than twice the confines.

              Your reply only shows you completely missed the point of the exercise, and why the customer wished to significantly reduce the available energy to the 'threat', hence vastly reducing the risk of a fire :) Sometimes personal safety means slowing way down and 'driving to the conditions', not blundering along at the legal limit.

              [1] I'm quite certain they were Chinese-made but may've come from elsewhere. One of the larger store chains sold hundreds of them, which gave the starting-to-die repair industry a big boost for a while.

    3. Anonymous Coward

      Winter has arrived...

      ...the snowflakes are falling again.

      If there’s outrage to be had, some snowflakes will ensure they’re outraged.

      1. Kiwi

        Re: Winter has arrived...

        ...the snowflakes are falling again.

        Ahem..

        You call those upset at the intrusion into their networks and the risks that causes them (those under GDPR rules for example) snowflakes, yet you're too chicken to post under your normal handle?

        Guess we know who the real soft-cock snowflake is!

  2. Ugotta B. Kiddingme

    another workaround to this

    per this Reddit thread was to downgrade to older firmware.

    "The only surefire ways to avoid this is to either downgrade switches and AP to a pre-4.0.60 version. 4.0.51 is stable for me. Some of the later .5x versions were a bit broken. Or block all WAN traffic to/from AP's and switches (which is best practice anyway). They don't need any external access, just the gateway and controller."

    However, be advised that later in the thread someone stated that blocking WAN traffic to/from APs was problematic.

    "The kicker being that if you did isolate them so that they could not phone home there was a memory leak bug that released with this “feature” that meant they would become unusable very quickly due to repeat retries."

    1. Thomas Kenyon

      Re: another workaround to this

      There's also an annoying problem that if you trigger a firmware update from the controller, their access points don't update and just stay disconnected until you reset them if they don't have a NATed connection on their default (not VLAN) interface.

      Discovered this the obvious way.

      1. Roland6 Silver badge

        Re: another workaround to this

        Been playing around with Draytek equipment and am of the opinion that they also reserve the default interface and VLAN for special largely undocumented behaviours.

        Yes it may mean that stuff works out of the box, however, it can take a while to understand why that new VLAN isn't behaving in the same way as the default out-of-the-box configuration.

    2. big_D Silver badge

      Re: another workaround to this

      The blog piece linked to in the Register article states:

      If you do not wish to participate/provide this data, we will add an opt-out button in upcoming versions that will make it easy to opt-out of providing this data. In the meantime, you can block traffic from UniFi devices to trace.svc.ui.com.

      A bit late, but at least they admit it and have a workaround until the new update is released - more than can be said of Microsoft and its Windows 10 telemetry.

      1. Pascal Monett Silver badge

        Re: at least they admit it

        Yeah, just like a guy getting caught running a red light admits it to the cops who caught him red-handed.

        Sorry bud, but admitting it in this case is not getting them any brownie points. It would have been simple to include a question at install time, collecting performance data is not something new and a lot of programs and other things offer to participate, so why did they think they were above that?

        They're not, and they deserve the fallout.

        1. big_D Silver badge

          Re: at least they admit it

          I don't say they don't have any blame. In fact, I think it stinks. But at least they are reacting quickly to the problem, which a lot of companies don't do.

          I'm not giving them a pass, especially as a customer, I am not happy at all with the situation. But at least I have a workaround to deal with the problem.

    3. Cederic Silver badge

      Re: another workaround to this

      Failing to keep router firmware updated introduces a significant network threat vector, so although your workaround addresses one issue it leaves you painfully vulnerable to any security threats addressed in subsequent firmware patches.

      Better by far for Ubiquiti to have made the telemetry opt-in from the outset, if they really need it at all. (They don't).

      1. Roland6 Silver badge

        Re: another workaround to this

        >Failing to keep router firmware updated introduces a significant network threat vector

        It doesn't introduce it, it merely doesn't mitigate an existing threat vector that has been known about for many years.

        As a previous commenter has noted, auto-update of network infrastructure firmware introduces a new threat vector. Personally, I have devices download updates and then message me so that I can control when the updates are applied. This is particularly useful when you are running dev/beta firmware to see whether it has fixed the fault you reported.

    4. Crypto Monad Silver badge

      Re: another workaround to this

      A better solution IMO is to use VLANs.

      With unifi APs, the management IP address is always on the native (untagged) VLAN - and you can assign the wireless SSIDs to other (tagged) VLANs.

      Therefore: put the management IP on a separate device management subnet that has no external Internet access - and no outbound access to any of your other networks, for that matter.

      Then there's the question of what you do with the management software, which isn't currently implicated in phoning home. I'd suggest you stick that on the same untrusted device network and then you don't have to worry about it. If it's a Debian/Ubuntu box, you can give it access to an apt-cacher proxy so that it can download software updates when you choose, but nothing else.

  3. Anonymous Coward

    A lot of pissed-off people

    Though I have no interest in Ubiquiti products, I've been following the complaints for a couple of days, just to see if Ubiquiti reverses course.

    No sign of that yet, and the story has now hit Hacker News, Reddit and El Reg. I suspect Ubiquiti won't reveal the existence of the Rogue Engineer until they've suffered a serious dose of Twitter Outrage.

    1. flatline2000

      Re: A lot of pissed-off people

      Was looking at Ubiquiti devices just this week, who do you suggest instead?

      1. Anonymous Coward

        Re: A lot of pissed-off people

        I still reckon they are unmatched in the price/feature range and I would wait to see how this blows out. But otherwise you'd be looking at Meraki, Ruckus or an AP from your UTM firewall provider.

        1. A.P. Veening Silver badge

          Re: A lot of pissed-off people

          For some things I would recommend TP-Link, using some myself.

          1. Roland6 Silver badge

            Re: A lot of pissed-off people

            At the price point Draytek aren't bad either, but I understand the attraction of Ubiquiti AP's but not necessarily their switches and routers. I would have used them on a recent project if the total cost for a pure Ubiquiti network infrastructure was within the client's budget.

        2. sthen

          Re: A lot of pissed-off people

          If you don't want the vendor to have crash dumps etc as Ubiquiti are sending, you certainly aren't going to want Meraki and their cloud based controllers.

      2. big_D Silver badge

        Re: A lot of pissed-off people

        I installed a USG and 2 APs about 3 weeks ago at home. Very happy, apart from this bit.

        I've used them in the past and we have 2 large crates of Unifi gear at work, which needs to be installed...

        With the relevant block as suggested by Ubiquiti (see my other post), there shouldn't be a problem.

        They screwed up by not making it opt-in and not clearly informing people. But at least they are reacting responsibly. I'll blacklist the trace.svc.ui.com address in my DNS server and on my USG, that should deal with the problem, for now.

        1. Kiwi

          Re: A lot of pissed-off people

          They screwed up by not making it opt-in and not clearly informing people. But at least they are reacting responsibly. I'll blacklist the trace.svc.ui.com address in my DNS server and on my USG, that should deal with the problem, for now.

          Very brave... Not in a GDPR-type area?

          Me... I'd have a lot of trouble trusting them given their past practice (just these events alone, not making opt in AND not informing the customers) and past behaviour can be a good indicator of future behaviour. Would you give a known fraudster the job of managing your accounts? Especially without careful oversight? It's trivial to set up a new domain, or put something on another domain requesting/sending to a specific path (eg "ui.com/spyondumbcustomers.html"), or another port. I think if I wanted to hide something, I could have the router send a specific string as part of the update check which would let it send the pilfered data during that process (although HTTPS urls wouldn't be easy for you to read anyway).

          I take protecting my data and the data of those I do stuff for very seriously. And I know full well companies work on the principle of "They didn't mind us pointing at them and laughing a little bit, so we should be fine to tie them up and beat the shit out of them" - IOW if they get away with a little they'll go for a lot. If this lot had gotten away with sending a little data, next thing you know your usage rates would've been doubling as every packet was copied to them "just for quality control purposes" - same as with MS/your documents.
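Added example, not from any commenter and not Ubiquiti's code: a small resolver-log check for the DNS blocklisting approach big_D describes above, written so that the whole parent zone of trace.svc.ui.com is matched rather than the single hostname, which is the gap Kiwi raises about renamed hosts or alternate domains. The log format is dnsmasq's `log-queries` output, the management subnet 10.20.0.0/24, the hostname other.svc.ui.com and every log line are constructed for the example; the only name taken from the page is trace.svc.ui.com.

```python
"""Spot telemetry lookups from network kit in a resolver query log.

Added example, not Ubiquiti code. Assumes dnsmasq's query-log format
(enabled with `log-queries`) and an AP/switch management VLAN numbered
10.20.0.0/24; both are assumptions made for illustration.
"""
import ipaddress
import re
from collections import defaultdict

# Parent zone of the trace.svc.ui.com host named in Ubiquiti's statement.
# Matching the zone is deliberate: a renamed host under it is still caught.
WATCHED_ZONES = ("svc.ui.com",)
MGMT_NET = ipaddress.ip_network("10.20.0.0/24")  # assumption: mgmt VLAN

QUERY_RE = re.compile(
    r"dnsmasq\[\d+\]: query\[(?P<qtype>[A-Z]+)\] (?P<name>\S+) from (?P<src>\S+)"
)


def in_zone(name, zone):
    """True if `name` is `zone` or a subdomain of it (case/trailing dot agnostic)."""
    name = name.rstrip(".").lower()
    return name == zone or name.endswith("." + zone)


def scan_dns_log(lines):
    """Return {source_ip: {qname: count}} for watched lookups from MGMT_NET.

    Only `query[...]` lines count; `forwarded`/`reply` lines are skipped so
    one lookup is not counted twice. Hosts outside MGMT_NET are ignored.
    """
    hits = defaultdict(lambda: defaultdict(int))
    for line in lines:
        m = QUERY_RE.search(line)
        if not m:
            continue
        try:
            src = ipaddress.ip_address(m["src"])
        except ValueError:
            continue
        if src not in MGMT_NET:
            continue
        name = m["name"].rstrip(".").lower()
        if any(in_zone(name, z) for z in WATCHED_ZONES):
            hits[str(src)][name] += 1
    return {ip: dict(names) for ip, names in hits.items()}


def dnsmasq_block_lines(zones=WATCHED_ZONES):
    """dnsmasq config lines that sinkhole every name in each zone to 0.0.0.0."""
    return [f"address=/{z}/0.0.0.0" for z in zones]


# Constructed log lines for the example; not captured from a real network.
# 192.0.2.53 and 203.0.113.10 are documentation (TEST-NET) addresses.
SAMPLE_LOG = [
    "Nov 11 10:02:13 dnsmasq[1234]: query[A] trace.svc.ui.com from 10.20.0.11",
    "Nov 11 10:02:13 dnsmasq[1234]: forwarded trace.svc.ui.com to 192.0.2.53",
    "Nov 11 10:02:13 dnsmasq[1234]: reply trace.svc.ui.com is 203.0.113.10",
    "Nov 11 10:02:44 dnsmasq[1234]: query[A] trace.svc.ui.com from 10.20.0.11",
    "Nov 11 10:02:45 dnsmasq[1234]: query[AAAA] other.svc.ui.com from 10.20.0.12",
    "Nov 11 10:03:00 dnsmasq[1234]: query[A] www.example.com from 10.20.0.12",
    "Nov 11 10:03:01 dnsmasq[1234]: query[A] trace.svc.ui.com from 10.0.0.50",
]

if __name__ == "__main__":
    for ip, names in sorted(scan_dns_log(SAMPLE_LOG).items()):
        for qname, n in sorted(names.items()):
            print(f"{ip} looked up {qname} {n} time(s)")
    print("\n".join(dnsmasq_block_lines()))
```

The memory-leak caveat quoted earlier in the thread still applies to any sinkhole: blocking the name stops the data leaving but not the retries, so the per-device hit counts are the thing to watch, not just the first match.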

      3. Michael Wojcik Silver badge

        Re: A lot of pissed-off people

        Apparently FlashRouters will sell you a router with DD-WRT already installed. I've never used them myself, and have no idea what the quality of the hardware is.

        I've been meaning to get a couple new routers with decent hardware (as far as I can determine from reviews) and put DD-WRT on them. That seems like a reasonable approach for tech folks who can afford the time. But the fact that I haven't gotten to it yet suggests I can't...

        1. tgoltz

          Re: A lot of pissed-off people

          Ah yes...DD-WRT....the package that at one time came with a hard-coded opening in the firewall for an IP address in Germany. No real explanation as to why it was there or what it was enabling the DD-WRT people to do to your router.

          Personally, I'll take UBNT's telemetry.

          1. Kiwi

            Re: A lot of pissed-off people

            Ah yes...DD-WRT....the package that at one time came with a hard-coded opening in the firewall for an IP address in Germany.

            Do you have a citation for that please? Genuine interest, especially as this is the first time I've come across the claim (but not deeply looked at DD-WRT yet, as not had routers on their support list and not had an overwhelming desire to change the router I had :) )

    2. big_D Silver badge

      Re: A lot of pissed-off people

      They will be making it opt-in and they have released a workaround for those affected, which is in the link in the article, although El Reg didn't mention it and just mentioned blocking all IPs for Ubiquiti...

      If you do not wish to participate/provide this data, we will add an opt-out button in upcoming versions that will make it easy to opt-out of providing this data. In the meantime, you can block traffic from UniFi devices to trace.svc.ui.com.

      1. JohnFen

        Re: A lot of pissed-off people

        They're not talking about opt-in, they're talking about opt-out. Opt-out is better than nothing, but it's not wonderful.

        Also, El Reg linked to their statement where they said this.

        1. NATTtrash

          Re: A lot of pissed-off people

          What puzzles me a bit is how opt-out can be GDPR compliant...

          1. Roland6 Silver badge

            Re: A lot of pissed-off people

            >What puzzles me a bit is how opt-out can be GDPR compliant...

            Because as far as Ubiquiti are concerned the data has been anonymised in compliance with GDPR (I wonder who signed it off) and thus the data is now effectively outside of GDPR...

  4. NoneSuch Silver badge

    Common Sense

    Put a listening device on my gear without telling me and watch how fast I never buy your products again.

    1. Kiwi

      Re: Common Sense

      Put a listening device on myanyone's gear without telling me and watch how fast I never buy your products again.

      FTFY.

      YW.

      HANW.

  5. a_builder

    I have been removing these for a while now for other reasons

    TBH I have been removing these for a while as the performance is not that fantastic.

    It is rather odd that the range on these is quite good but the throughput is pants.

    I also really seriously don't like the controller system at all. It all feels rather well........yesterdays news.

    1. JohnFen

      Re: I have been removing these for a while now for other reasons

      "It is rather odd that the range on these is quite good but the throughput is pants."

      I don't know the details of how these devices are implemented, but generally speaking this makes sense. If you reduce the transmission rates, then you increase the ability to deal with radio noise. That means that the radio signal can be usable at lower power levels, which means that the radio signal is usable at a greater distance.

      1. Wellyboot Silver badge

        Re: I have been removing these for a while now for other reasons

        Yup indeed, simply put it's 'Go fast' or 'Go long'

        To extend the speed/coverage bubble you could splash out on some higher gain antenna if that's legal where you are.

        1. Roland6 Silver badge

          Re: I have been removing these for a while now for other reasons

          >you could splash out on some higher gain antenna if that's legal where you are.

          The legal limit is on transmitter/radio output power.

          The way to extend the speed/coverage bubble is to use the highest legal spec. radios in the APs combined with directional aerials/beam formers which effectively direct all that power in a single direction. Then you need high gain antennas to receive the much lower power return signal from client devices.

          The other way is get a licence and use more pricey equipment...

          1. Alan Brown Silver badge

            Re: I have been removing these for a while now for other reasons

            "The legal limit is on transmitter/radio output power."

            Nope

            The limit EVERYWHERE in the world is on Effective Isotropic Radiated Power (EIRP) - power emission from the antenna - meaning that if you put a 20dB gain directional antenna on a 100mW radio that's legally running max power on a 3dB omni antenna, congratulations you're now illegally running an effective 10W transmitter - and likely wiping out every AP for 3-4 miles in the direction the antenna is pointed as well as doppler radar for 10-20 miles if it's 5GHz - This is _exactly_ what a number of FCC prosecutions over 5GHz interference in the USA have been about. European authorities have tended to issue warnings before prosecuting but they have gone after illegal setups too.

            (a huge chunk of interference issues are down to idiots doing _exactly_ what I've just described)

            For Wifi use in buildings the best policy is "as little power as you can possibly use".

            I've got 120 APs deployed and doing very well (800Mb/s throughput on each) at 1-5mW (1-7dBm after antennas) in 5GHz and 1mW (300Mb/s) on 2GHz thanks to the simple expedient of one in every office and a couple of larger ones in public spaces (outdoor units run higher power with range limits dialled in)

            There is absolutely zero point in any given network AP being detectable beyond the next AP in the same SSID and turning up the power just makes for an unholy co-channel mess with very unhappy users.
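Added example, not from any commenter: the dB arithmetic behind the EIRP figures in the post above, plus a helper that turns a regulatory EIRP cap and an antenna's gain into the largest legal radio output. The caps in the table are the ETSI indoor EIRP limits for Europe (20 dBm at 2.4 GHz, 23 dBm in the lower 5 GHz band) and are there for illustration only; the AP names and power figures in the plan check are made up.

```python
"""dB budget behind the antenna-gain argument.

Added example, not from any commenter. Regulatory limits are on EIRP
(radiated power including antenna gain), so a higher-gain antenna on a
radio already at the limit takes you over it. The caps below are the
ETSI EN 300 328 / EN 301 893 indoor EIRP limits, used only as an example;
substitute the figures for your own region.
"""
import math

EIRP_LIMITS_DBM = {      # illustration only (ETSI indoor caps)
    "2.4GHz": 20.0,      # 100 mW EIRP
    "5GHz-low": 23.0,    # 5150-5350 MHz, 200 mW EIRP
}


def mw_to_dbm(mw):
    """Power in milliwatts to dBm (10 * log10)."""
    if mw <= 0:
        raise ValueError("power must be positive")
    return 10.0 * math.log10(mw)


def dbm_to_mw(dbm):
    """dBm back to milliwatts."""
    return 10.0 ** (dbm / 10.0)


def eirp_dbm(conducted_mw, antenna_dbi, feedline_loss_db=0.0):
    """Radiated power: conducted power plus antenna gain minus cable loss."""
    return mw_to_dbm(conducted_mw) + antenna_dbi - feedline_loss_db


def max_conducted_mw(limit_eirp_dbm, antenna_dbi, feedline_loss_db=0.0):
    """Largest radio output (mW) that stays under the cap with this antenna."""
    return dbm_to_mw(limit_eirp_dbm - antenna_dbi + feedline_loss_db)


def check_plan(aps, band):
    """Return [(name, eirp_dbm, excess_db)] for APs exceeding the band's cap.

    `aps` is an iterable of (name, conducted_mw, antenna_dbi).
    """
    limit = EIRP_LIMITS_DBM[band]
    over = []
    for name, mw, dbi in aps:
        e = eirp_dbm(mw, dbi)
        if e > limit + 1e-9:
            over.append((name, round(e, 1), round(e - limit, 1)))
    return over


if __name__ == "__main__":
    # The scenario from the thread: 100 mW radio, 3 dBi omni swapped for 20 dBi.
    print(f"100 mW + 3 dBi  = {eirp_dbm(100, 3):.1f} dBm EIRP")
    print(f"100 mW + 20 dBi = {eirp_dbm(100, 20):.1f} dBm EIRP "
          f"= {dbm_to_mw(eirp_dbm(100, 20)) / 1000:.0f} W")
    print(f"Legal radio output with 20 dBi under a 20 dBm cap: "
          f"{max_conducted_mw(20.0, 20.0):.2f} mW")
    # Made-up plan: one AP with the big antenna, two run low as the post advises.
    plan = [("hotspot", 100, 20), ("office", 5, 3), ("lobby", 50, 3)]
    print("Over the 2.4 GHz cap:", check_plan(plan, "2.4GHz"))
```

With a 20 dBi antenna and a 20 dBm EIRP cap the radio may put out 1 mW, which is the end of the power range the post above runs its indoor APs at; the gain buys receive sensitivity and direction, not a bigger legal bubble.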

    2. Anonymous Coward

      Re: I have been removing these for a while now for other reasons

      Wifi devices are seen as simple consumer type devices as everyone has them in their home. However for a proper installation you do need to understand the technicalities a little - they are RF devices after all and RF engineering is quite a complicated subject.

      Any time you hit the extents of range you will have issues as then it becomes as much about the client as the AP. Just because you can see the AP with 1 bar, doesn't mean the AP can see your device. Also the speed gets negotiated right down. The LR version of the APs aren't worth it in the UK as the extra range won't be used with clients.

      The most practical thing outside of proper channel mapping and reducing the number of SSIDs on each channel is to kick clients off (or not allow connection) if their signal strength drops below a certain level. Using the Minimum RSSI setting well can make connections very solid and make for a much better roaming experience (between APs).

      1. sthen

        Re: I have been removing these for a while now for other reasons

        The LR versions can be worth it, you won't legally get any extra transmit power in the UK with them, so you won't get a stronger signal reported on client devices, but the extra gain helps with the signal received from the client devices.

    3. big_D Silver badge

      Re: I have been removing these for a while now for other reasons

      I put them in at home, because I had given up on trying other domestic mesh solutions, which have pants throughput. I had tried 2 or 3 different solutions, none got over 50Mbps mesh link over the 10M between the base station and the APs (all current 1.5Gbps AC kit).

      I had had good experience with Unifi at a previous employer and like the configuration controller. With the Unifi mesh, I get around 110Mbps over the same distance. Not brilliant, but better than the domestic stuff. It also adds full VLAN support into the mix, which is a great bonus.

  6. Andy Mac

    Given that my Unifi access points wouldn’t work without an internet connection, I always assumed they were sending something back.

    It’s a sad indictment of the modern world of technology that I made that assumption.

    1. JohnFen

      "It’s a sad indictment of the modern world of technology that I made that assumption"

      It's really the only reasonable conclusion, though. There is nothing about WiFi that inherently requires the internet to be involved, so there must be another reason.

    2. Old Shoes

      There's an option

      This annoyed me because while my network setup here is quite resilient, after a short Internet outage the WiFi will disappear.

      Turns out there is an option: "Uplink Connectivity Monitor"

      I thought this was just to rearrange the network topography in case the WiFi mesh was having issues, but I was wrong.

      1. jezbod

        Re: There's an option

        I just checked my console and it has a description that appears when you switch the option on:

        "Connectivity monitor will disable broadcasting of the SSID when the AP does not have connectivity to the gateway."

        So it appears it is working by design....

        1. Roland6 Silver badge

          Re: There's an option

          >So it appears it is working by design....

          A bit basic.

          I would expect the connectivity monitor to have a selectable action, the most basic being to just log the event to SysLog.

  7. FozzyBear

    so what you gonna do?

    Directly affect your bottom line and market share by not even considering your products, now or in the future.

    Did i hurt widdle feelings and bonuses? Tossers!!!

  8. jake Silver badge

    "One mitigation is to use DNS or IP address filtering to block connections from the devices to Ubiquiti's servers"

    A better mitigation is to not use their products. Ever. History has shown that any company willing to cross the privacy line once will cross it again and again, whenever they think they can get away with it.

    1. Anonymous Coward

      re: History

      History has shown that any company willing to cross the privacy line once will cross it again and again, whenever they think they can get away with it.

      Yet... we still use a plethora of products from Microsoft, search using Google, use GMail and GoogleDocs, spend hours drooling over Facebook and other (anti)Social Media services.

      Well... some of us don't but we are in a real minority. We are the refuseniks of 2019/20/21/22/23... etc

    2. Anonymous Coward

      Cisco baked backdoors directly into some of their products.

      I presume you are saying to never use Cisco products again, what company would you suggest for switching gear?

      1. Roland6 Silver badge

        >what company would you suggest for switching gear?

        Enterprise grade: HP Aruba - more performant at the price point than Cisco (as are the other majors); Internet core: there is more of a choice which includes Huawei...

    3. Anonymous Coward
      Anonymous Coward

      Cisco Meraki have access to all your data directly, as it is all managed from their cloud service. They also partner with a number of organisations such as Amazon, Google, Microsoft, Salesforce, Twilio ...

      They are open and honest about this, as long as you spot the link. Although they don't readily tell you what they collect and what everyone processes exactly.

      https://meraki.cisco.com/trust#subprocessors

  9. msage

    Unifi video / protect

    And this just on the back of the great advert fiasco. They released an upgrade to the unifi video controller that advised customers to "upgrade" to unifi protect that has nowhere near product parity with video. They reversed that one, but to do something worse less than a month later... Not good news

  10. Matt_payne666

    I'm a fan, find performance good and the controller head and shoulders above ruckus, trapeze and Aruba...

    I'm also not totally against phoning home with performance and diagnostic data... BUT I like to know and make the choice... hiding the fact is a bit naughty

  11. ExampleOne

    I have always been dubious about their products for not really fitting the way I want to manage my network devices. Now it seems that my concerns were entirely justified.

    For my home usage I will never tolerate or accept a network device that in any way depends on anything outside the network for any aspect of its operation.

    1. Leedos

      Limits to your madness.

      How do you connect to the internet? There's always that one pesky device that really does need to talk to the rest of the world.

      1. Kiwi

        Re: Limits to your madness.

        How do you connect to the internet? There's always that one pesky device that really does need to talk to the rest of the world.

        When the internet drops off (as it does from time to time where I live), I don't expect my WiFi, DHCP, switch etc to stop working. I only expect to not be able to contact machines outside of my home network.

        Why does WiFi functionality require internet access?

  12. Doctor Syntax Silver badge

    "Ubiquiti told customers all of the information is being handled securely, and has been cleared to comply with GDPR"

    By whom?

    And did nobody think of what might happen when this hit the fan? Actually, it's quite possible somebody did and were told to stop being negative.

    1. Anonymous Coward
      Anonymous Coward

      "By whom?"

      At best by a consultant who got handsomely paid to tick some boxes and print a report. Just the very fact that the user can't opt-out and wasn't informed raises some suspicion about GDPR compliance - unless they are really, really sure they can't capture personal data.

      1. tiggity Silver badge

        Re: "By whom?"

        It does potentially capture personal data if IP address gathered.

        If your ISP gives you a fixed IP address then IP address identifies a household so narrows it to a small number of people - and in 1 person household identifies a single individual.

  13. Kevin McMurtrie Silver badge

    Cloud product talks to cloud

    Don't all Ubiquiti products require a Ubiquiti cloud account and a local or cloud controller to work? I've avoided them because this seems like complexity I don't want or trust.

    1. petur

      Re: Cloud product talks to cloud

      No, not at all

    2. Anonymous Coward
      Anonymous Coward

      Re: Cloud product talks to cloud

      So you've avoided something because you thought it did something that it didn't?

      Great research.

    3. Thomas Kenyon

      Re: Cloud product talks to cloud

      You can run a controller locally. It's a freely available application on their website. (Written in Java). They even maintain repositories for various Linux distributions.

      Their mobile App will also talk to this happily.

      1. nichomach

        Re: Cloud product talks to cloud

        True, but be aware it uses MongoDB as its back-end. Just ripped out Unifi from here and replaced with Aruba, not least because of the controller's propensity for periodically crapping itself and leaving the database corrupted.

        1. Anonymous Coward
          Anonymous Coward

          Re: Cloud product talks to cloud

          Well never had DB corruption myself with a few thousand APs, so can't comment directly on that.

          However the Unifi solution doesn't rely on the backend to function. If something happens to the controller the APs will continue to work, but you'll lose some of the monitoring and ongoing management.

          As the controller can be run in a VM it is very easy to snapshot it, create redundant VMs, back up the config and recover very quickly if you have an issue, with a very simple change management and backup routine. The fact that the individual APs have full functionality and the controller is not a single point of failure makes it more useful than most, where loss of the controller or communication with it can brick the APs.

      2. Alister

        Re: Cloud product talks to cloud

        We run our controller on a Raspberry Pi. Very happy with our Unifi installation; we picked them after trialing a number of other manufacturers' solutions.

  14. LeoP

    This comes at a good point in time

    A few days ago I was asked by a client (for whom we normally don't do any networking, but hey there is the water-cooler/coffee-maker/whatever talk) to help them think how to expand their (currently Ubiquiti) WLAN - stay with Ubi, roll their own or go "Enterprise". I forwarded them a link to this article at ca. 11 p.m., and got a reply along the lines of "so one possibility just dropped" within 5 minutes.

    This tells me, that they are quite serious in both ways.

  15. cb7

    After getting fed up with unreliable performance from a BT-Hub5 re-purposed as a WAP, I recently dipped my toes into the dedicated WAP world with a Ubiquiti Unify AP.

    I was a bit disappointed at having to use Java to run the local controller, but this is only needed to get the AP up and running or if you want to tweak settings or monitor performance etc.

    Once the AP was up and running satisfactorily, I've not had to run the controller again. The AP just sits there doing its job, so I'm happier with it than I was with the old BT Hub.

    But now this.

    So what other well performing, reliable, industrial strength alternatives are there?

    1. Olivier2553

      Open source solution like DD-WRT or I think something called tomato and openwrt.

      1. Microchip

        DD-WRT is good, until you come across something that should work and blatantly doesn't - e.g. multiple VLANs split out into multiple WiFi SSIDs - something I ended up head on up against, and it turned out it was a bug in some of the accompanying software on the Linux distribution. It's good until it's not.

        Tomato is pretty solid, if a little limited. OpenWRT is the most flexible, but also seems to lack wireless drivers for a lot of common AP hardware, due to binary blob requirements. Shame, as it seems to be the best out of all three, as far as functionality and customisability goes.

    2. AndyFl

      Alternatives?

      Mikrotik, about the same price or slightly cheaper and much more configurable. The management app Winbox runs under Windows or without problems on Wine with Linux.

      1. Roland6 Silver badge

        >Mikrotik

        From the reviews and the equipment specs and their EU27 location (Latvia), definitely one to watch...

    3. Dvon of Edzore

      I've been happy with the Zyxel USG-40 and USG-60W in some offices I shepherd. Good wireless range in the 60W (skip the 2.4-only 40W) and multiple port-based LANs on all USG models allow segregating traffic by sensitivity of content, keeping guest WiFi, payment card services, and protected identity info on separate subnets. (Yes I know what a VLAN is. The Zyxel way isn't as flexible but also isn't as prone to error after a long night installing and configuring.)

      Can save money if you avoid the annual license for the security services and reporting. Haven't tried their cloud products and likely won't because cloud.

    4. Kevin McMurtrie Silver badge

      Maybe EnGenius. They seem to work well and they support both central and independent management. Their product lineup is confusing as hell, though.

    5. Anonymous Coward
      Anonymous Coward

      I guess, just don't bother to update it? I haven't updated mine for months...

  16. Anonymous Coward
    Anonymous Coward

    Meh. It could be worse....

    Some Asus routers phone home to TrendMicro servers, where a rogue employee has been caught selling users' data.

    And according to some reports hackers may have had access to Trend's source code.

    An excellent website that is a must read before setting up a home WiFi router is:

    https://routersecurity.org/

    1. The Oncoming Scorn Silver badge
      Pint

      Re: Meh. It could be worse....

      Caught red handed was he?

      1. Anonymous Coward
        Anonymous Coward

        Re: Meh. It could be worse....

        "Caught red handed was he?"

        I gotta admit that was pretty funny.

        (And also pretty embarrassing)

        Cheers!

        ~OP~

  17. Dvon of Edzore
    Unhappy

    Jerks caught being jerks.

    I had already stopped looking at new Ubiquiti equipment due to their consistent failure to get tested for commercial use (OSHA law in the US) and overheating, dropped out of their forums after they spent their resources to make the forum "pretty" instead of something radical like getting the long-promised IPv6 support out of beta, and now this. The two pieces I had (gateway and one access point) were promptly disconnected and software uninstalled; replaced with a Netgear WiFi router I had in reserve. It will be replaced with a more industrial choice soonish, but it gets me to El Reg until then.

    Expect a flood of Brand U on flea-bay in time for Xmas.

  18. JanCeuleers

    GDPR compliant?

    Since GDPR requires "informed consent" from people before their data is processed (gathered, transmitted, analysed, acted upon, ...), whether it is anonymised or not, it is not possible for Ubiquiti's data gathering to be GDPR-compliant without people having given that consent.

    1. GordonD

      Re: GDPR compliant?

      Informed consent only applies before their personal data is collected, so that doesn't rule out GDPR compliance.

      Doesn't matter though, GDPR compliance is a red herring. The problem is that "trust me" isn't a valid approach to any network security issue.

      The main problem is that Ubiquiti management doesn't see (or is being paid/told not to see) how wrong this is.

      1. yoganmahew

        Re: GDPR compliant?

        Your IP address is personal data if there is other corroborating data that can link you to it. If, for example, your email address is present in the device and captured, or if your personal data is in a packet that is captured during a crash event.

        So Ubiquiti are sure they never catch anything that could be linked to the IP address to give personal identification??

        https://www.whitecase.com/publications/alert/court-confirms-ip-addresses-are-personal-data-some-cases

        1. Roland6 Silver badge

          Re: GDPR compliant?

          >So Ubiquiti are sure they never catch anything that could be linked to the IP address to give personal identification??

          Whilst I get your question, which does need an answer, I think we should be asking ourselves: do the URLs and IP addresses of the Internet destinations we access, in themselves (ie. without an associated source IP address), constitute personally identifiable information?

    2. Mike 137 Silver badge

      Re: GDPR compliant?

      Consent is only one of the lawful bases, and it's only effectively mandatory where the data processed fall within the scope of Article 9 (the 'sensitive' data categories). "Legitimate interest" can be used (and is over-used) in almost any other case in the commercial context.

  19. Dwarf

    Opt in vs opt out

    Hey, manufacturers. If you want to do this sort of thing, it has to be opt in, not opt out.

    Yes, that might mean you get no data, but then you will understand your users' requirements far better.

    If you need info on crashes and the like, then get a test team in your company and test the devices yourself. Good testers are worth their weight in gold.

    The current approach being taken by certain manufacturers will only ever erode trust and adversely affect your bottom line. Once trust is gone it's probably never coming back.

  20. Anonymous Coward
    Anonymous Coward

    WIFI keys

    "Any data collected is completely anonymized"

    Including WIFI keys? I'd like to see evidence of this, since I don't believe it for a single second.

    "transmitted using end-to-end encryption and encrypted at rest"

    This does nothing to make me confident. Once someone breaks your front end, it's all exposed.

  21. ZappedC64

    I use a Ubiquiti UniFi Cloud Key Gen2 Plus to manage my UniFi networks. It's cloud enabled and lets me manage my customer UniFi installations from my phone or from my computer, remotely. I guess I'm not really worried because the Ubiquiti UniFi Cloud Key Gen2 Plus is registered on Ubiquiti's network and I can pull statistics as well. Being able to remotely manage a UniFi network 500 miles away is a big time saver for me. The telemetry data has helped me on many occasions diagnose various issues.

    If you think about it, don't all "cloud enabled" devices have to phone home and report something to the mothership?

    1. Anonymous Coward
      Anonymous Coward

      I can easily manage my network remotely just VPN-ing into it... no vendor lock-in, no cloud account, no cloud services or apps disappearing and making devices useless, no data going to third parties...

      It's incredible how people overlook the simplest solution and just bite the decoy hung in front of them, usually because of a flashy UI.

      1. AJ MacLeod

        It's not clear from your comment whether or not you know this already, but UniFi networks don't require vendor cloud services, mobile apps or cloud accounts either to configure or operate.

        You can just run your own controller within your network (their software runs on a commendably wide range of platforms) and that's it - if you want to manage it from outside your network you can just forward the relevant ports or use a VPN.

        I am dead against devices which require ongoing vendor support or licensing just to operate normally and was wary of UniFi with all the talk of "cloud" features but overall I've been pretty impressed over the past few years.

        1. Anonymous Coward
          Anonymous Coward

          My comment was about managing the setup from outside using the cloud service and the mobile apps.

          It's clear you can still VPN into your network and access the controller - I would never forward the very network management ports, too risky.

          Anyway the controller is still a kind of vendor lock-in, since you can't easily access and manage UniFi systems without it, and it's a way to lure you into buying more of their products. I understand that for larger deployments it is a useful feature if fully optional, but IIRC you can do little without it - maybe some CLI, but little more, but I may be wrong since it has been some time since Ubiquiti was last on any of my shopping lists.

  22. pigdog234

    If you're upset at Ubiquiti

    You better get awfully pissy with every other major consumer vendor out there. They ALL call home. That includes Apple, Android, your HP printer, much home automation, Ubuntu, Redhat, you name it. And let's not even start with the massive fingerprints people leave on their favorite web sites.

    What's more important is what information is being carried. Here it's relatively innocuous. That could change.

    1. Pascal Monett Silver badge

      Re: Ubuntu, Redhat

      Only if you enable it, which is just like Firefox asking you if you want to participate.

      In other words, do not confuse the Linux world with Windows or IoT shite. They're not the same . . . yet.

      1. Anonymous Coward
        Devil

        "Only if you enable it"

        Is Android not Linux, now? <G>

        1. JohnFen

          Re: "Only if you enable it"

          Don't confuse Google's stuff with Android. I run a phone with Android that doesn't engage in this stuff at all -- because it omits Google's software.

          1. Anonymous Coward
            Anonymous Coward

            Re: "Only if you enable it"

            Oh, I don't know, when people speak about OS market share Android becomes Linux, when it's about slurping Android becomes not Linux - just take a single, coherent position, please....

            And I'm sure there are a lot more products built on Linux that do slurp any data so unlucky as to pass close to them. Most IoT devices run some form of Linux too.

            1. JohnFen

              Re: "Only if you enable it"

              My position is coherent and consistent -- Android is an OS that uses Linux. Linux is just the kernel, after all.

              But my point is that even if we (incorrectly) call Android "Linux", it's still true that the parts that are slurpy are the applications and services that Google layers on top of that. You can absolutely have a non-slurpy Android installation.

      2. Roland6 Silver badge

        Re: Ubuntu, Redhat

        >do not confuse the Linux world with Windows or IoT shite. They're not the same . . . yet.

        As Linux increases its market share, expect that differentiator to erode; as both Google and Facebook have demonstrated, you can build a very large profitable business on top of free (to the consumer).

    2. JohnFen

      Re: If you're upset at Ubiquiti

      "They ALL call home."

      This is not true in the sense that you're implying, and even if it were, it's beside the point. A lot of those do, of course, but a lot of them do the right thing and get your informed consent first. Mobile devices aside, very few of them engage in sneaky and mandatory reporting.

      "What's more important is what information is being carried"

      What's even more important than that is getting informed consent before doing data collection. I don't care if the data collected is actually 100% innocuous, if you're doing it without my informed consent, you deserve to be widely condemned.

      1. pigdog234

        This bunch really needs to grow up

        And I would like a pony.

        Consumers have no option to give meaningful consent. A vast number of products simply won't function if you do not agree to the shrink wrap. To prove the point a study was done years ago that had a shrink wrap where at the bottom there was a number you could call to claim $100. I think only one person called it.

        And what's more, for most of these devices, you would WANT them to call home, if for no other reason, then to get upgraded. And maybe you would like to be asked, but your family and friends who AREN'T geeks wouldn't otherwise upgrade, the result being that they are vulnerable to far worse things than exfiltration of crash information.

        1. JohnFen

          Re: This bunch really needs to grow up

          "Consumers have no option to give meaningful consent."

          It depends on the device and manufacturer, but yes, this is often true. Which is the exact problem that I'm complaining about.

          "And what's more, for most of these devices, you would WANT them to call home, if for no other reason, then to get upgraded"

          If by "you", you mean the ordinary person, this is probably true. If by "you" you mean me personally, or literally everybody, this is emphatically not true. I don't want any of my devices doing this.

        2. Kiwi
          FAIL

          Re: This bunch really needs to grow up

          And what's more, for most of these devices, you would WANT them to call home, if for no other reason, then to get upgraded.

          Aside from auto-upgrades having their own sets of risks (eg W10/Hardware and software disappearing) - though I do admit much of the time it is preferable for the general populace, you still miss the point.

          "Hi, Upgrade server, my version is 10.077, is there an upgrade?" is perfectly fine.

          "Hi, Upgrade server, my version is 10.077, in the last 24 hours I have uploaded 24738465 bytes and downloaded 8461085732 bytes, until 0245 GMT my ip was 8.8.8.8, from 0247 to 1552 it was 203.96.152.4[1]. I have the following data on MAC addresses...." is not at all fine, especially without consent.

          Yes, your current IP has to be given to download an update; the running version is not actually necessary (the requesting device can simply be told the latest version # and if it is higher than what the device has, the device downloads it), and whatever other data is not necessary and should not be sent without express consent from the user. The reason 'opt out' is considered bad is that it is not consent.

          [1]Long-disappeared paradise.net's primary DNS server IIRC (sold off to vodafone, subsequently destroyed due to incompatible levels of service and competence (ie Paradise's people knew what those words meant!) - dang, still remember that after all these years???? And secondary was .12...

    3. Michael345

      Re: If you're upset at Ubiquiti

      I have tested Peplink routers and they do NOT phone home.

      Also tested a Synology RT2600ac and it phones home ALL the time. See the Spying on the Router section here https://www.routersecurity.org/synology.php

  23. scasey

    Remember OpenMesh?!

    I used Ubiquiti a fair bit, until I tried Open Mesh, which was fantastic for my purposes. It's interesting that (I think) nobody has suggested Open Mesh (or Datto, as they are now) as a potential alternative. It was such a terrible shame that Datto purchased them. I haven't bought a single one of their products since the Datto announcement, and neither has anyone I encounter. I pretty much universally hear that people are ripping out their Open Mesh gear, and going to, or back to, Ubiquiti. This current issue is worrying, but I hope they learn from it.

    There's nothing else on the market that hits as many of my requirements as Ubiquiti. I suppose I could be called a fan.

    1. The Average Joe

      Re: Remember OpenMesh?!

      OpenMESH, same here: several local businesses use it, I have it at home and at my parents' and in-laws', and now I have to rip-and-replace as I do not have the funds to pay per month for this clown wifi controller; when it was free for 30 days it was good enough. I do not want to pay full price for the access point and then pay every month. The access points never fail, and Datto is not Cisco, and I am not using Cisco features or have the Cisco staff to run the WLC/WCS - Cisco Prime.

  24. kpuk

    Just imagine this was a Chinese company selling in the US...

  25. Reg T.

    Working firewall?

    Do you trust folk like this for your security? This was a scant 4 years past, apparently.

    https://fortune.com/2015/08/10/ubiquiti-networks-email-scam-40-million/

  26. philyboy1

    Unifi Vs EdgeMAX

    Would like to know if this affects the more enterprisey EdgeMAX line (which I am running) vs the Unifi line. The EdgeMAX line recently had a fork in software releases (kinda like VMWare 6.5 vs 6.7!) where the modern fork allows the routers and switches to be managed by Ubiquiti cloud and the older fork does not, but still received updates etc. I am on the 'legacy' fork still but would be interested to know how this played out on the EdgeMAX line.

  27. Anonymous Coward
    Anonymous Coward

    Linksys WiFi Router (Retail Product)

    Last year I bought one of these. The ONLY EASY WAY to configure the thing was to set up a "cloud account" on a Linksys server, an account embedded in the router. The rationale for this arrangement (from Linksys) was that the "Linksys App" would allow the proud owner of this kit to manage their router from the beach in Brazil. I wondered at the time if this arrangement also allowed Linksys to monitor the LAN.

    *

    As it happens, I did find a way of configuring the device the old fashioned way - laptop, ethernet cable, router....AND NO INTERNET CONNECTION.

    *

    Then I did a factory reset on the router, packed it into the original box and gave it to my local charity shop! SEP!

    1. JohnFen

      Re: Linksys WiFi Router (Retail Product)

      Yeah, I recommend against using Linksys products unless you're replacing the firmware with something trustworthy (like dd-wrt or equivalent). Even then, Linksys hardware tends to be pretty bad.

  28. Marty McFly Silver badge
    Flame

    Unhappy customer

    UBNT needs to fix this immediately. A product update, followed by a formal executive level communication apologizing for the fiasco. Not some marketing drivel spit out by the neo-maxi-zoom-dweebies. Trust can only be earned, and once lost is difficult to restore.

  29. Bronek Kozicki

    You do not need Ubiquiti

    By some interesting engineering and good marketing they have placed themselves as "the solution" for managing multiple WiFi access points, but there are simpler and cheaper solutions, which also work perfectly well without an extra PC or "the cloud". For example, I am using a TP-Link AC50 for the few APs at home, while a slightly larger AC500 could be used for a decent-sized network.

  30. Someone Else Silver badge

    Oh-comma-really?

    Ubiquiti told customers all of the information is being handled securely, and has been cleared to comply with GDPR, Europe's data privacy rules.

    Now I (like Ubiquiti) am a left-ponder, and therefore (like Ubiquiti) may not understand GDPR in all its intricacies. But IIRC, GDPR had something about end users having to opt-in in order for their data to be appropriated. This doesn't sound like opt-in to me.

    Is Donald Trump running this company?

  31. Paul

    Outbound firewall?

    So there are people in enterprise IT who don't put third party devices into a sandbox where they have restricted access? Who are these people and who let them loose in the network?

    1. Kiwi

      Re: Outbound firewall?

      So there are people in enterprise IT who don't put third party devices into a sandbox where they have restricted access? Who are these people and who let them loose in the network?

      1) Build a great product that people will want to use.

      2) Be a very trustworthy company and do everything right, with "our users security/privacy at the foremost of our decisions"

      3) Wait till you have a large number of users loving your product and trusting your exceptional service, reliability and security.

      4) Slip in an update that steals all their data

      5) Profit!

      (Somehow MS managed to skip 1 & 2...)

      Besides, given that so many places still run Windows and use cloud products (O365/G-Docs etc), I don't think as many there give a stuff about who has their data as you'd imagine :(

  32. Anonymous Coward
    Anonymous Coward

    Synology is *much* worse. Their RT2600ac phones home for many reasons to many different servers. They do not explain what or why and you can not stop it either. Details here in the section Spying on the Router

    https://www.routersecurity.org/synology.php

    1. Anonymous Coward
      Anonymous Coward

      Synology

      "Synology is *much* worse. Their RT2600ac phones home for many reasons to many different servers. They do not explain what or why and you can not stop it either. Details here in the section Spying on the Router

      https://www.routersecurity.org/synology.php"

      I'm a bit baffled Syno is so bad TBH. In their core NAS market, they are probably the most security-aware maker!

      My venerable DS411, bought 7 years ago, still gets security updates these days. Which other manufacturer is doing that?

      Also, seems bizarre they are going into the crowded and indeed quite messy home router business, now. Not sure they'll get there ...

  33. Anonymous Coward
    Anonymous Coward

    Lots of manufacturers do this :) You don't have to allow it on your network.

    1. Kiwi

      Whether or not they do it is not an issue in its own right. Lots of us allow some stuff to report back (I often turn on crash/usage data for some progs in the interest of helping the devs).

      What is the issue is they pushed out a security update and changed all the affected systems to an opt-out send-data setting without forewarning.

      Not only is that a nasty and untrustworthy thing to do, it's probably illegal in many places.

  34. Jeffrey Nonken

    Opt out?

    Sorry, you've misspelled "opt in". This should not be a default setting.

  35. Kenny_10_Bellys

    Nope

    After a couple of recent foul-ups and their controller software getting more and more needy we're switching to Aruba during our hardware refresh. I've tossed 110 Ubiquiti APs in the skip in the past month. They're great value for the features they have, but you can only push your luck so far.
