[HN Gopher] Whistleblower: Ubiquiti Breach "Catastrophic"
___________________________________________________________________
Author : parsecs
Score : 919 points
Date : 2021-03-30 18:11 UTC (4 hours ago)
Link : krebsonsecurity.com

| noinsight wrote:
| > "Ubiquiti had negligent logging (no access logging on databases) so it was unable to prove or disprove what they accessed"
|
| Perversely, this is exactly the logging that you want to have in place in case of a breach.
|
| You can then (factually) make the statement that "we have no evidence any customer data was accessed."
| hn_throwaway_99 wrote:
| Better solution: never store unencrypted PII/PCI/PHI/etc. in the database. There are loads of tokenization solutions (Very Good Security got a bunch of buzz a couple years back) that do this, or alternatively all of the big cloud providers have key services (KMS on AWS and Google, Key Vault on Azure) so that you can ensure that every decryption attempt is tracked and logged.
|
| If you need to search on some of this data you should use blind indexes (Google blind index for more info).
| toyg wrote:
| Aka plausible deniability
| jasonhansel wrote:
| "We believe that the hackers obtained read-write access to our database, but we also believe that they were too polite to actually use it for anything."
| samstave wrote:
| "Hacker came in through the server hard-line" <-- Hollywood's favorite Hacker Trope.
| tinus_hn wrote:
| Why, they also have no evidence now!
| Traster wrote:
| That works for exactly as long as the data hasn't come out. Once the data comes out... well, you've got questions to answer.
| [deleted]
| williamsmj wrote:
| Reminds me a little bit of Adverse Event Reporting in pharma. If a drug manufacturer finds out about an adverse event (i.e. a bad reaction) to a drug, it kicks off all sorts of obligations that have the potential to be time-consuming and expensive. So pharma is the one sector you won't see with a "social media listening/analysis" department in marketing. They actively avoid tracking or learning about discussion of their products on social media.
| baaym wrote:
| Ironically they can factually make that statement now as well.
| meepmorp wrote:
| > Adam says the attacker(s) had access to privileged credentials that were previously stored in the LastPass account of a Ubiquiti IT employee, and gained root administrator access to all Ubiquiti AWS accounts, including all S3 data buckets, all application logs, all databases, all user database credentials, and secrets required to forge single sign-on (SSO) cookies.
|
| A root user breach, seemingly on the organization's main account. Ouch.
|
| I wonder if MFA was set up, with the TOTP creds also kept in LastPass.
| isclever wrote:
| This boggles me when I see this option in any password manager (and I think every single one has this 'option').
|
| Why do password managers let people store TOTP next to the password? This completely invalidates the 2FA of TOTP if your password manager gets broken into.
| Marsymars wrote:
| > Why do password managers let people store TOTP next to the password
|
| One absolutely invaluable use-case is that it lets multiple employees share access to an account with 2FA enabled.
|
| Many systems don't have appropriate role/permission systems to allow for 2FA otherwise.
| mdavidn wrote:
| The alternative is to navigate 100 separate token reset processes if you ever lose your phone and all of its TOTP tokens.
| nucleardog wrote:
| Or just keep them somewhere that isn't directly beside the password?
|
| I have my password in a password database, and my TOTP tokens on my phone and a Yubikey.
|
| I have a second "break glass in case of emergency" password database that contains TOTP secrets for all my most essential accounts and a backup of the key loaded on my Yubikey.
| artful-hacker wrote:
| Because I already use MFA to access my password manager in the first place, and don't want to deal with managing backups for each flavor of MFA app that is pushed on me.
| nightpool wrote:
| How do you manage MFA for encryption-at-rest? None of the common TOTP systems do this. LastPass and 1Pass have built-in "local encryption keys", but they're stored in the same place as the store and only protected by your password. I think theoretically you could set this up with Keepass using a Composite Master Key (combining a password-protected key and a certificate-protected key, storing the certificate separately, ideally in an HKM), but I don't know anyone who does this.
| Xavdidtheshadow wrote:
| > this completely invalidates the 2FA of TOTP if your password manager gets broken into
|
| I think that's the big "if". If you assume the password manager is secure (which something clearly wasn't in this case, but that seems like an outlier), the TOTP secret in the password manager still secures the account.
|
| Is such a setup as protective as a separate storage method? No, but it's leagues more convenient. A cloud-based PW manager also solves the problem of a lost/broken/new phone causing you to lose all of your 2FA setups. Some 2FA apps do as well (Authy, iirc), but trust me when I say people lose 2FA codes _all the time_. And then 2FA needs to be disabled by support, which is its own can of worms.
|
| The best security measures are the ones people actually use. If not having to use a separate app is the convenience people need, then I think it's totally worth it.
| liaukovv wrote:
| What is the right way to store credentials to something like this?
|
| Hardware keys?
| NovemberWhiskey wrote:
| For AWS root account?
|
| Generate a long random password, print it out and then lock it in a safe without allowing anyone to see it.
|
| Turn on 2FA and then lock the second factor in a different safe.
|
| There's virtually never a need for the root account and it's impossible to attenuate (by design).
| dmlittle wrote:
| This is a lot harder to do if you have lots of AWS accounts and create new ones over time on-demand (e.g. AWS account per team).
| NovemberWhiskey wrote:
| Use Organizations. If you're creating new standalone independent accounts for teams you're just setting yourself up for some kind of billing/security/governance catastrophe down the road.
| dmlittle wrote:
| I was referring to the root accounts in your organization. The blast radius is more limited, but still a root account that has access to everything within that AWS account.
| time0ut wrote:
| You can restrict what the root account can do in a member account using SCPs as an additional safeguard as well.
| ak217 wrote:
| The root account credentials should be used to create a privileged IAM user and then physically locked away in a box after setting up a hardware MFA device (plus a backup MFA) for the root account: https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practi...
|
| The privileged IAM user should then be used to administer other IAM users and roles. All IAM users should be required to have hardware security keys like Yubikey.
| liaukovv wrote:
| But how fast will a determined attacker be able to utilize an acquired physical key?
|
| Is something like kidnapping in the threat model for companies like ubiquiti?
| mywittyname wrote:
| > Is something like kidnapping in the threat model for companies like ubiquiti?
|
| I doubt it. That's going to raise some blinking red flags on the radar of organizations you don't want to be on the radar of. Not just three-letter federal organizations, but three-letter news organizations too.
| The current situation is Yet Another Security Breach that will be forgotten about in 15 minutes. But a kidnapping is interesting! People will be making documentaries and shit about that.
|
| It's so much easier and cheaper to bribe people than it is to kidnap them.
| ak217 wrote:
| Those kinds of fanciful things are not commonly in threat models because they don't happen. The threat models address things that are likely to happen, which are all variations of someone's device getting compromised.
| the8472 wrote:
| > (plus a backup MFA)
|
| IAM doesn't even let you register more than 1 MFA device.
| ryan29 wrote:
| I have accounts for personal use and what I did was set up TOTP for the root account(s) and a U2F (YubiKey) device for the admin account(s). I use 2 YubiKeys; one primary, one spare. The YubiKey has limited TOTP space, but they're perfect for those types of high value accounts. You store the TOTP on both, so if you lose one you can use the root account to fix the admin account.
| ak217 wrote:
| If I were a CISO solving this problem today, I would just use TOTP instead of U2F, and store the secret in two places.
|
| Longer term I expect AWS will add this capability.
| jrudolph wrote:
| AWS root user accounts are kind of an Achilles heel in every enterprise setup using AWS. What you typically do is MFA (bare minimum) + sharded secrets. This means you need multiple people to use the root user account. You can also hook in additional audit controls eg by automating CloudWatch and sending notifications about any root user login. The alternative is that you throw away the password and vow to never use it, or set up an account recovery process (all of this may not be a great idea as it can fail when you need it most).
|
| The situation is somewhat more relaxed with GCP Billing Accounts and Azure EA Accounts, though they have better separation of concerns than AWS (billing vs. workload access).
| Nonetheless, never give these passwords to the finance department lest they store it in an Excel sheet on a SharePoint. Access to these credentials allows anyone to suspend billing for an entire enterprise... not sure what controls the providers have in place to verify any of this before initiating automated shutdown of all workloads.
| aaomidi wrote:
| Hardware keys should be used to store stuff like:
|
| - private keys for ssh, gpg, vpn auth
|
| - 2fa for sudo access, password manager access, etc
| meepmorp wrote:
| I use a Yubikey, personally.
| Arrath wrote:
| Shit, I had plans to refresh the network infrastructure in my parents' place with a full ubiquiti setup to replace the years of added on junk.
| Terretta wrote:
| Parents' place?
|
| Go Eero Pro.
|
| Your future time management self will thank you.
| Arrath wrote:
| I'll take a look at it, but also note that I need in total:
|
| Router, Wifi AP (probably two to get full coverage), Powerline extender, Point-to-point extender with a switch on the other end.
|
| Stupid outbuildings. Anyway, thanks for the tip!
| Terretta wrote:
| Decent chance you don't need all that.
|
| Eero Pro (not standard) kit comes with 3 identical boxes, each with a third radio band for backhaul mesh, each can be wired or wireless as well.
|
| https://evanmccann.net/blog/eero-vs-eero-pro
|
| See comparison table illustration here:
|
| https://evanmccann.net/blog/2021/2/eero-6-vs-eero-6-pro
|
| Not sure if still the case, but last time I dug into it, eero was also the only consumer grade software-defined-radio router/ap, allowing them to rapidly patch for various vulns that others couldn't necessarily or took much longer for.
| cced wrote:
| Does their gear have any cloud offerings?
| pseudalopex wrote:
| Eero is cloud managed too. And reports MAC addresses and network usage to Amazon.
| xoa wrote:
| I wish I could say I was surprised :(.
| Along with a bunch of other people who've used their products for a decade or more now, I've been watching the ever steepening downward spiral of the company really becoming noticeable over the last 3-4 years. In an academic way, it's actually been kind of fascinating to watch happen in real time over the course of years with fairly front row seats. Seeing the deepening technical debt (lots of _very_ old hardware still sold as new with no replacements in sight, inability to migrate their frameworks or keep their sources up to date and more), bikeshedding ramp up and up, the forums start to fall apart, marketing starting to write more and more checks development couldn't keep up with and then that getting brushed under the rug (the SHD and its dedicated security radio comes to mind), the forums getting nuked entirely in favor of a horrible New Web thing with even worse bug/feature tracking than before and there wasn't any proper one before, ever worsening stability, universally hated UI changes that would just get shoved through anyway, and on and on. It's been everything one reads about, "Ubiquiti's Burning Platform" and all that, and in turn seems like it should be avoidable. Yet on it ground with sickening inevitability. It's just now finally starting to reach critical mass and become visible to the more general public, spreading through the same tech grapevine that gave them such a boost in the first place.
|
| But less academically it's depressing as hell too, because the grapevine liked them for good reason and there still isn't any drop-in replacement. Their p2p/p2mp gear is still solid. And UniFi was a wonderful concept solidly executed. It also eschewed the subscription/cloud bullshit so many other players are chasing, which indeed is something of a saving grace here.
| While there is a cloud option, lots (if not most) people can and do run their UniFi networks completely self-hosted even for remote sites. The single pane of glass, ease of provisioning and recovery, etc made sense and saved time. And they had an incredibly enthusiastic and supportive community, like when they asked about moving L3 switching way back on the old forums (back when the rot was in its earliest stages and not clear yet) they got huge amounts of feedback, their beta testing had many people putting in a lot of good work.
|
| Such a damn stupid waste. And the nature of the beast for tech infrastructure is that market signals are always behind the curve and thus muted until things are already getting to be too late. Robert Pera also owns the majority of their stock IIRC so there isn't any way to effect an outside management change there either. It is odd to me that nobody has sought to go after them directly and aggressively, though I heard rumblings late last year that Cisco was giving a go at something clearly aimed right at the UniFi market (no subscriptions like Meraki)?
|
| At any rate, the final straw for me on routing was the flop their "UXG" has been; I finally gave up at long last and began migrating everything to OPNsense a month back. And once the single pane of glass is broken, the barrier to start moving more drops in turn and network effects (harhar) begin to go into reverse. I'd still be happy if they somehow recovered, but if they do I think it'll be a long time. Problems that build for years tend to take years to reverse too, if they can be. I hope we get some stories someday internally on how it all went down.
| outerspace wrote:
| The most disconcerting part for me is the fact that the attackers gained full access to one of the administrators' LastPass account. I would love to know how that happened.
| smileybarry wrote:
| Yikes.
| I have a (Ubiquiti) EdgeRouter X that I previously used for a fiber setup (and it's shelved now because it doesn't like this ISP's modem), and had planned to get an ER-4 later down the road. Been on the fence for any of their APs for months upon months, now I'm glad I bought neither.
|
| Technically EdgeRouter gear is unaffected as it's very cloud-optional, but I can't bring myself to trust any firmware from them at this point. It supports OpenWRT so I guess I'll install it and go back to OpenWRT.
|
| I see this thread already has people discussing alternatives, so I won't ask for ones -- just had to put it out there that if you own an EdgeRouter, chances are that OpenWRT has a build for it.
| lazyweb wrote:
| Yeah my few Unifi devices (and the controller SW instance) are already restricted to their own VLAN, but I'm going to disable outgoing internet access as well.
| gorgoiler wrote:
| It seems naive to want to talk to the press under a pseudonym -- _Adam_, in this case.
|
| When looking for leakers, internal security auditors don't need proof you are _Adam_ in order to fire you. They just put enough pressure on the most likely Adams such that they quit.
|
| You will be one of them. If another Adam does so, so be it. Your actions likely flushed the other leaker when you thought you were the only one. You won't be able to handle the pressure. Neither could she.
|
| Adieu, _Adam_, et al.
| heavyset_go wrote:
| At least for home networking, I'll always pick something I can throw OpenWRT on over a managed service, subscription or closed-source option.
|
| In the 15 years I've been using OpenWRT, I have never been disappointed with it, and I don't have to worry about some company's "secure" backdoor into my network being exploited.
| christophilus wrote:
| I'd like to know what you recommend. I'm running asus routers at home, but would like an option that's easier to upgrade.
| vorpalhex wrote:
| What prosumer level OpenWRT devices do you recommend? I don't want to flash a subpar consumer router.
| rubatuga wrote:
| I'm using a WRT1200ac to great success. Just make sure to set your 5GHz network to a non-DFS channel.
| eutropia wrote:
| > Ubiquiti's stock price has grown remarkably since the company's breach disclosure Jan. 16. After a brief dip following the news, Ubiquiti's shares have surged from $243 on Jan. 13 to $370 as of today. By market close Tuesday, UI had slipped to $349.
|
| Aaannd this is why we can't have nice things. Like trust in our vendors. Or security. Or consequences.
| eqvinox wrote:
| I am extremely relieved none of our Ubiquiti devices are set up for this cloud shit. (We use the PtP stuff, not the APs, the cloud bits are optional there.)
|
| Then again we have a "clear skies" policy & wouldn't have bought anything that requires cloud blah. (Which covers a whole bunch of other vendors too, looking at you Cisco "SmartLicense")
| vageli wrote:
| What is a "clear skies" policy?
| remir wrote:
| I'm guessing clear sky as in no clouds, meaning stuff like AP/network management must remain on premise.
| H8crilA wrote:
| By the way, reporting to krebsonsecurity is a giant waste of potential income. This is what the SEC whistleblower program is for. You get paid for submissions there that lead to successful enforcement actions, and the payouts can be very substantial. Furthermore because payouts exist, there's an industry of competent lawyers that will happily take cases with compensation coming exclusively from your payout.
|
| Also, how is this a securities case? The company did not disclose the scale of the breach to shareholders.
| seneca wrote:
| There was just a thread[1] yesterday about them starting to serve ads in their UI. It seems this company is rapidly losing credibility.
|
| I have had plans kicking around for a bit over a year to do a full build out using their products, and just within that time it seems like they've gone from a glowing reputation to severely tarnished. Unfortunate, as it seems like they once had great products.
|
| 1: https://news.ycombinator.com/item?id=26628198
| dandare wrote:
| Why is the blog not adapted to mobile screen readability?
| markwillis82 wrote:
| Was days away from refitting my home out with £2,000 of gear. Any other recommendations for routers, wifi and security cameras?
| ruph123 wrote:
| For router check out the Turris Omnia [0]. Seems to be a good choice.
|
| [0]: https://www.turris.com/en/omnia/overview/
| pkaye wrote:
| That looks pretty nice. Too bad I didn't see this a week earlier since I just upgraded my home network last week.
| aborsy wrote:
| For firewall, I suggest an OPNSense box. You could run it on a thin client, a Protectli etc.
|
| For AP, OpenWRT seems decent.
| pseudalopex wrote:
| Mikrotik is the most common recommendation probably but wifi speed is a problem apparently.
|
| There were some other suggestions in yesterday's Ubiquiti discussion.[1]
|
| [1] https://news.ycombinator.com/item?id=26628198
| tecleandor wrote:
| I use Mikrotik (or OpenWRT) for routers, but Mikrotik is not that good on WiFi. People recommend Ruckus, but it's pretty expensive (and not that easy to get second hand in Europe, or Spain at least).
|
| Is there any (good) brand with pricing between Mikrotik and a Ruckus that doesn't need a cloud connection?
| mr_woozy wrote:
| Is it not possible to just add in a separate WAP to the MikroTik device?
| ghostpepper wrote:
| Can you elaborate on your experience with Mikrotik wifi? What don't you like about it?
| stevenjgarner wrote:
| I have happily upgraded several homes from Mikrotik and/or Ubiquiti to Eero mesh - https://eero.com/
| Haemm0r wrote:
| "an amazon company" already makes some warning lights blink in my head.
| Do they have cloud integration of any kind?
| pseudalopex wrote:
| It's cloud managed and sends network information to Amazon.
| dataminded wrote:
| Thank you Adam. You saved me thousands, I was seriously considering a network upgrade.
| whereis wrote:
| The simple interpretation is that lawyers know that the law offers no consumer protections in these scenarios, and tried to use that to protect the corporation. Morals aside, and assuming their assessment about such legal boundaries was correct, they were simply doing their jobs.
|
| The system may be broken, but a patch is necessary, and that is only going to arise via legislation. Sadly, the system of governance is also broken, so I expect this will be closed with status "WONTFIX".
| myrandomcomment wrote:
| You are required to have internet access to set up something like the UDM-Pro. After it is set up you can create a local admin account and disable remote access.
|
| Here is how:
|
| 1. Login with your online account credentials and password
| 2. Choose system settings
| 3. Choose advanced
| 4. Disable Remote Access
| 5. Confirm that "Transfer owner" won't be available if you disable remote access.
|
| The issue in general is that the UniFi stuff can be crappy and buggy, but it SUCKS LESS than any other complete solution for a home / small enterprise there at the price point.
|
| I personally used to give them a strong recommendation and even now that is a recommendation with some footnotes. They have been growing too fast and the SW quality has gone down. Being on the latest release is not always the best idea.
|
| To be fair, in my experience I have had many conversations with Cisco that started with "no, not the latest GA, but what is the latest proven STABLE GA."
| tenacious_tuna wrote:
| Just verifying my understanding: this will make it impossible to reach the device from ui.com or otherwise off-network, but an attacker could:
|
| 1. use leaked SSO keys to forge an SSO token
|
| 2. craft a malicious webpage
|
| 3. get an unsuspecting UDMP user (e.g., me) to navigate to that page
|
| 4. run scripts on that page that would access & interact with the UDMP from the browser within the network, using the forged SSO
|
| Is this still a possible vector? Presumably UI would have rotated their SSO keys by now, but since there's no way to disable SSO-based login to the UDMP....
| myrandomcomment wrote:
| So SSO is disabled here. You just use a local account. IE, I go to https://192.168.27.1 to get to my UDMP and the account to auth is locally stored.
| TimTheTinker wrote:
| The difference is that the attack you suggest has to be _targeted_
| rgharris wrote:
| I just did this for a controller that is hosted on a VM (via the new controller UI), I went through a couple of additional steps.
|
| 1. Disable "Enable Remote Access"
|
| 2. Set up SMTP (since disabling remote access stops routing emails through Ubiquiti's backend)
|
| 3. Create a new admin not tied to a cloud Ubiquiti account (via "Administrators")
|
| 4. Disable "Sync Local Admin with Ubiquiti SSO" (the older UI says "Enable Local Login with UBNT Account")
|
| 5. Delete the old admin account
|
| Steps 3 and 5 may not really be necessary, but I did to be safe.
| dec0dedab0de wrote:
| Cloud managed anything has a giant red target painted on it. Especially infrastructure equipment. I'm still surprised anyone thinks it's ok to use their ISP provided router and wifi, let alone having it be managed remotely by the manufacturer.
| zerkten wrote:
| The problem is that on-prem isn't much better in many cases. Only the largest organizations have the capability to operate deep defenses against these threats whether it's the cloud, or the on-prem.
|
| If you and your team have the skills you can operate fairly effectively on a small scale, but that's a pretty luxurious situation.
| Most home users can't tell the difference between a router and cable modem hence it's in the interest of cable providers to lower support costs by providing a managed offering. It's terrible from a security perspective, but customers have signed that away.
|
| The common theme running through these breaches is that the organization isn't necessarily small, but they aren't Google/Apple/Microsoft-size either. Those companies have multiple layers of expertise and the cash flow to hold up development of anything in order to make sure things are secure. It's hard to wing stuff once the bureaucracy understands security is needed. They even start pushing their product security initiatives outside of product development to mundane departments because they get attacked by very smart actors. You can see from the news it's still far from perfect.
|
| Once you get to companies the size of Ubiquiti, you start having challenges with implementing close to the same degree of security because you don't have float in the system to allow for additional costs, delays, etc. on top of the lack of expertise. Apparently Ubiquiti have been hemorrhaging expertise in other areas due to opportunistic cost-cutting, so it isn't a surprise that they suffer and respond in this way given that culture. A bad security decision by one exec in companies of this size can cut across many departments which doesn't happen in the behemoths.
| dec0dedab0de wrote:
| on-prem is much better in most cases because if there is a bug an attacker would have to scan the internet and find you before a patch is released and you update. If that bug is only accessible from inside of your network to begin with, then that means the attacker would already have to be inside your network.
|
| As far as the team having skills, there is not much that Ubiquiti does that can't be handled on prem, I mean you're already installing physical devices, how much more effort is it to install a controller? Sure, that means you're on the hook for upgrades, but in most cases you're better off not getting them instantly anyway.
|
| And to clarify my point about ISP gear, I agree that the average user can't be expected to understand or care. I meant so called technical users.
| pseudalopex wrote:
| The problem isn't Ubiquiti using AWS. It's Ubiquiti forcing customers to use cloud authentication.
| arbitrage wrote:
| Let's be honest, there are a lot of problems here.
| xoa wrote:
| > _The problem is that on-prem isn't much better in many cases. Only the largest organizations have the capability to operate deep defenses against these threats whether it's the cloud, or the on-prem._
|
| One of the truly sad things about all this though is precisely that UniFi made this a lot easier for small orgs and even individuals (and could have gone even farther). Stuff like VLANs and RADIUS became dramatically more accessible "for free", using just what was built-in to a UniFi stack someone might get anyway. Back when they were still more competent Ubiquiti added management VLAN support across the lineup, and the setup is fairly intuitive and then just works. At one point I'd hoped they'd continue in that direction much more. It's not some impossible thing, it mainly just needs better UX putting the pieces together in a graspable way. Graphical VLAN topologies and point-and-click, automating all the certificate authentication/signing stuff, the generation of profiles for onboarding, all the components for this stuff exist right now just not, well, unified.
|
| I think a lot of places don't _want to_ in fact, because they'd rather push cloud ties since that can yield subscription revenue.
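tenacious_tuna's question above turns on what "secrets required to forge SSO cookies" means and why key rotation closes the hole. The following is an added example, not Ubiquiti's code and not from anyone in this thread: a minimal stateless SSO cookie (HMAC over a payload carrying a key id), with a key ring whose `rotate()` retires every old key so cookies minted under a leaked secret stop verifying. All names (`SsoKeyRing`, `mint_cookie`, `verify_cookie`) are assumptions for this illustration.

```python
"""Signed SSO cookie with key ids, so an emergency rotation invalidates
everything minted under a leaked signing secret. Stdlib only."""
import base64
import hashlib
import hmac
import json
import secrets
import time


class SsoKeyRing:
    """Signing secrets by key id (kid); rotate() retires all existing keys."""

    def __init__(self):
        self._keys = {}          # kid -> 32-byte secret
        self.current_kid = None

    def add_key(self, kid=None, secret=None):
        kid = kid or secrets.token_hex(4)
        self._keys[kid] = secret or secrets.token_bytes(32)
        self.current_kid = kid
        return kid

    def rotate(self):
        """Incident response: forget every old key. Any cookie that names a
        retired kid (including one an attacker forged with the leaked secret)
        is rejected from now on; users simply sign in again."""
        self._keys.clear()
        return self.add_key()

    def secret(self, kid):
        return self._keys.get(kid) if isinstance(kid, str) else None


def _b64e(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64d(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_cookie(ring, subject, ttl=3600, now=None):
    """cookie = b64(json payload) '.' b64(HMAC-SHA256 over the payload)."""
    now = int(time.time()) if now is None else now
    payload = {"sub": subject, "exp": now + ttl, "kid": ring.current_kid}
    body = _b64e(json.dumps(payload, separators=(",", ":")).encode())
    sig = hmac.new(ring.secret(payload["kid"]), body.encode(), hashlib.sha256).digest()
    return body + "." + _b64e(sig)


def verify_cookie(ring, cookie, now=None):
    """Return the subject on success, or a '!reason' string on rejection.
    Signature is checked before expiry so the failure reasons never leak
    whether a forged cookie's payload was otherwise acceptable."""
    now = int(time.time()) if now is None else now
    try:
        body, sig = cookie.split(".", 1)
        payload = json.loads(_b64d(body))
        kid, exp, sub = payload["kid"], int(payload["exp"]), payload["sub"]
        sig_bytes = _b64d(sig)
    except (ValueError, KeyError, TypeError):
        return "!malformed"
    secret = ring.secret(kid)
    if secret is None:
        return "!unknown-or-retired-key"
    expected = hmac.new(secret, body.encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig_bytes):
        return "!bad-signature"
    if exp < now:
        return "!expired"
    return sub
```

Pair this with `SameSite=Strict`/`HttpOnly` on the cookie so a page on another origin cannot ride an existing session the way step 4 of the question describes.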
| tjoff wrote:
| Is there any reason to worry if you run a local controller that doesn't have any connection to a cloud account?
| exabrial wrote:
| If they would have stayed with the on-premise model, this would have never happened.
| 1vuio0pswjnm7 wrote:
| It is interesting to do a search of HN for past references to "Ubiquiti". Whenever the topic of routers came up, many comments followed that recommended them above any alternatives. Commenters seemed proud to tell the world they were using Ubiquiti, as if the "HN consensus" for home routers was to choose Ubiquiti.
|
| It seemed to me Ubiquiti would never allow customers the option to install their own OS (e.g., BSD) or boot from external media containing a non-Ubiquiti OS, without sacrificing the benefits of hardware specs that were likely deciding factors in selecting the Ubiquiti hardware above existing alternatives. The intent was clearly to have Ubiquiti retain control over the hardware after purchase. The customer effectively remained tied to Ubiquiti forever, so if the company started serving ads, using AWS unnecessarily, etc., there's no way to opt out. The customer is compelled to accept all updates.
|
| Specs are important, but maybe not as important as control.
|
| Reliance on third parties necessarily increases potential risk. Unnecessary use of third parties is, IMO, poor decision-making. This is of course rampant in "tech" and, IMO, marks a triumph of the salesforce for those third parties over common sense, possibly assisted by network effects. Further, I dislike products where there is a heavy focus on opaque "updates". Again, many customers have been trained to believe that not updating is always the wrong decision. (Meanwhile they have no idea what is in each update.)
|
| As stated in one of the blog post comments:
|
| "It is even worse: Ubiquiti forced all users to use cloud-based authentication even for accessing your controller software on a local network with a local client. This was not even properly communicated but deployed by one of the regular maintenance updates."
| myrandomcomment wrote:
| I do not understand this comment.
|
| Ubiquiti sells turn key HW and there never was any hint that this was HW you could roll your own on.
|
| I could buy APs that I could install OpenWRT on. I could set up an OpenBSD firewall. I could run my own DNS. I have done all this in the past. The point is I do not want to anymore. I have better things to do with my time. So as a turn key solution that is "prosumer" their kit works and I think you will find that is why most people here have recommended it.
|
| You can disable the Cloud connection and I posted how in this thread. People on HN are tech savvy enough to sort that part.
|
| The fact of the matter is they had a bad security breach and they have a cloud connected platform. Oops. That sucks. But the reality is that market forces have pretty much tied evaluations to cloud connections and telemetry gathered from it. That is the part that REALLY sucks. I do not blame them for trying to make money. I am angry if they were less than truthful in the details of the breach and I am sure both the SEC and the court of public opinion will punish them.
|
| For my part, I have no plans to replace the 4 switches in my house with boxes running SONiC nor the 4 APs with OpenWRT or my firewall with OpenBSD because I just really do not care to have to maintain it, and if I drop dead tomorrow my wife can likely sort the UniFi stuff (as I have documentation on the setup) but there is no way she could sort the roll-your-own.
| tjoff wrote:
| _"It is even worse: Ubiquiti forced all users to use cloud-based authentication even for accessing your controller software on a local network with a local client. This was not even properly communicated but deployed by one of the regular maintenance updates."_
|
| Uh? That is demonstrably not true. Any more details?
| robbiet480 wrote:
| > According to Adam, the hackers obtained full read/write access to Ubiquiti databases at Amazon Web Services
|
| Not good!
| jbm wrote:
| Say what you want but my cheap old Linksys router never leaked my passwords.
| caseysoftware wrote:
| _"Adam says the attacker(s) had access to privileged credentials that were previously stored in the LastPass account of a Ubiquiti IT employee, and gained root administrator access to all Ubiquiti AWS accounts, including all S3 data buckets, all application logs, all databases, all user database credentials, and secrets required to forge single sign-on (SSO) cookies."_
|
| Holy...
|
| Wow. That is catastrophic. Everything is compromised. That's a complete rebuild.
| jandrese wrote:
| Or they'll just change their passwords and pretend to have solved the problem.
| EvanAnderson wrote:
| I wonder how difficult it would be to implement a rudimentary controller for their APs. The WLAN configurations are just text files in the /etc directory. Getting feature parity would be a lot of work, but I bet the bar isn't too high for simple functionality. Most of the "magic" is happening in hostapd on the APs anyway.
| abledon wrote:
| >Adam says the attacker(s) had access to privileged credentials that were previously stored in the LastPass account of a Ubiquiti IT employee.
|
| So the laptop probably had some malware/keylogger on it that was able to pick up some data in the LastPass browser extension or something?
| hedora wrote:
| _previously_ stored. They probably made a CSV backup of the LastPass database. Those aren't encrypted.
| Quarrelsome wrote:
| > Ubiquiti's shares have surged from $243 on Jan. 13 to $370 as of today.
|
| How are we ever going to solve security as an industry against this? Again we're told that security isn't important. Being the first to market and insecure is the winning play and that's just fucked.
| genmud wrote:
| I don't think that it is a solvable problem if the economics stay the same.
|
| SolarWinds is actually trading almost $2/share _more_ than it did 1 year ago today ($15.67 v $17.23). Sure, it is down from its 52 week high ($24.34).
|
| I would argue that SolarWinds should not be allowed to be in business in its current form, considering what a threat they have been to themselves and others in their mis-handling of their software practices and subsequent breach. If an individual did what they did as an employee of the government, they would currently be in jail.
|
| It is probably one of the most impactful national security events in our lifetimes and the impact of this event will be felt in certain areas for years or even decades.
| Quarrelsome wrote:
| I feel like we have to regulate this at a governmental level to get anywhere. We keep automating more and more of our society and it's clear we're unable to protect it but the casuals don't get that and keep charging ahead and we enable them. The amount of power we gift to a given attacker seems to just grow and grow.
|
| But how do we achieve political intervention when technologists and politics appear to be completely incompatible? The closest I've seen is the Pirate Party which never get more than a few percent or that democratic candidate (Yang was it?) and he was pretty fucking clueless on the tech when poked with any significant vigour.
| genmud wrote:
| It is certainly a difficult problem and as such, like most difficult problems, it will likely not be fixed in any meaningful manner.
| We will likely be talking about this exact issue in 5 years, 10 years, and 20 years from now.
|
| Cyberspace Solarium Commission [1] created a robust and well documented roadmap for the Biden transition team to address some of these fundamental problems. IMHO, it is one of the better policy documents and has a number of really good recommendations that I believe would be extremely helpful. The #1 thing I think we could do is address accountability, who is responsible for the security of devices/software and what legal recourse should people have if the vendor doesn't adequately secure or support their products.
|
| I think that there are a bunch of issues and one of the biggest ones is that what we say vs what we do are 2 different things. We also have issues where many of the core business practices that are commonly accepted are incompatible with building a secure and resilient infrastructure.
|
| [1] https://www.solarium.gov/public-communications/transition-bo...
| spockz wrote:
| How can you see whether you have been affected or whether they have poked around your setup and maybe even left something behind? Theoretically you can't really trust anything on your network anymore.
| jeffhodge wrote:
| Kinda strange that they'd ask for a ransom in Bitcoin and not something fully anonymous..
| surfsvammel wrote:
| The plot thickens: "SHAREHOLDER ALERT: Ubiquiti, Inc. Investigated for Possible Securities Laws Violations by Block & Leviton LLP; Investors Should Contact the Firm"
|
| https://finance.yahoo.com/news/shareholder-alert-ubiquiti-in...
| hpkuarg wrote:
| This type of solicitation is a dime a dozen, but I do find the name of the firm hilarious. Anyone who's had to make patch cables would recognize the name...
| rossipedia wrote:
| I am 100% not surprised. I spent a year working for Ubiquiti, running the Network Controller team.
|
| Trust me, this whistle-blower "Adam" (I have a few suspicions of who it actually is), toned it down.
|
| The reality is much much worse.
| ex_ubiquiti wrote:
| I worked at Ubiquiti while you were there. I can confirm that the company was going downhill fast.
|
| The US offices were starting to feel empty because so many people were leaving the company. Only place I've ever worked where engineers would quit before they got another job.
|
| Saddest part was all the wasted potential. There were good engineers making good products at Ubiquiti only a few years ago. Once UniFi exploded in popularity the CEO started trying to micromanage everything and it all started falling apart.
| Silhouette wrote:
| It's unfortunate what seems to have happened to Ubiquiti. The idea of decent network hardware with a good UI that can support the prosumer to small business segment of the market has a lot going for it.
|
| In the early days, it seemed like Ubiquiti was going to nail it and was building up a strong, loyal following as a result. Then came all the reports of quality problems, promised features never delivered, phoning-home, ads in UIs, the not just security breaches but cover-ups...
|
| How the brand hasn't become toxic already is a mystery to me, yet look at the stock price tracker. It's been trending up for years and it has well over doubled in the past six months alone. Apparently investors aren't too worried about any potential consequences of all these reported problems.
| fossuser wrote:
| I think the brand isn't toxic because of the state of the competition.
|
| Even with this hack, their stuff is still the best available for home use. Netgear or Linksys consumer routers are awful. The mesh devices are okay, but serve a different market.
|
| The other stuff people recommend is often 2-3x the Unifi price and 2-3x more complicated to set up and configure.
|
| Any ex-employees want to start a company making this stuff that doesn't suck?
| Silhouette wrote:
| _The other stuff people recommend is often 2-3x the Unifi price and 2-3x more complicated to set up and configure._
|
| I don't know about 2-3x the price, at least not here in the UK. We looked into this when fitting out a new office with the networking essentials a couple of years ago, and Ubiquiti wasn't particularly attractive on headline prices compared to the other typical brands that get mentioned in that space (MikroTik, DrayTek, etc.).
|
| However, the ability for non-networking experts to set something up quickly that does the job and doesn't have glaring security problems is definitely a competitive advantage in that prosumer to small business market. None of those other brands has a great UI that I've seen and they all tend to assume that anyone who wants to set up a couple of extra APs for a small office WiFi and a standard firewall for the Internet connection will be a pro-level network expert.
|
| I think it would help a lot of people if better products/companies started to compete seriously on that front, and I have to think that with the SME market to fight for there is room to compete with the established names. After all, that is largely how Ubiquiti themselves broke into the market, or at least that's the perception I had at the time.
| ex_ubiquiti wrote:
| The early days at Ubiquiti were good. I worked with a lot of good engineers and we shipped good work. The decline is a recent problem.
|
| > How the brand hasn't become toxic already is a mystery to me, yet look at the stock price tracker. It's been trending up for years and it has well over doubled in the past six months alone.
|
| This is your answer. No incentive to change. All of the bad engineering decisions have been rewarded by increasing stock price and continued sales.
|
| Most of the original engineers have quit by now.
| I lost track of how many UniFi engineering leads joined and then quit after it started falling apart. Before I quit, I heard rumors that the CEO was making two separate teams work on the Dream Machine project separately, competing against each other. That made more people quit. I think they were trying to reboot engineering in foreign countries when I left because it felt like we were forgotten in the US offices.
| ihsw wrote:
| What do you suggest for someone leaning on an EdgeRouter Lite (with EdgeOS v1.10.11, staying far away from v2.x) and a Unifi UAP-AC-PRO access point?
|
| The router will probably reliably carry me until saturating 1Gbps becomes a daily occurrence and the access point will be retired when WiFi 6E comes around (assuming Ubiquiti's WiFi 6E access points aren't required to connect to the cloud.)
| Loughla wrote:
| >I heard rumors that the CEO was making two separate teams work [. . .] separately, competing against each other.
|
| I don't work in tech, so maybe I'm dumb to this, but why would you ever do this?
| fletchowns wrote:
| Isn't Oracle notorious for doing this?
| rossipedia wrote:
| This is not surprising to me at all.
|
| IMO, the CEO had a bit of a Steve Jobs hero-worship complex, but only all the bad parts. I can absolutely see him putting two teams on the same project, and "may the best product win".
|
| The team that "lost" would get canned, obviously (I saw it happen to two separate offices while I was there).
| tablespoon wrote:
| > IMO, the CEO had a bit of a Steve Jobs hero-worship complex, but only all the bad parts.
|
| Part of me wishes Steve Jobs had never been brought back to Apple and died in obscurity. He's such a bad example. People idolize him, but his good parts can't be imitated, his bad parts can, and a lot of people can't seem to tell the difference.
| gralx wrote:
| Intel tried this too, according to an ex-Intel employee here.
| It's a management strategy intended to get the best result by inspiring competition. The problems it invites are the obvious, but the tradeoff may be justified in some scenarios.
|
| It's also the premise of David Mamet's famous play _Glengarry Glen Ross_.
| jakeva wrote:
| I imagine it comes from some flawed business belief in the survival of the fittest. I've never heard a tech person advocate for it, I only ever hear it from business types.
| Silhouette wrote:
| Of the things I've seen reportedly happening at Ubiquiti, that one makes more sense than some.
|
| Businesses put projects out to tender all the time, and other businesses that can provide what is wanted invest sometimes very considerable resources into putting in a bid, knowing that if they don't make the winning bid then those resources will most likely be completely wasted. Evidently it is still worth operating a business on that basis because the benefits when you do win outweigh the costs of the failed bids, and those costs might include reducing morale in a team who worked on a failed bid.
|
| If that is the case across industries as a whole then economically it _might_ make sense for a business to operate on the same basis internally for their Next Big Thing. Run multiple independent teams at the start, give them all the same brief, then see which team comes up with the most promising starting point. I don't see much of an argument for continuing the internal competition beyond the concept to prototype stage, though, unless perhaps it turned out that more than one team could produce a product that was viable in its own right without competing for the same market.
| rsync wrote:
| Now rewrite your entire comment with s/ubiquiti/sonos/g.
|
| So much wasted potential ... so much customer goodwill wasted because (apparently) no company is worth running unless it is a publicly traded unicorn.
| colineartheta wrote:
| Just curious (I agree with you), but what are the s/ and /g for? Samsung and Google?
| brod wrote:
| I think the OP is using the sed syntax [0] to say:
|
| > _Now rewrite your entire comment with sonos instead of ubiquiti._
|
| [0] https://www.grymoire.com/Unix/Sed.html#uh-6
| istjohn wrote:
| That's the syntax for search and replace with _sed_ on Linux.
| inetknght wrote:
| Good tools support search and replace. Better tools support regular expressions.
|
| https://linux.die.net/man/1/sed
| [deleted]
| tinco wrote:
| It's how you do a text replacement in VIM, I believe it's s for substitute, /../ for the regular expression, and g for global, to substitute multiple instances.
| actimia wrote:
| It is a `sed` command, used to replace (s/) all (/g) instances of the first word with the second.
| brabel wrote:
| https://www.cyberciti.biz/faq/how-to-use-sed-to-find-and-rep...
| [deleted]
| [deleted]
| javajosh wrote:
| Why is it so easy to snatch defeat from the jaws of victory in tech?
| agentdrtran wrote:
| It's not enough to be good, or great, every tech company wants to be a world-spanning juggernaut. And it's just not possible, let alone desirable.
| rossipedia wrote:
| Greed. 100% greed. While I was there, the CEO loved to just fly between offices (randomly) on his private jet. You never knew where he'd pop up, and that put everybody on edge, because when he was unhappy he tended to fire people in large chunks (and shut down entire offices). Every decision was motivated by how it affected the stock price.
| croutonwagon wrote:
| Even if greed is the only factor, being unwilling to take a short term loss or hit while you rebuild or reinvest is just short sighted.
|
| Most successes come with some amount of risk or foresight to anticipate the market.
| JustSomeNobody wrote:
| > Ubiquiti's stock price has grown remarkably since the company's breach disclosure Jan. 16.
| After a brief dip following the news, Ubiquiti's shares have surged from $243 on Jan. 13 to $370 as of today.
|
| Why? Coincidence?
| qwertox wrote:
| It really doesn't get worse than this. But isn't Ubiquiti more of a prosumer company, like MikroTik? MikroTik does get a lot of heat when they have a security vulnerability and get downranked for it as if it were far, far away from Ubiquiti's security profile (something like "US vs. some east EU country"), but this event tells a lot about Ubiquiti's upper management and their internal security practices.
| messo wrote:
| Have MikroTik had any security vulnerabilities anywhere close to what has now been revealed about Ubiquiti? MikroTik's firmware seems very solid and I get the impression that they care about security and routines.
| pilsetnieks wrote:
| Fun fact - a lot of Ubiquiti's engineering is located in that same "east EU country". In fact, if you look at the open positions - https://careers.ui.com/positions - it appears most of the development happens in Central/Eastern/Northern Europe.
| Saris wrote:
| A potential option for anyone wanting to avoid buying new hardware to move away from Ubiquiti management software: https://openwrt.org/toh/start?dataflt%5BBrand*%7E%5D=Ubiquit...
| akkartik wrote:
| Why do people trust _any_ IoT devices these days? Shouldn't we be trying to _reduce_ our exposure to (inevitably insecure) software? What benefits does it provide that are worth the unbounded risks?
| ramraj07 wrote:
| It's not _that_ unbounded? At least not yet! Until a tech savvy neighbor who's also a creep can easily break into your network and home camera I'm not personally worried.
| akkartik wrote:
| Why does it have to be a neighbor? It says "internet" on the tin. Do you have confidence that random people on the internet can't do the equivalent of a port-scan on you?
|
| The other way I think of it is, I don't use it right now.
| It likely has open doors, intentional or unintentional. If the open doors are widely discovered, reliably closing them seems difficult. The highest-leverage point in time to influence this story is before I start using it. "The only winning move is not to play."
|
| Feedback appreciated on this thought process.
| arbitrage wrote:
| been doing it for years. meet the new boss, same as the old boss.
|
| this is the other side of the coin of "you don't need privacy if you have nothing to hide", and it's exactly as stupid in application here as it ever is.
| vorpalhex wrote:
| Well, guess I won't be able to drop a few thousand on Ubiquiti gear anymore until we get some more details. Hopefully this account isn't fully truthful, otherwise Ubiquiti has really screwed up.
| [deleted]
| kitsunesoba wrote:
| A few months ago I was considering outfitting my apartment with Ubiquiti gear but ultimately decided to stick to an aging AirPort Extreme and a couple of cheap ethernet switches after seeing reports of bugs with various Ubiquiti pieces. Seems that was a good judgement...
| rswskg wrote:
| meh, not really a good substitute. They've got the prosumer market locked down.
|
| Probably why they got into this mess. Lots of successful product people deferring 'non product' stuff.
| knz wrote:
| > Hopefully this account isn't fully truthful
|
| Brian Krebs is a reputable source who has a lot to lose if he makes unsubstantiated claims.
| vorpalhex wrote:
| He's quoting a source. I don't doubt Krebs in the slightest but he's simply forwarding someone else's account.
| logicslave wrote:
| But the routers have a nice user interface!
| temp0826 wrote:
| My favorite part of the web interface is when it silently reverts changes made at the command line.
| dismalpedigree wrote:
| You enjoy that also? I thought I was the only one...
| nikisweeting wrote:
| The APs and switches are stateless by design (which I sort of like), but if you make CLI changes on the controller using the config file they are not reverted in my experience.
|
| Though it's not super well supported either because they prefer people using the web UI to the config file.
| 650REDHAIR wrote:
| That's a feature not a bug
| okigan wrote:
| Ran into this [1] issue with Ubiquiti and Stripe integration. Short story: Ubiquiti's integration insists on sending credit card numbers directly to Stripe (vs using a more secure method).
|
| The issue has been there for 2 years -- which is beyond odd. When I've reached out to tech support the issue was effectively closed as a known issue.
|
| [1] https://community.ui.com/questions/Tokenization-for-Stripe-I...
| speeder wrote:
| I wonder why their legal department would PREVENT them from saving their users.
|
| What legal reason would exist for that? I thought legal would instead force them to save their users, since otherwise they would risk getting sued by all of them for all the damages caused or something.
| lakecresva wrote:
| > a source who participated in the response to that breach alleges Ubiquiti massively downplayed a "catastrophic" incident to minimize the hit to its stock price, and that the third-party cloud provider claim was a fabrication.
|
| I'm sure their lawyers don't know anything about tech or forensics, but they know how to buy shareholders time in a way that minimizes anyone's chances of going to prison or facing serious civil liability. If you ask someone in charge of hiring corporate counsel what they look for in a lawyer, they will flat out tell you "a good risk manager who understands discretion" which just means "someone who's going to tell us what we can get away with".
|
| The regulatory system in the US is sufficiently dysfunctional that there is zero incentive for corporate counsel to even consider what's in the best interest of consumers.
| izacus wrote:
| > I wonder why their legal department would PREVENT them from saving their users.
|
| Good legal departments understand that the company is there to serve the users and make them happy and operate within those constraints (even trading off possible liability when it makes the products sell better).
|
| Horrible legal departments will block anything that has even a smell of liability, even when it comes to sabotaging the product itself and hiding serious issues from users and employees.
|
| I've met way too many ones from the second group.
| tgsovlerkhgsel wrote:
| Successfully sweeping it under the carpet means you don't get sued for the mistakes you made.
|
| Legal isn't there to make sure the company complies with the laws. Legal is there to advise on and minimize legal risk.
| cheph wrote:
| > Legal isn't there to make sure the company complies with the laws. Legal is there to advise on and minimize legal risk.
|
| Breaking laws is one sure way to increase legal liability.
| hedora wrote:
| Only if you get caught.
| mywittyname wrote:
| And be successfully prosecuted.
|
| I'm sure someone in legal knows someone at the AG's office who might be "considering the private sector" in the near future.
| rStar wrote:
| but if you get away with it 90% of the time....
| tgsovlerkhgsel wrote:
| Yes, but if you've broken one law already, breaking another one by sweeping it under the carpet may sound very attractive.
| nitrogen wrote:
| _Legal isn't there to make sure the company complies with the laws. Legal is there to advise on and minimize legal risk._
|
| "It's not like we're building bridges or something." -- any legal department when faced with engineers' ethical duty to report a hack.
| amzans wrote:
| The scope of this breach is frightening.
|
| Would be great to better understand how the LastPass credentials got leaked in the first place.
|
| Anyone found any comment on that?
| bedhead wrote:
| Ubiquiti is another one of these companies where if you did nothing but read about them on HN, Reddit, et al, you would think they're filing for bankruptcy tomorrow, set orphanages on fire, kill puppies, etc. The negative hyperbole around this company is something else, hack or not. And yet, all they do is thrive...
| blablabla123 wrote:
| The hardware is very cheap and the market for their products is thriving. In fact it's possible to put custom software on it actually without using their cloud.
|
| > if you did nothing but read about them on HN, Reddit, et al, you would think they're filing for bankruptcy tomorrow, set orphanages on fire, kill puppies, etc.
|
| I need to check these posts ;)
| bedhead wrote:
| Seriously I'm just tired of it. Do you know how many tech geeks over the last few years have proudly proclaimed online that the company is "going downhill" and they'll never buy any more Ubiquiti products? 50 billion, that's how many. How many follow through? Evidently zero. It's comical. The hack is obviously not good, but GMAFB.
| akkartik wrote:
| Can you elaborate on what break this is that you desire? What would you like to have happen?
| christophilus wrote:
| Is it? Until very recently, I've only seen positive comments about them.
| [deleted]
| tw04 wrote:
| It's a long tail if I had to guess. In my "circle" of coworkers almost every last one has Ubiquiti today, and every last one is planning to replace it with something else when they make the jump to WiFi 6.
|
| Maybe we're the anomaly, but I have a feeling 2 years from now if they continue down the path they're on, their earnings will not be quite so rosy.
| bedhead wrote:
| My point is partly, let's check in a year from now.
| I'd wager not one of your coworkers switched. Zero.
| tw04 wrote:
| You'd have lost that bet already. One of them switched to Aruba last week. I've already replaced several pieces of ubnt gear as well and posted them for sale on eBay. The APs I'm holding off on until there are some solid WiFi 6E options.
|
| I know of at least two others that currently have hardware on order to replace existing ubnt routers with OPNsense so you can add them to the list by the end of April.
| wnevets wrote:
| Is it just me or are you no longer able to avoid the cloud with the latest software updates for UniFi?
| surfsvammel wrote:
| If you are using CK, Protect and/or the iOS app, it seems that you need Remote Access (a.k.a. Cloud) enabled for authentication.
| myrandomcomment wrote:
| No you do not, only for setup. You can disable it after. See my other comment.
| blhack wrote:
| Well this absolutely sucks :(. I've been a huge supporter of Ubiquiti ever since I was buying their mini PCI cards and sticking them into Soekris Engineering boards (Ubiquiti started out as a hardware company).
|
| The magic thing that absolutely sold me on their equipment was the ease with which you could provision and mesh new gear. Does anybody have anything that compares with that ease of use?
|
| To explain what I mean: I recently had a buddy move into our guest house/apartment. While we waited for the ISP to come out and hook up his internet, I just put an AP on his counter, powered it up, and meshed it into our home network. The whole process took less than a minute and didn't require any running of ethernet.
|
| (Maybe that's a common feature nowadays and I've just been out of the industry for so long?)
| smashah wrote:
| I can vouch for Google WiFi. Very simple to set up.
| rys wrote:
| I'm willing to see what Ubiquiti will do to make it right before I switch away, because I have a local-only setup of EdgeRouter and UniFi APs that's been absolutely great in the years I've had it, but this is really last chance saloon stuff now.
|
| I'm looking for a proper post-mortem and the steps to make sure it can't happen again, recommitment to local-only users and respect of the customer, and a step back from the push to cloud everything.
| yabones wrote:
| > "The breach was massive, customer data was at risk, access to customers' devices deployed in corporations and homes around the world was at risk."
|
| > "They were able to get cryptographic secrets for single sign-on cookies and remote access, full source code control contents, and signing keys exfiltration,"
|
| Maybe putting your network control plane in 'the cloud' isn't such a good idea after all...
|
| Edit: Just re-read the article, this part stood out:
|
| > the attacker(s) had access to privileged credentials that were previously stored in the LastPass account of a Ubiquiti IT employee, and gained root administrator access to all Ubiquiti AWS accounts, including all S3 data buckets, all application logs, all databases, all user database credentials, and secrets required to forge single sign-on (SSO) cookies.
|
| > Adam says Ubiquiti's security team picked up signals in late December 2020 that someone with administrative access had set up several Linux virtual machines that weren't accounted for.
|
| If this is true, and whoever breached them had full access to their AWS account, can we really trust them to clean up all their tokens and fully eradicate all forms of persistence the hackers may have gotten?
| ryan29 wrote:
| It's odd how the big cloud vendors have been able to escape criticism for being completely open by default. Other vendors have been taken to task and have adopted better security practices.
| For example, SuperMicro IPMI comes with a random password now.
|
| It's extremely difficult to lock down an AWS account when there are a bajillion services, IAM policies, roles, etc. I've been trying for the last few days and it's so difficult that I can understand things like this. I don't think it's acceptable, but I can see how it happens.
|
| I think the expectation for AWS, Azure, GCP, etc. needs to change. Accounts should allow nothing by default and part of the tutorial / learning process should be understanding the permissions needed for each service and how to limit access to those services. As a bonus, they should show you how to configure Budget Actions to catch anomalies and runaway services. For example, I'm trying to set up my account so SMTP access to SES gets revoked for SMTP users if the message count exceeds a certain threshold. It's really, really hard because there's not a single document / guide that shows the process from start to finish.
| musingsole wrote:
| You can use AWS Accounts like microservices. The biggest security walls in AWS are the account barriers. Those have to be specifically configured to cross. Sometimes (1%) it's unavoidable, but if you have multiple services running on an account, you force yourself to weave arcane webs of IAM permissions crisscrossing all over to get what you need where. It's a terrible model that people inflict on themselves because it's how everything used to work.
| yebyen wrote:
| The triangle says Confidentiality, Availability, Integrity.
|
| While your concerns are 100% valid, we need to remember too that setting up access in restricted ways and inviting users to understand the protection and remove the correct barriers, or implement the concerns necessary to interact with those for themselves, always runs the risk that some users will find your protections cumbersome and instead find a (totally incorrect) way to baffle them, or otherwise even route around them entirely, mooting any efforts to secure a platform.
|
| And every time I hear this played out in conversation, the answer is "that's on them!" But it's clearly a balancing act, it's a trade off; tautologically, when you make the service less accessible then... it is, well, ... made less accessible.
|
| Besides facilitation of the secure access, sales conversion ratios will also depend on that accessibility. The crux of your argument stands, the defaults are too open, and we need to do more to ensure that naive users aren't handed a loaded gun to aim at their own feet.
| kenforthewin wrote:
| Spinning up your own DB instance is also "open by default" and takes both effort and expertise to secure properly. I think it's pretty reasonable that there's a large surface area of IAM permissions when AWS offers a vast number of disparate services.
| sofixa wrote:
| Uhm.. in the AWS I've used, it's on explicit allow, and all of their docs and tutorials start with IAM and what's needed and why. What more do you want? I can't imagine IAM being simpler while being as granular as it is. You just have to actually take the time to learn about it, like every system. It's still drastically easier to use it securely than doing something on a similar scale and detail manually.
| ryan29 wrote:
| > What more do you want?
|
| The hard part for me is figuring out how to disable access without breaking everything.
| I know it'll be useful once I understand and I'll take the time I need to learn it, but most people won't.
|
| I prefer the opposite learning direction. Start closed and open the 1 or 2 things I need instead of having to understand 1000 things immediately to configure permissions reasonably.
| ryandrake wrote:
| > Maybe putting your network control plane in 'the cloud' isn't such a good idea after all...
|
| Isn't one of the major selling points of cloud-everything "How can you possibly secure your service better than BigRespectableCompany?" I know any time I bring up self-hosting E-mail or a web site or whatever, someone always comes out of the woodwork to remind me that I am not an expert in securing Internet services, and that BigRespectableCompanies have full-time employees dedicated to security. Surely I should be moving to the cloud for this expertise! This is sounding more and more like FUD to me.
| sofixa wrote:
| > BigRespectableCompanies
|
| Ubiquiti really aren't in the same ballpark as AWS or Microsoft, which are the companies people use that argument for, and you can bet your ass their security is better than in most places.
| vkou wrote:
| You may be smart, and have secured your systems properly, but someone with the same resume as you in another company might not be.
|
| As your manager, how can I tell the difference between someone who actually did the work right, and someone who said they did the work right (and also legitimately believes that they did)?
| grayhatter wrote:
| You never can be... but you should already know that being a manager. But if you're the target of an advanced persistent threat, it doesn't matter how good your guy is, they'll win eventually when the next 0day no one knew about shows up. But then your cloud provider will have been broken into dozens of times already.
| Hundreds of companies have to do a security audit of all of their networks now* because Ubnt got, got. The only ones who don't are idiots, or not using ubnt et al.
| IgorPartola wrote:
| Was shopping for alternatives to my Ubiquiti last night. Seems like there is nothing good out there. Engenius has shit hardware and a cloud controller. Aruba has a cloud controller AND you have to pay for a license. Cisco makes you pay for a license. TP-Link is cloud-based.
|
| WTF. Does anyone have a decent WAP where I can use PoE, deploy like 5 of them and have them support roaming between APs, all managed locally? Is that too much to ask?
| swiley wrote:
| If you don't feel like configuring hostapd and dnsmasq I'm pretty sure there's an nmcli one-liner that will have network manager run a WAP for you. I use 'hotspot' on my phone all the time.
|
| WAPs have been absolute crap for years.
| ptomato wrote:
| Ruckus Unleashed is what you're looking for.
| surfsvammel wrote:
| They are triple the cost of the UniFi stuff. So not really a drop in replacement.
| bubblethink wrote:
| Look on ebay for slightly older models. R710, R720 should be $200-$300. Not a replacement at scale, but the one-off purchase from ebay is fine for home use.
| [deleted]
| azernik wrote:
| Disclaimer: worked for Meraki (now Cisco Meraki) for several years.
|
| Generally, halfway decent wireless APs are all targeted at the enterprise market. Consumer hardware is a brutal race to the bottom, as lay consumers aren't qualified to compare options based on anything but price and UI. Ubiquiti was an outlier in trying to bring enterprise features to the consumer market.
|
| The problem for enthusiasts and small business/home office setups like yours is that both the enterprise market (e.g. Meraki) and the premium consumer market (e.g. Google WiFi) focus heavily on ease of management - cloud controllers are table stakes these days, not a controversial feature.
| Part of that premium that Meraki, Aruba, and that class of enterprise supplier charge is about having a trustworthy and secured backend.
|
| Note, however, that roaming between APs is a feature of the 802.11 standard; you just need to have all your APs on the same layer 2 (802.x) network, and using the same SSID and credentials. No fancy hardware required, and you can even mix and match vendors.
| fullstop wrote:
| Surely 802.11r has a purpose, yes?
| cassianoleal wrote:
| Yes, roaming by sharing SSID and passcode is a world of pain. 802.11r solves all those pains, I've been using it on OpenWRT for months without a glitch.
| betterunix2 wrote:
| Faster handoffs between APs.
| passivate wrote:
| We use Meraki MR/MX stuff at our office and are generally happy with the value & service. The MS stuff though, that's another story. Do you guys have plans to enter the sub $2K tier with L3 devices?
| judge2020 wrote:
| > having a trustworthy and secured backend.
|
| Ubiquiti had a secured backend - their screw-up was not doing MFA on their admin accounts. I would still like if there was an option for a local-only control panel.
| red_phone wrote:
| For their UniFi line, at least, you don't have to use their cloud controller. You can self-host.
| SV_BubbleTime wrote:
| My personal experience with Meraki has been the very definition of vendor lock-in.
|
| The security appliance was relatively cheap, then we saw the fine print that the total bandwidth was artificially limited and increased only adequately two product levels up. Sorry Mr BubbleTime, you need to buy a new appliance and a new license. Your old one is worth nothing and non-transferable, watch it rot.
|
| The switches seem absurdly expensive when you consider the 5-7 year licensing costs. And the quality is poor at best considering Meraki went and pushed a firmware update that bricked every fan in every 48 port switch we had.
| But you have the security appliance so it "only makes sense" to pay for these switches.
|
| We had an IPSEC incompatibility between a vendor with an ASA and our Meraki gear. The solution was to buy a Cisco device just for that one connection.
|
| All in all, it's passable, but because of the lock-in it's not like I have a cost effective choice to get away from it. I wouldn't choose it again.
|
| That said, it does offer a mediocre IT tech a single pane of glass they have to try to mess up.
|
| Of all the Meraki factors I've learned and considered, that it is cloud-based is the least important towards my recommendation or lack of. There are lots of people that would be happy to explain all the ways my experience is wrong, but whatever.
|
| Short version, I wouldn't do it again.
| foobiekr wrote:
| Is there a community for this kind of discussion at this point? When I was an admin, and then later working in networking in the 2000s, there were tons of very active mailing lists, not just for hardcore networking but for IT-oriented stuff, mostly all faded to a shadow of their former selves.
|
| I'd be particularly interested in comparisons of Meraki/Mist/etc. for small enterprise and campus.
| jlawer wrote:
| Completely agree with the lock-in, and they aren't the best / featureful device out there. It seems the sweet spot for them is places with LARGE distributed footprints (such as retailers), where you can have very simple networking (some back to HQ, the rest to internet).
|
| It fits well with being able to rapidly bring bodies into a project and implement change X across hundreds of stores, while having a standing IT team of 5.
|
| If you have onsite (fulltime) IT, it's likely not the best option.
| antattack wrote:
| Omada EAP245. You can use appliance and/or software controller that you can run locally, to manage your APs, no cloud needed.
|
| https://www.tp-link.com/us/business-networking/ceiling-mount...
| nicolas314 wrote:
| And if you only have one, no need to run Omada. Completely controlled from the AP web interface.
| topher_t wrote:
| I hear Cardi B and Megan Thee Stallion have some pretty excellent WAPs.
| mattmcknight wrote:
| You are going to end up paying for a license to cover security updates. I use Fortinet, not cheap.
| Scramblejams wrote:
| No, TP-Link's Omada controller can be run locally, I do that at home and at my parents' house. It is not cloud-connected unless you turn that on. Runs surprisingly well on a Raspberry Pi 2, actually.
|
| I've got a setup similar to what you're asking for. The TP-Link APs (AC1750, AC1350 and AC1200) support PoE, they're in a wireless mesh, support roaming, and all configuration is handled with one interface, no cloud involved.
|
| Just make sure that what you're ordering says it supports Omada. They still ship a lot of SMB gear that doesn't, but all the basics are there now.
| IgorPartola wrote:
| How is the experience otherwise? Roaming? Throughput? Reliability? I generally like their hardware.
| jackweirdy wrote:
| Great without it. The major improvement I noticed with it, is 802.11k & v (faster handoff).
|
| Without those, it takes a little longer for the device to switch APs at the borders of their coverage. Mostly imperceptible, but the longer handoff times can be enough to kill a phone call over iPhone WiFi calling.
| agurk wrote:
| I run a similar setup with a bunch of EAP-225 APs controlled by a local instance of their Omada software (running on x64 rather than on ARM).
|
| I've been very happy with roaming/throughput/reliability generally. The EAP-225 is 2x2, which they don't readily announce. Their newer and more expensive units are available as 4x4. That being said they're so cheap, I've been happy just to throw more onto the network.
|
| For the software to manage them it uses some kind of multicast identification scheme to find new APs.
| If you're on a different subnet then it won't be able to automatically see them. They have a tool to connect to the AP and give it the management server IP, but that's Windows only.
|
| The other option (that I went for) is just to create a management VLAN (good practice anyway) that the controller and APs live on. This is specifically supported by the APs.
| Scramblejams wrote:
| Only been using it for a few months but it's been good. I moved the config I mentioned above (the three APs) to my parents' house and they haven't had any problems. Throughput in their case is a little limited but that's expected with the installation (no ethernet and a lotta walls). Hasn't needed a reboot or anything.
|
| I just started using an EAP660 HD[1] at home a week ago, so far so good. Haven't topped out the speeds yet because nothing in my house can take advantage, but I have some AX200 cards coming. I understand there's a throughput bug at the moment that's going to be solved in a future firmware fix[0], but my clients don't go fast enough to hit that yet. TP-Link seems to very actively update their firmware for the pieces I've been using, FWIW.
|
| So I've been pretty happy with it so far. Roaming has been fine, though in one case I think I had non-optimally located a couple of APs because my Linux laptop kept rapid-fire flapping between two of them. I believe that's a client-side problem, though.
|
| I did try a Cisco 240AC and its wifi performance was rock solid. The management interface is non-cloud, and I believe covers the whole network, but it lives inside the AP itself, which I don't love. The management UI is buggy and they seem slow to push bugfixes, and when I added a 142ACM to extend my network it started going flaky -- I had to do a factory reset/reconfigure of the 240AC to resolve it, then it happened again a few weeks later -- so I'm gonna flip my Cisco stuff on eBay.
| :-(
|
| [0] https://hwp.media/articles/review_and_test_of_the_tp_link_ea...
|
| [1] Tip if you adopt one of these in Omada: You need to give Omada the EAP660's password (default "admin"/"admin") for it to successfully adopt. The other APs never required a password to adopt, so it was a little confusing until the internet came to the rescue.
| IgorPartola wrote:
| SOLD! Thank you.
| Scramblejams wrote:
| Good luck! If you think of it, post a reply back here letting me know how it goes.
| fangorn wrote:
| I bought 3 EAP330s and TP-Link deprecated them after a year or so. No more firmware upgrades for their (then) top "enterprise" access points. Rumour says they weren't happy with the chipset, so decided to abandon them altogether (just this model, cheaper ones were on different chipsets and support was available for longer). Last time I checked there was no OpenWRT support of any kind. They did hang when I had port aggregation enabled and seemed to run rather hot. But feature-wise and non-trunked-networking-wise they were fine, supported what I was looking for, no cloud, I didn't even use the controller, you can just manage them "the old school" way. But don't count on years of support.
| laurentdc wrote:
| For what it's worth, we've been running about 15 TP-Link EAP225 in a warehouse without any hiccups so far. Most importantly they don't randomly die or lose the controller pairing like some low end Ubiquiti units tried in the past. The only quirk is that on Windows Server you have to configure the service manually, but it's no big deal. [0]
|
| [0] https://www.tp-link.com/us/support/faq/2915/
| Melkman wrote:
| I also have a TP-Link Omada setup. For layer2 networking with switches and APs it's fine. Cost effective, reasonably stable, acceptable performance and features that are regularly used are all there.
|
| The layer-3 stuff however is still early days and I can't recommend getting the secure gateway at this time. No IPv6 support. Depends strictly on an internet uplink configuration for default route to which all traffic is then NATted. Can't change that. No real security features, no packet inspection etc. The routing features really feel like an alpha version. They are working on it and have a roadmap to a more workable layer-3 solution. So maybe in the future they will be as nice as the Ubiquiti solution.
|
| Cloud is not needed but possible. You can get an OC-200 controller for not much money that fills the role of single pane configuration web interface. The software for that controller can also be downloaded for Linux on PC or ARM if you want to use your own hardware. Also the network keeps running if the controller is down.
| TedDoesntTalk wrote:
| Are you concerned that TP-Link is a Chinese company? Could your data be exfiltrated back to China?
| caeril wrote:
| edit: Oops, disregard, I've violated HN hivemind statutes, despite being completely factually correct!
|
| What I meant to say is that US law enforcement, and in particular the FBI, are 100% perfect in every way. Nobody has EVER used lawful request overreach to ruin the lives of innocent people. Praise be to J. Edgar Hoover!
| dylan604 wrote:
| It's a sad commentary on how low the bar has been lowered. "No, your system isn't secure, but the people that can access it can't really do you bodily harm" is not really the level I would hope we are trying to achieve.
| astrange wrote:
| This isn't useful input on where the actual bar is since these are all just conspiracy theories. Who is doing any of this?
| TedDoesntTalk wrote:
| I'm not sure what you're calling conspiracy theories since it looks like the GP edited his content, but if you think China is not exfiltrating data from hardware, let me know.
| I'll provide you with copious references from the recent past. Sure, the US is doing it, too.
| ClumsyPilot wrote:
| Kinda like spreading the risks
| snypher wrote:
| I'm not sure where your router connects upstream, but they don't have to swim very far to find somewhere to feed.
| [deleted]
| Scramblejams wrote:
| As a US citizen, I would love for there to be a reasonably-priced US-made alternative. I guess Netgear could be one[0], but their Insight management system is cloud-only, isn't it? Happy to be corrected.
|
| I think I'd rather take an ostensibly-offline controller from China than a cloud-enabled one from the US, though I'm not really happy with those options. :-(
|
| Are there some good options I missed? Would like to hear about them, if there are any.
|
| [0] I expect their hardware is made in China, even if their controller may not be.
| TedDoesntTalk wrote:
| Seems like an opportunity for router software with great UI and management on Linux or Pi to excel. Then run it on anything.
| mypalmike wrote:
| What data would they even want? My WiFi password? My PPPoE password? All my https packets?
| jlawer wrote:
| Synology. Isn't cheap, decent performance though. However it doesn't seem to be the brand's focus.
| [deleted]
| TranceMan wrote:
| Have a look into Ruckus with their local zone director offering.
| __d wrote:
| Maybe a bit too soon, but has anyone tried Maxwell? https://www.crowdsupply.com/andy-haas/maxwell
| jandrese wrote:
| Also add that all of the SOHO equipment is garbage that drops connections randomly, crashes, or simply can't deal with some WiFi chips.
|
| This is the reason I went with the Ubiquiti UniFi 6 years ago. It was the only one I tried that didn't constantly drop connections or cost a fortune.
| But it's only G and I've been considering an upgrade, but there are no good options on the market that don't have stupid cloud management bullshit, are built on garbage hardware, or cost an arm and a leg.
| glsdfgkjsklfj wrote:
| I did the same research 3mo ago. Was torn between a Ubiquiti (mostly because a coworker was bugging me) and a Ruckus Unleashed.
|
| I wish I had gone with the Ruckus.
|
| The lie that you can _easily_ self host your own controller for ubiquiti is vastly exaggerated. Spent several hours of a Saturday patching extremely ancient versions of mongodb and compiling stuff. Not to mention that if you have a VM and turn the controller off, several features of the APs will stop working. And range for their Pro AP is lacking at most.
|
| I wish ubiquiti just published the damn shell commands so I could be able to manage it without the silly troublesome "controller" which is just an annoying web ui. So condescending and inefficient just for the sake of exploiting the customer base for lock-in effect. They are just a little cisco.
| weaksauce wrote:
| have you checked out eero? https://eero.com/
|
| I know someone that works there and they seem pretty happy with the place and product. Just saw the amazon link now though so that may be a detriment depending on your view of them. (I have never used their systems or anything so it's not really an endorsement but something to consider)
| Lammy wrote:
| I have exactly this setup with three Aruba Instant APs (WiFi 5), but afaict they've combined the Instant product line with their cloud offering or something? I'm not entirely sure where they're going with it, but I am very happy with the setup I have.
| roody15 wrote:
| Aruba sells IAP instant models that do this. No cloud required.
|
| (also sell campus controller local no cloud ...
| but this route is pricey)
| Abishek_Muthian wrote:
| > Does anyone have a decent WAP where I can use PoE
|
| There are PoE devices with OpenWRT support[1] and it should be possible to enable 802.11r if they have the support. They can be managed locally even with a self-signed certificate.
|
| [1] https://openwrt.org/toh/views/toh_poe-powered
| IgorPartola wrote:
| I use OpenWRT now and would really rather avoid it. I want a central controller, not having every AP have its own UI. Plus firmware updates are always an adventure.
| the8472 wrote:
| OpenWRT also provides SSH access and CLI tools, so if needed things can be automated the old-fashioned way.
| oblio wrote:
| I don't know about you, but I "automate the old-fashioned way" at my day job, I want the damned thing to just work without me bothering with "SSH access and CLI tools" at home.
| fock wrote:
| and how many APs do you have at home?
| nwmcsween wrote:
| I'll let you in on a little secret, Ubiquiti runs OpenWRT as can be seen by sshing into any uaps
| IgorPartola wrote:
| That's fine. I think it's a great project. But I want someone else to worry about what happens during each firmware update. It's not trivial.
| josteink wrote:
| > Plus firmware updates are always an adventure.
|
| To somewhat eliminate the chances of adventure, I've profiled the setup for each of my many OpenWRT devices and created unique profiles for them in a (reasonably) simple Git repo[1].
|
| All I need to do to get device-specific firmware is to update the OpenWRT version-number in a single makefile and the rest happens automatically.
|
| I've even set up GitHub Actions to build the firmware for me (basically, run make), so I can even get/build new firmware from my phone.
|
| I've yet to have any issues when flashing these builds. It used to be much worse when flashing the regular "official" OpenWRT image and restoring packages afterwards.
|
| Couldn't be simpler!
| (With the regular Linuxy you-have-to-build-it-yourself-first clause)
|
| [1] https://github.com/josteink/openwrt-build
| IgorPartola wrote:
| About 5 years ago I would do the same thing. I want to set it up such that if I win the lotto and move away, the rest of my household can continue using the system without having to learn a CLI.
| motiejus wrote:
| Turris series.
| jiveturkey wrote:
| ubiquiti is fine. you don't _have_ to use the cloud controller. CLI works just fine, at least the products I have used.
| IgorPartola wrote:
| The featured article seems to say to me that they are far from fine.
| heavyset_go wrote:
| Look into Mikrotik hardware and OpenWRT. Of the Mikrotik-based hardware I'm familiar with, they support PoE. OpenWRT supports roaming and mesh networks, and is a local solution, as opposed to a cloud-based one. There are no licenses you need to pay for, either.
| briangerman wrote:
| I just ordered a mikrotik 10gb https://mikrotik.com/product/crs305_1g_4s_in. The guys at work recommended it so hoping for the best!
| sigstoat wrote:
| I've got one of those, and another mikrotik 10gb switch. Whatever the 16 port one is.
|
| They've been working nicely. I have good luck with fiber SFP+ modules, but it seems picky about 1G copper SFP modules, fwiw.
| old-gregg wrote:
| HN community is in an endless loop of switching vendors: https://news.ycombinator.com/item?id=18200119
|
| IMO using what we have intelligently is easier. Ubiquiti hardware has the Edge line of routers and switches that are not cloud-controlled, don't listen on any ports, and don't establish any connections on your behalf.
| Godel_unicode wrote:
| > using what we have intelligently is easier.
|
| Less dopamine, though.
| telesilla wrote:
| Mikrotik is amazing, for what you get. Bit of a learning curve but worth the effort, I've seen large scale wireless networks crossing mountains with their kit.
| jimnotgym wrote:
| I am not a fan of Mikrotik, the UI is not nice and the defaults are not smart. I have seen professionals make mistakes on them several times.
| tails4e wrote:
| I set up a small WISP using mikrotik kit for a few neighbours, it worked well in the end, but the learning curve was immense unless you have a strong networking background. I'd set up and used openwrt before for a domestic router and this was another level of complexity to get basically functional compared to that. That said the level of customizability and scripting (albeit in a weird language) you can do is immense, so for a true power user with a lot of time on their hands, it's a good option.
| tubularhells wrote:
| Mikrotik is nice and does all of those things. Just needs actual expertise at network administration to set up. Once done though, it's fire and forget.
| Saris wrote:
| As far as I know, TP-Link doesn't require any cloud based service, or even a local controller. They can work fine without any of it and you just manage them locally/directly.
| [deleted]
| yumraj wrote:
| TP-Link is a Chinese company. Doesn't inspire much confidence..
| imwillofficial wrote:
| And Cisco does? With its known back doors from the NSA?
| VectorLock wrote:
| Whataboutism aside, Cisco inspires even less confidence. Source: Used to work for Cisco.
| fuzzer37 wrote:
| You could try using an aftermarket, open source firmware. Something like Open-WRT
| timzentu wrote:
| TPLink newer stuff wasn't supported and wasn't going to be DD-WRT for a while there so check first. They have a crypto blob for the radio binary, or the entire firmware system, that the group would need to trust blindly and not be able to adjust settings with, or violate the DMCA to reverse engineer.
|
| Don't know if this is the same case still or not, but they did this for FCC compliance around the time 802.11ac was launching.
| That might have changed, though I'm not sure, I stopped considering them at that time.
|
| Also a good company to look at would be Mikrotik, I have heard good things, but haven't looked into them directly.
| jandrese wrote:
| I've never had good luck with TP-Link hardware though. Constant crashes/disconnections once you get past a few devices on the network, mysterious failures, hardware quickly getting dumped into the unsupported list, and so on. I've sworn off of them entirely.
| SamuelAdams wrote:
| Yep, this is what I do. I used the EAP245 and now the EAP 660 HD. Both were rock solid devices. Managed locally via a web browser. Plugs into a netgear switch, into a pfsense router.
| cassianoleal wrote:
| I have a Turris Omnia for my main router. It's a solid piece of kit.
|
| The OS, TurrisOS, is based on OpenWRT and for a while they were having trouble keeping up-to-date but that's been sorted in recent releases.
|
| There are great features like auto-updates and BTRFS snapshots and the ability to rollback to previous known good if you screw up a config. I also run LXC containers on it for things like PiHole (not on the internal flash but the main board takes an M.2 SSD).
|
| The Turris MOX is a modular Turris system that you can assemble from the parts that you need.
|
| I have a small GL.iNet router upstairs flashed with upstream OpenWRT that I use as a WiFi access point and have set up 802.11r for BSSID roaming. Have been using this setup for months and handoff has been completely transparent.
| takeda wrote:
| Isn't it enough to just disable cloud access?
|
| Edit: I got upvoted by somebody, but as a UI user I'm genuinely looking for an answer. If it's still possible to get inside if devices aren't connected to UI's cloud.
| IgorPartola wrote:
| That's a part of it. But also:
|
| 1. They are now pushing ads to their local controllers. That is a shady tactic. It also means the controller is phoning home.
| It means they might have an XSS in that code now or in the future.
|
| 2. They just deprecated a bunch of relatively new hardware. If I'm going to invest a non-trivial amount into their hardware I want to know it'll keep working for a long time.
|
| 3. They lost trust due to this breach. How can I trust their code to secure my locks network if they can't secure their own?
| klagermkii wrote:
| With TP-Link you can run the Omada controller for their EAP line on a local device (I have it running on a Pi4).
| msh wrote:
| Mikrotik have products that are exactly like that.
| kryogen1c wrote:
| Maybe their different product lines are managed differently, but all my Unifi WAPs, router, and switches are managed on a local controller that I installed and maintain myself.
|
| I recall some features being locked behind a UBNT account, but that was only reporting-type stuff IIRC
|
| https://help.ui.com/hc/en-us/articles/360012282453-UniFi-Set...
| resfirestar wrote:
| > Does anyone have a decent WAP where I can use PoE, deploy like 5 of them and have them support roaming between APs, all managed locally? Is that too much to ask?
|
| Not as comprehensive as Ubiquiti's management interface but the CAPsMAN feature on Mikrotik routers and APs does cover this use case.
| croutonwagon wrote:
| Ruckus R710 or R510 unleashed. I was talking about Ubnt's horrendous security in another thread just last night.
|
| https://news.ycombinator.com/item?id=26628198
|
| Or if you just want Wave1 Hardware...R700/R500
|
| You can get these as overstock on the cheap on amazon etc. The unleashed version means it can run the controller on the AP.
| taddevries wrote:
| The R700/R500 are End-of-Life[1] so be sure you're OK with not getting new firmware.
|
| 1. https://support.ruckuswireless.com/product_families/4-eol-ru...
| WrtCdEvrydy wrote:
| TP-Link Omada is locally controlled (through a smartphone) but you can buy the Omada Cloud to control it remotely.
|
| It works with their small 16 port (8 PoE) switch.
| chrisweekly wrote:
| Happy enough w my Netgear ORBI (2-node mesh router covers my 3500sq ft house; handoff is fine)
| gertrunde wrote:
| The TP-link offering looks very similar to Ubiquiti from a quick scan a month or two back.
|
| Both will run from locally hosted controllers if desired.
|
| I've been seeing more Cisco "Meraki Go" kit around as well, which looks to target the same use cases as Ubiquiti (very very similar gear, WAPs, low end switches & gateways), albeit without a local controller option, but at least without the usual steep Meraki subscription charges.
| notamy wrote:
| Peplink seems pretty good; they do have a Cloud:tm: management offering called InControl2 but as far as I'm aware it's entirely optional. I've had good luck configuring everything via the local UI. My setup is a Balance Two + a few One AX APs.
| betterunix2 wrote:
| Mikrotik, but unfortunately getting reasonable throughput for wireless clients is a serious challenge (I always have better results with openwrt on the same hardware). Still, nice to have local control and not have to rely on some cloud service just to use the hardware I bought.
| Jnr wrote:
| I wonder what is reasonable WiFi throughput for you?
|
| With my 5 year old Mikrotik hAP AC I am able to get up to 500 Mbit/s on lan.
|
| And my old phone now shows 250 Mbit/s on speedtest.net both directions.
|
| How much more are we talking about? Have I missed some big hardware upgrade recently?
| betterunix2 wrote:
| Using 80MHz channels I found the default configuration never exceeded 200Mbit/s using iperf. For me "reasonable" is closer to 800Mbit/s, which is roughly the theoretical limit for 80MHz with 2 spatial streams. I run my tests with my devices sitting 1 meter from the AP. This is on a hAP AC, and like I said, I get much better performance (close to the theoretical max) running OpenWRT on the same unit.
| I have had similar issues with the RB4011 and cAP AC, and in both the NYC area and suburban Virginia (so it is not just an issue of spectrum crowding in the city).
| api wrote:
| Get Linux boards and USB-3 WiFi dongles with well-supported chipsets and roll your own?
|
| The other alternative is to go way up-market and buy industrial gear. Consumer gear is shit due to a race to the bottom mentality. 90% of consumers buy the cheapest. This is also what turned every TV and appliance into a feature-encrusted shitbox full of spyware.
| edoceo wrote:
| I think you can do it with Pi-Zero and BATMAN? I gotta find my notes.
| jsmith99 wrote:
| Technically, Ubiquiti does have a local option. You can run the controller locally and disable cloud login.
| IgorPartola wrote:
| That's how I run it, but it seems they are now pushing ads to local controllers and between this and deprecating recently released devices, I just completely lost trust in them.
| dgudkov wrote:
| > it seems they are now pushing ads to local controllers
|
| The pervasiveness of adtech doesn't cease to impress me.
| ClumsyPilot wrote:
| I really hope that one day it will be remembered the same way we remember ritual sacrifice.
| pseudalopex wrote:
| People have reported cloud login can't be disabled now.
| colechristensen wrote:
| I set it up a few months ago with no cloud login, though it was a pain.
| winterphoenix96 wrote:
| It can still be disabled from the controller:
|
| New UI: Settings > System Settings > Administration > Enable Remote Access
|
| "Classic" UI: Settings > Remote Access > Enable Remote Access
| surfsvammel wrote:
| Protect still needs cloud to be activated for authentication it seems.
|
| I used to have remote access turned off and accessed the video streams via the iOS app when my phone was on VPN to the local network. That no longer works.
Remote access | (cloud) needs to be activated in order for the iOS app to | work, no matter if you are on the local network or not. | croutonwagon wrote: | When did that start? | | My controller is only on 6.0.43 but I can access it via | iOS app on VPN. | | My controller only does Wireless/AP management though, | nothing more. | nickphx wrote: | I've run my own controller locally for years without | forced cloud login. I've never used the iOS app, what | can you do from it that you can't do from the web | interface? | danhorner wrote: | I have been suspicious of their cloud config and run a | docker image of the controller locally. | | I'm still on version 5.14 and all of the cloud features are | optional. I just ignore them. I guess now I know not to | upgrade! | croutonwagon wrote: | When they introduced callhomes/telemetry sometime in the | 5.x code I blocked their known DNS entries and then set up | firewall rules to block all internet access outside of | the Ubuntu repos. | daniellarusso wrote: | It still checks for firmware updates, right? | traceroute66 wrote: | For those people here saying "go Ruckus unleashed" ... caveat | emptor my friends! | | I have it on very good authority that Ruckus have started | rolling out a change in their pricing model to require an | Unleashed license per AP to operate, a move which obviously | increases costs to the end-user. | | Some people might say it's a deliberate move to prevent | cannibalisation of their main business model by nudging | people away from Unleashed. I couldn't possibly comment. | IgorPartola wrote: | Your credit card is stolen and your bank disables it -> | your network is dead. What a great user experience. | benjohnson wrote: | It's a shame that Mikrotik doesn't have an easy-to-use global | GUI. | | It's the right hardware, and great firmware and wonderful | flexibility - but it needs an easy-to-use GUI controller to | make the simple stuff easy to take over from Ubiquiti. | sam_lowry_ wrote: | Global UI?
You mean, an AWS-hosted configurator for your | network? We just had an example of it being a security risk. God | save Mikrotik from implementing something similar. | IgorPartola wrote: | No, a local controller that you run on a machine inside | your LAN. | weaksauce wrote: | Nothing stopping you from using a local Ubiquiti | controller though. You aren't tied to their servers if | you don't want to use them. That said, they seem pretty | problematic from a security standpoint based on these | leaks and your networking infra should be rock solid. | coder543 wrote: | That's basically what MikroTik CAPsMAN is, depending on | your needs. | | I think it's specific to Access Points, so not a general | purpose centralized controller for MikroTik equipment, | but... centralizing access point management seems to be | the main thing under discussion here. | taldo wrote: | CAPsMAN is a royal PITA to set up. You have to manually | add all the wifi channels, map each AP to the channels | it'll use, and a lot of busywork. Once it's set up, | though, it works fine, and lets you upgrade all devices | from the manager, etc. | pilsetnieks wrote: | > You have to manually add all the wifi channels, map | each AP to the channels it'll use, and a lot of busywork. | | No, you don't? I mean you can but you don't _need_ to. | | There are cases when that is useful, true - for example, | the automatic channel selection makes some curious | choices sometimes. | bshep wrote: | Their HTTP interface is reasonable and you can | configure/provision the APs from CAPsMAN from one of the | routers/switches in a central location. | bombcar wrote: | You can also script against the Mikrotik CLI - I use it | to update the certificates every ~90 days. | m4rtink wrote: | Winbox is a really nice remote controller for Mikrotik & | vulnerabilities of a shared global controller have just | been clearly demonstrated, so I don't see an issue. | sofixa wrote: | Not really.
The vulnerabilities of using a vendor-hosted | cloud controller have been demonstrated, but having one | yourself next to your networking devices is just as | secure as it always was. | bpye wrote: | These recent posts about Ubiquiti have made me look again | at MikroTik. Their hardware is more affordable than I had | remembered. Is there any good intro to their hardware - | there are certainly a lot more options than you get with | Ubiquiti. | | Even before now there are some limitations with UniFi that | have annoyed me. Setting up more complex DNS and firewall | rules requires editing the JSON config. IPv6 tunnelling | isn't well supported. The stats in the controller, whilst | neat, aren't very useful because they have to be manually | reset to zero. | stock_toaster wrote: | I use the edgerouter line for firewalls, and unifi | (running on a local "cloud key", with cloud login turned | off) for only access-points and some switches. | | This news (covering up, legal overriding good security | practices) is super concerning though, and I'm definitely | going to start looking around as well. | jcadam wrote: | Yea. I only have an edgerouter 4 as far as Ubiquiti | equipment goes. It works great for its intended purpose | (I needed a dual WAN router and consumer level gear | generally doesn't do that). I was eyeing their WAPs, but | I believe I'll pass on them now. | KozmoNau7 wrote: | The best intro really is to buy some of their hardware | and play around with it. Their routers and APs are all | based on the same basic RouterBOARD hardware and run the | same RouterOS. The specs for each device are pretty well | laid out on their site, but you do have to read through a | few product pages to find exactly what you're looking | for. | | I would start with a hAP ac2, a wireless router that is | approximately the equivalent of their hEX Ethernet router | plus a dual-band AP (cAP/wAP ac).
It's a great standalone | device and less than $70, or you could get the individual | devices for a bit more flexibility. | | Avoid the models labeled "lite", those are low-cost | versions with lower routing speeds and 2.4 GHz WLAN only. | | For management you can obviously configure each device | separately, or you can use CAPsMAN where one device acts | as the controller and handles all configuration. It's not | as slick as Ubiquiti, but it works. | benjohnson wrote: | It may sound strange, but for Mikrotik, I find it more | productive to concentrate on setting them up via CLI. | It's certainly more trainable. | | CLI for Port Forward: /ip firewall nat add chain=dstnat | dst-port=1234 in-interface=ether1-gateway action=dst-nat | protocol=tcp to-address=192.168.1.1 to-port=1234 | | VS having to document the same task in the GUI: | | IP->Firewall->Nat-> Add New | | General Tab Chain: dstnat Protocol: TCP Dst. Port: Port | In. Interface: ether1-gateway | | Action Tab Action: dst-nat To Address: IP address of | Server To Port: Port # of Service | eecc wrote: | Yup, very nice router/switch. If anyone could forward a | properly documented configuration to make the Apple | AirPort guest network work I'd be ever grateful. | bombcar wrote: | The CLI tab-completion is great - you can figure out most | of what you need to do just by looking at it. | | Highly worth getting one to try out. | heavyset_go wrote: | Stick OpenWRT or pfSense on them, and you've got yourself a | nice GUI. You can use the CLIs if you want to, too. | 1over137 wrote: | >Seems like there is nothing good out there | | Check out Ruckus. I've found their 'unleashed' stuff quite | nice (no affiliation, just a customer). | dolni wrote: | So the question becomes: is there just not a good | enthusiast market for this stuff? I have met a number of | people who are "network nerds", so I'm inclined to think | the market does exist.
With any of the plethora of consumer | devices (Linksys, Netgear, D-Link) it's a dice roll whether | your gear is complete garbage or not. A lot of the time, | you're coming up snake eyes. | | I've got some Ubiquiti gear I bought a couple years ago. Like | you, I want good quality gear that I can manage myself. I | don't need a bunch of fancy corporate garbage, like link | aggregation or cloud management. Give me solid, hardware- | accelerated routing and switching, flexibility over my local | DNS, and maybe some VLANing. | | I was running Linux on a small x86 box as my last network | router. Maybe it's time to get back to that. That or go back | to banging rocks together. Haven't decided which, yet. | Johnny555 wrote: | I think the enthusiasts still buy tiny PCs with WiFi cards | and run Linux/FreeBSD/whatever. | IgorPartola wrote: | I can't imagine that there isn't a market for this. Look at | the number of people recommending Ubiquiti stuff to each | other. There are entire YouTube channels dedicated to it. | If your whole living space or small office can be covered | with a single access point, get a 3-in-1 combo that has a | WAP, a router, and a small switch. But if you don't, you | are left with, what exactly? There is also some demand for | mesh stuff, for people who rent and don't want to run | Ethernet cable. | | My plan: OPNsense on a PC Engines board for router + | firewall, an unmanaged PoE-providing switch for switching, | and _something_ from 2-8 WAPs for indoor/outdoor Wi-Fi. | tomc1985 wrote: | I've been running Asus routers with Tomato firmware and | other than seemingly inevitable hardware quality issues it | has been smooth sailing. | floatingatoll wrote: | As a former enthusiast in this area, I need the time for | other more pressing interests and have reverted my home | network to Eeros pinned to an IQrouter. All of them require | some central service to operate, and I rarely if ever have | to pay any attention to them.
They also provide better | coverage and less radio interference than the prior gold | standard, Apple Airport devices. The IQ runs some sort of | ssh *nix variant and the only time I've ever had to call | Eero support was to turn off 5GHz for a minute^ to pair a | smarthome device. | | Still, it's nice to have a hobby, and if you're looking for | one, run your own, sure! No shame in that. But it's no | longer necessary, and that's pretty swell to me. | | ^ I agree with why they don't make that accessible to end | users: because people will uselessly fiddle with settings | knobs to feel empowered, knobs like "separate 2.4 and 5 | networks" (which breaks roaming and makes users incorrectly | blame their WiFi routers when PEBCAK is at fault) that | semi-expert users feel qualified to mess with, and lazy | technicians will use to create "guest" networks that don't | offer protection and perform miserably due to being locked | to 5GHz. | dolni wrote: | Maybe you and I have different opinions of "enthusiast" | in this context. There is really only so much you're | going to do on a home network. You set it up and once | it's going, it requires very little maintenance. I would | not consider running my own network gear a "hobby" any | more than I would consider restaining my deck a "hobby". | It's largely a one-time project. | | I do have requirements beyond what the typical consumer | does of their network, like PoE to run a couple of access | points, PPPoE so that I can put my modem in bridge mode, | the desire to configure extra DNS records, dynamic DNS | since my home IP changes. Oh, and let's not forget some | filtering/rewriting capabilities so that I can force | modern smart TVs to respect the DNS server I provide | them. | | My network is much more usable having put the time into | it. Yes, you could buy some off the shelf thing and get | an OK experience, but that wasn't good enough for me. 
| sylens wrote: | Do they make an Eero yet with more than two Ethernet | ports? I love the product, I just want to plug 4-5 | devices in as well as use the WiFi. | Godel_unicode wrote: | You can buy a 5-port unmanaged switch for roughly $30, | just FYI. | clajiness wrote: | When did link aggregation become "fancy corporate garbage"? | dolni wrote: | Garbage was a bit of an indulgent word. It certainly is | relevant and useful technology. It just isn't useful for | home users, at least none that I've ever met. | ryan29 wrote: | > So the question becomes: is there just not a good | enthusiast market for this stuff? | | No. They just don't want to serve the low end. I'm from SK, | Canada and the vast majority of all businesses are small | businesses. This site [1] says 98%. The problem is they | only account for about 25% of the GDP, so vendors don't | consider them worth serving. Everyone wants to sell to the | 2% of the businesses that make up 75% of the GDP. | | There's a lot of money to be made in the small business | sector. It's just not *enough* money for huge tech | companies. | | 1. https://www.bizadv.ca/by-the-numbers-saskatchewan- | business-s... | tonyarkles wrote: | And now that OTV's gone, it's even harder to get semi-OK | gear (that can be immediately re-flashed with OpenWRT) | for a reasonable price. :( | | [Hi from Regina!] | novok wrote: | You often do not need long sales processes to get those | small companies, they tend to self-serve selling to | themselves. | ryan29 wrote: | I do casual work for a person that serves that sector. | It's 100% self-serve for us. We'll pay fair value for | stuff and vendors won't ever need to interact with us. | The problem is when those vendors think their firmware | updater is worth a $10 / month subscription. It's not. | | For example, with pfSense going closed source, we'd be | willing to pay around $100 total lifetime cost to put it | on PCEngines hardware.
We can build that into the | upfront cost of the device. I wouldn't be shocked if they | try for $50-$100 / year which won't be economically | viable for our market, so instead of getting $100 / | device and never interacting with us, we'll end up moving | to a different product. I really hope they come up with | an offering that's appealing to the small business | sector, but I'm not holding my breath and I'll be | learning opnsense as a contingency. | api wrote: | I've thought for a while that the neglect of consumer, | prosumer, and small business computing is a side effect | of concentration of wealth. A small percentage of | businesses have all the money. | kazen44 wrote: | > So the question becomes: is there just not a good | enthusiast market for this stuff? I have met a number of | people who are "network nerds", so I'm inclined to think | the market does exist. | | My experience as a professional "network nerd" is that most | other people in the networking field run cheap/second-hand | enterprise gear fetched from their employer at a major | discount and simply seem to care less about wifi in | general. | Godel_unicode wrote: | A lot of that changed with my peer group either due to | caring about managing from a phone or caring about | power/noise. The latter are especially not things real | enterprise gear tends to optimize for. | newsclues wrote: | Ubiquiti captured the prosumer networking market. | Vedor wrote: | Not 100% sure if that's what you are looking for (I don't do | much network work) but I think that Camsat's GlobalCAM-4.5G | may be worth checking, with one catch: the company targets the | CCTV market. Still, that's just a router, without any special | license fees or mandatory clouds. | oblio wrote: | Maybe Plume Homepass: https://www.plume.com/homepass/ ? I'm | not sure if they're 100% equivalent, but it seems to cover a | good part of the Ubiquiti feature set. | HowardStark wrote: | Interesting.
Subscription-based services in the home seem | like a disaster waiting to happen. Unless you can self host | in the event of a company shut-down, you're beholden to a | company and their solvency. | | Can't see anything on their website for a transition plan | in the event of shutdown (and of course, why would they | post that and potentially signal lack of confidence in | their longevity). | awillen wrote: | So one might call them... ubiquitous? | | I'm so sorry. I'll go now. | [deleted] | Godel_unicode wrote: | You can absolutely manage ubiquiti local. Even with a | ridiculously named local appliance called a cloud key. Their | cameras are unfortunately another story. | wikibob wrote: | Eero is amazing. | | It Just Works. | | Apple style. Plug it in. Never fuck with it. Rock solid. | discardable_dan wrote: | They are amazon-owned. I'd be shocked if they weren't | collecting and reporting telemetry. | astrange wrote: | Telemetry is an extremely important part of making things | just work. There's no other way to find the unknown | unknowns. | IgorPartola wrote: | I have lots of devices that don't phone home. Have been | working for years. The company needing to know which | websites I visit to make my network function does not | speak well of the company. | heavyset_go wrote: | That's awfully convenient for the company offering those | products, but I want to control what happens on my | network, even if that's inconvenient for some hardware | vendor. | | Case studies, focus groups, surveys and interviews are | great ways to find the unknown unknowns. Of course, you | need to pay people to participate in them, and then you | need to pay expensive employees to conduct, collect and | analyze the results. | | It's often just cheaper to spy on customers, though, and | pretend that there is no other possible way to conduct | business. | sofixa wrote: | > Case studies, focus groups, surveys and interviews are | great ways to find the unknown unknowns. 
Of course, you | need to pay people to participate in them, and then you | need to pay expensive employees to conduct, collect and | analyze the results | | No they're not, because the vast majority of people | simply won't be bothered, and most people probably aren't | as reliable as concrete data. | Marsymars wrote: | Yeah, but they're still the best user-experience I've | found, and they seem to care about code quality and doing | right by their customers. | Jnr wrote: | Try Mikrotik. It can do all of the things you listed and | more. | [deleted] | biktor_gj wrote: | After the Unifi Video fiasco, I bought a UDM Pro to test Unifi | Protect. | | Once I saw it required cloud login I got scared. After I saw a | Ubiquiti SSH key preinstalled in a device with unfettered | internet access I shut it down to never bring it up again. | lazyweb wrote: | Wow, are you serious? | dathinab wrote: | Man I really wonder why the lack of proper 2FA is so | widespread? | | Is it really cost and complexity? | | Or just missing awareness? | | Or the lack of consequences when you get hacked in a way which | could easily have been prevented (though then they might have | attacked in a different way, tbh.). | closeparen wrote: | He could have had 2fa on his console account but saved an | access key for CLI access. Many large organizations have an | infrastructure where you exchange your corporate | authentication (including 2FA) for a short-lived AWS access | key, but AFAIK this isn't out of the box. | Bellyache5 wrote: | AWS SSO does offer this "out of the box", but many large | organizations use their own custom SSO setup with custom- | built tools to get temporary tokens. | TheGuyWhoCodes wrote: | You can force 2fa even for cli access as far as I remember | but it's not on by default. | neuronic wrote: | It's people not getting it and being plain annoyed by the | second factor. YubiKey or Authenticator app on a different | device...
it's too inconvenient and people often only do it | if forced (e.g. banks do this afaik). | aneutron wrote: | Lack of 2FA for the AWS access? Sure. It might have | prevented the attack. | | The attacker had access to the whole database. Which meant he | could alter the 2FA seed. So it wouldn't have mattered much. | dathinab wrote: | They seem to have gained access through getting secrets | from developers as far as I understood it. | | So with 2FA they would have had a much harder time to gain | access to the database. | | The part of changing the seed only matters for customers of | the hacked company but is (as far as I can tell) unrelated | to them gaining access. | rectang wrote: | > _can we really trust them to clean up all their tokens and | fully eradicate all forms of persistence the hackers may have | gotten?_ | | The state of security in the tech industry is miserable. The | only companies we should trust not to leak our data are those | that never collected it in the first place. | anticristi wrote: | We are certainly not having this conversation enough. I | regularly chat with a risk officer and she keeps telling me: | Data minimization is your first line of defense. | kazen44 wrote: | Heck, most operating systems are leaky by default. Even | OpenBSD, which has a stellar track record in terms of security | and "goes against the grain" on many decisions for the sake | of secure by default (for instance, disabling hyperthreading | altogether to prevent any kind of SPECTRE vulnerability) is | under constant scrutiny for not being secure enough. | | Maybe connecting everything to a network and making it a high | value target by collecting everyone's data is just a terrible | idea in the long run. | 650REDHAIR wrote: | What a shockingly large breach. Wow. | toomuchtodo wrote: | The breaches are common, the reporting/discovery of them is | not.
Security just isn't a priority for a lot of orgs, as the | consequences are minimal (see: Equifax) due to a lack of | regulatory or financial penalty pain when a breach occurs. | | "Help yourself to a free year of identity theft insurance" | and all that jazz. | neuronic wrote: | This is correct. Worked for a fairly large corp with lots | of customer data and while I haven't witnessed breaches of | said data it's pretty much a matter of time. | | My colleagues and I always pushed for more secure setups | and configs but the common rebuttal was "no need there's a | keycloak running several layers above and you need to use a | VPN and need access to AWS first, go implement features | instead." | | I hope for them that no rogue employee decides to play | around a bit or that no one stores their credentials in | some cloud LastPass account with a '123456qwerty' master | password. | MattGaiser wrote: | Discovery of breaches seems to be undesirable in the | current environment, if many go undetected. | | If you discover, you have to report. If you don't, odds are | nobody will notice/will blame someone else. | Grazester wrote: | There is Fortinet (which acquired Meru 5 years ago). Meru was | pretty OK. I helped manage a setup of 2500+ access points on a | campus. I left that job 6 months after Meru was acquired so I | can't say how they are now. | xvf22 wrote: | Got 3 no-brainer CVEs against them. We're an enterprise | customer who is now moving away because after Fortinet | acquired them support dropped off a cliff. They had some good | people but it became rather apparent that there was a bit of | a toxic culture there. | rossipedia wrote: | > can we really trust them | | absolutely not | modeless wrote: | Should have blown the whistle to the SEC instead. SEC | whistleblowers get paid. Up to 30% of eventual penalties paid by | the company with no upper limit. Lying about a breach could be | securities fraud. | MrFoof wrote: | They may already have.
Investigation is already pending: | https://finance.yahoo.com/news/shareholder-alert-ubiquiti-in... | surfsvammel wrote: | This might just be a law firm fishing for people willing to | be plaintiffs when they sue. So, this in itself might not | mean much of anything. This might just be a lawyer who read | the news and thought "Hey, let's see if we can find enough | people willing to sue!" | neartheplain wrote: | Don't have time to dig into this right now, but I have a Ubiquiti | WiFi AP at my home behind a NAT; does this breach mean my home | network is vulnerable/effectively exposed to the Internet? Do I | need to log off HN and deal with this now, or can it wait? | aaomidi wrote: | I mean, yes, it does. However, hopefully the hackers aren't in | their system anymore - so if you were at risk it's already | probably over. | | I guess just change your password and reset your 2FA? | neartheplain wrote: | Ugh. Guess I'll just go wired for now and unplug the AP. | Hopefully I'm only paranoid, but I really don't like the | feeling of a hole in the network with my family's NAS and IoT | devices. | | Never again with the cloud-connected network appliances. Time | to build a router from scratch, I guess. | geephroh wrote: | You can run the AP locally with the standalone controller | appliance in a container or VM[1]. Pretty simple, and | doesn't require a UBNT login. Probably still worth doing a | factory reset on your AP first, if you're paranoid like | me... | | 1. https://help.ui.com/hc/en- | us/articles/360012282453-UniFi-Set... | xoa wrote: | It depends. How do you manage said AP? The leaked credentials | issue here is specifically in SSO Cloud authentication to | Controllers, which are used to administer all the actual | hardware devices. However, the devices themselves aren't | affected.
So depending on how, or for that matter if, you | manage them, you may be unaffected as well, which has always been | a major touted advantage of UniFi and has indeed proved true | right with this very incident. | | Your post seems to imply you have just that AP and that's it? | If you set it up initially (putting the controller on one of | your own computers temporarily maybe), and then just left it | standalone from there on out you're fine. There is no need to | have an active Controller for all the hardware to work as | configured; a Controller is just needed to change | configuration, collect real-time statistics/send notifications, | and do necessarily active things like run a guest portal. | | If you are running a Controller, but you're doing entirely | standalone on your own hardware (or your own cloud service for | that matter), and haven't enabled Ubiquiti SSO cloud access, | you're unaffected. That's how I've always run since I don't | trust third-party cloud stuff for something like this, ever. | | It's """only""" an issue for their cloud service, and | apparently their "Cloud Keys" and "Dream Machines" as well | since they pushed it on people in some recent firmware. Which | granted covers a lot of surface area, and Ubiquiti has pushed | very, very hard (see advertising outrage from just a few days | ago). But it's thankfully still not everything. | neartheplain wrote: | Thanks for the detailed reply. As you correctly inferred, this is | my situation: | | >Your post seems to imply you have just that AP and that's | it? | | I recently moved to a house with a preexisting network, so I | have only the AP itself set up with the Ubiquiti | router/network controller still in storage. I use the mobile | app to configure the AP. It sounds like the AP won't phone | home or open tunnels to their cloud by itself, so I'll turn | it back on for now.
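The check a practitioner would actually run before trusting "the AP won't phone home by itself" is to look at the router's own flow logs. The script below is an added example, not code from the thread or from Ubiquiti. It covers two things raised above: croutonwagon's approach of blocking the controller's known call-home destinations at the firewall (does a management-only device such as the AP ever reach the Internet at all), and dolni's point further up about smart TVs ignoring the local DNS server (which LAN hosts send DNS, including DNS-over-TLS on 853, to outside resolvers). The log layout mimics netfilter's LOG target; the addresses, the sample lines and the choice of which host is the AP are constructed assumptions.

```python
"""Egress audit over router flow logs.

Added example for this thread, not code from the original post or from
Ubiquiti.  Log layout mimics netfilter's LOG target; the addresses,
the sample lines and which host is the AP are constructed assumptions.
"""
import re
from ipaddress import ip_address, ip_network

# Constructed sample log (netfilter LOG style, forwarded traffic only).
SAMPLE_LOG = """\
kernel: FWD IN=br-lan OUT=eth0 SRC=192.168.1.30 DST=203.0.113.10 PROTO=TCP SPT=51020 DPT=443
kernel: FWD IN=br-lan OUT=br-mgmt SRC=192.168.1.30 DST=192.168.10.10 PROTO=TCP SPT=51021 DPT=8080
kernel: FWD IN=br-lan OUT=eth0 SRC=192.168.1.55 DST=8.8.8.8 PROTO=UDP SPT=40123 DPT=53
kernel: FWD IN=br-lan OUT=eth0 SRC=192.168.1.55 DST=198.51.100.7 PROTO=TCP SPT=40124 DPT=443
kernel: FWD IN=br-lan OUT=eth0 SRC=192.168.1.55 DST=1.1.1.1 PROTO=TCP SPT=40125 DPT=853
"""

LAN = ip_network("192.168.0.0/16")            # assumption: all local VLANs
# Assumption: 192.168.1.30 is the AP; it should only talk to the local
# controller (192.168.10.10 here), never to anything on the Internet.
NO_WAN_HOSTS = {ip_address("192.168.1.30")}
DNS_PORTS = {53, 853}                          # plain DNS and DNS-over-TLS

LOG_RE = re.compile(
    r"SRC=(?P<src>[\d.]+) DST=(?P<dst>[\d.]+) PROTO=(?P<proto>\w+) "
    r"SPT=(?P<spt>\d+) DPT=(?P<dpt>\d+)"
)


def parse_flows(text):
    """One dict per parsable log line; lines without the fields are skipped."""
    flows = []
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if m:
            flows.append({
                "src": ip_address(m["src"]),
                "dst": ip_address(m["dst"]),
                "proto": m["proto"],
                "dpt": int(m["dpt"]),
            })
    return flows


def audit(flows, no_wan_hosts=NO_WAN_HOSTS, lan=LAN, dns_ports=DNS_PORTS):
    """Flag WAN-bound flows that violate the policy.

    phone-home : a no-WAN host reached any Internet destination
    dns-bypass : a host sent DNS or DoT to a resolver outside the LAN
    """
    findings = []
    for f in flows:
        if f["dst"] in lan:
            continue              # LAN-internal traffic is not an egress event
        if f["src"] in no_wan_hosts:
            findings.append(("phone-home", str(f["src"]), str(f["dst"]), f["dpt"]))
        if f["dpt"] in dns_ports:
            findings.append(("dns-bypass", str(f["src"]), str(f["dst"]), f["dpt"]))
    return findings


if __name__ == "__main__":
    for kind, src, dst, port in audit(parse_flows(SAMPLE_LOG)):
        print(f"{kind:11} {src} -> {dst}:{port}")
```

On the sample it reports the AP reaching 203.0.113.10:443 and the second host resolving through 8.8.8.8 and 1.1.1.1. The AP-to-controller flow is ignored because its destination is local. The fix for the DNS finding is the same kind of dst-nat rule benjohnson quotes for RouterOS above, pointed at the local resolver for destination port 53; the fix for a phone-home finding is a firewall rule dropping WAN-bound traffic from that host, then watching whether the device still works as configured, which xoa's comment says it should.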
| jniedrauer wrote: | > the attacker(s) had access to privileged credentials that were | previously stored in the LastPass account of a Ubiquiti IT | employee | | The interesting part of this story is how the employee's LastPass | got popped. My guess is their local workstation was compromised, | and their LastPass was either not logged out in a browser plugin, | or they didn't have 2 factor auth required for each login and a | keylogger got the password. In either case, it's a good reminder | to be paranoid about your password manager, make sure it's got a | logout timer, and use 2 factor auth. | | I also don't let my cloud password managers touch a mobile | device. It's fairly inconvenient, so I hesitate to recommend this | to others. But I don't trust mobile devices very much. Anyone | have thoughts on this? | baybal2 wrote: | Easy to imagine they just got a spiked chrome binary installed | cutemonster wrote: | How could an attacker make that happen? | cutemonster wrote: | > My guess is their local workstation was compromised | | You mean someone was physically at the laptop/desktop and could | access the OS and apps? Maybe if the employee was working | remote (covid?) from, say, a cafe and left the laptop | unattended when refilling coffee? | | Or something else? ... Hmm, could also have been eg a browser | zero day that gave someone remote access to the computer? Or a | dev tools supply chain attack? | hn_throwaway_99 wrote: | It's not that complicated. The local workstation could have | had a trojan or virus that installed a keylogger or | screengrabber. | rossipedia wrote: | > My guess is their local workstation was compromised | | Honestly I don't think it was even that complicated, | considering when I needed to spend money on some SaaS product | the "chief accountant" (because there was no CFO) straight up | sent me a photo of the corporate credit card and said "delete | that when you're done". | post_break wrote: | Verkada, now Ubiquiti, yikes. 
Also according to this leaker, it | seems like they tried to cover it up before letting the public | know. They are on my blacklist now. | surfsvammel wrote: | This company is a disaster it seems, and I have just set up my | whole home infrastructure and home security around their | products... They were the most recommended brand when I was | shopping for new stuff a year ago. | thedanbob wrote: | Same, my setup is 100% Unifi from back before they started | going downhill. At least I was self-hosting the software so I | wasn't bitten by this breach. | xoa wrote: | We should be clear here that there are multiple types of | "self-hosted". Ubiquiti makes essentially little (weaker) | Raspberry Pi devices with PoE that are dedicated to just the | controller, and a few years back they also forced their | (garbage) "Protect" onto their hardware only. They | (confusingly) call these "Cloud Keys", though they have | nothing to do with the cloud. However, you can also get 100% | standalone versions of the Controller that will run on any | server or VM you've got, Linux, Windows, or Mac. This is just | the Java 8-based controller software and that's it, and you | can lock those down arbitrarily hard for any WAN access same | as any other LAN network software, no general internet access | is needed at all and no firmware is involved. | | A lot of people quite reasonably got CKs seeing them as very | easy ways to have a low-power, always-on local controller | since they didn't have some other server running 24/7 | already. If the firmware on those was updated to require tie- | in to Ubiquiti's SSO that's a horrible betrayal. But I'm | confident in saying the full standalone Controller doesn't | since I have mine locked down from any general net access, | remote L3 management was done to IP only at the firewall and | I've been switching to just putting it all through WireGuard. | izacus wrote: | Hmm, even the self-hosted SW can use SSO from cloud...
so I'm | now worried that our equipment is still vulnerable via | whatever system allows cloud logins. | pseudalopex wrote: | They forced cloud authentication on self-hosted software | too.[1] | | [1] https://www.reddit.com/r/Ubiquiti/comments/kslyh9/cloud_k | ey_... | imiric wrote: | Wow, that's awful. | | I have a few Ubiquiti devices I haven't updated in months, | that don't use any cloud accounts, and I used to run their | controller software in a container that I only started when | I needed to administer something. But now I guess I'm never | updating and will be looking to get rid of all their | equipment. | | What an incredibly consumer-hostile and incompetent | company. Shame, because the hardware pretty much works | reliably. | Ueland wrote: | I'm a bit confused by this. I run a UniFi Controller in a | docker container, have a few APs and a router, and | everything works fine. No cloud stuff going on here. | | Am I just lucky or something that I haven't been forced to | the cloud yet, or is it something I am missing here? | jmuguy wrote: | I think it's just the cloud key. I have a unifi controller | install as well and use a local account with no issues. | stock_toaster wrote: | I have a cloud key with no cloud access. It's just that | cloud access is the user-directed workflow for sure. | Setup without cloud access was not clear at all [1]. | | [1]: I don't even remember the steps, to be honest! | [deleted] | surfsvammel wrote: | Apparently I was... Now, updated the firmware and it says | server certificate changed. Frikkin A. Now I am in 'what the | hell' land. | johnbrodie wrote: | I almost did the same thing, but it was clear a year ago that | they were moving towards "cloud based" services, something I | didn't want to participate in. Looks like it was a good | decision, in retrospect. | CorrectHorseBat wrote: | So what did you go with? | johnbrodie wrote: | Ended up with some used Cisco equipment aimed at the small | business segment.
Similar-ish price to new Ubiquiti gear, | and I've spent essentially 0 time maintaining the stuff | beyond initial setup. Still don't have APs set up though, | I've just been making do with what I had laying around. | toyg wrote: | If i were you I'd take heart in the knowledge that the others | aren't any better, it's just a matter of "when" they'll get | cracked in the same way | bombcar wrote: | Not every network hardware provider ties everything to a | "Cloud" for reasons. They may have breaches but they won't be | this widespread. | bilbo0s wrote: | Wasn't really a "cloud" hack so much as a hack of a root | user. How they accessed that root user's credentials is not | detailed. Phishing? Hardware hack? Dumb root user and it | was possible to guess his/her credentials? Could even be, | that particular root user was in on it with them for all we | know? | | In any case, this sort of a hack of any other company's | root users would result in the same spectacularly | catastrophic pwnage. That your root users have root access | on your own machines won't help you. | | What they need is to structure their security properly. I'm | not sure why this user needed root access to everything | globally for instance? That seems wrong to me at first | blush, but it could be a matter of me not understanding | their business model. | bombcar wrote: | IIRC it says that they got the LastPass data for an | employee which had (non two factored?) AWS access | credentials. | greycol wrote: | The reason people are bringing up cloud is because it's | what effects them. If you have (cloud) access through a | company to local devices and that company is hacked then | that could be a very wide pathway into your local set up. | The company being hacked and related implications is | still not great for a huge list of reasons but it's the | possible local breaches that are more of a worry for a | lot of us. 
| | Ubiquiti has recently been pushing there cloud set up (to | the point that you can't set up a local controller with | out setting up a cloud account) that's why it's so | annoying. | | *There is probably a way but the last time I tried I | couldn't find it in setup and so installed using a | previous version. | kasey_junk wrote: | It's increasingly hard to find providers that don't though. | The advantages to global management software is pretty high | & the easiest way to implement that is the cloud. | abootstrapper wrote: | Me too! Now what do we do? | ruph123 wrote: | I always thought that the main selling point of their devices | was that you can run your own Ubiquiti server at home and keep | everything local? They are always portrayed as the not-so- | shitty IoT company. | OminousWeapons wrote: | If you don't have remote access enabled and aren't running | their surveillance camera software, it is not clear to me | that there is any risk to the customer from this event | (outside of the source code being used to generate new | exploits). It doesn't sound like the attackers were able to | abuse automated firmware update functions, and losing | credentials to a UI account has no impact on users running | cloud key locally without remote access enabled. | ruph123 wrote: | Right. I would never have any device like a camera be | directly connected to the internet and instead cut off that | device from the internet in my router software and only | access it from outside via a VPN. | | Not that this whole screw-up should be excused in any way | or downplayed. | mixologic wrote: | I bought one of their security cameras to act as a | nursery cam last year, which I could later convert into a | home security camera. | | The 'in house' software, unifi-video, was discontinued 3 | months after I got it set up. 
All of the apps I use to | connect to the system have been pulled from the app | store, and you now have to use their camera controller | for the one camera, vs the software Im running on my | linux box. | | Their controller is much more limited, and many, many | security camera installers were caught off guard with no | path forward for their customers. It's a nightmare of a | shitshow and I would never in a million years recommend | Ubiquiti as a company at this point. | spockz wrote: | I now use the camera in direct rtsp mode. This way it can | be used by any rtsp tool including video recording and | the lot. For the nursery camera I just use IPCams on iOS | on an iPad. | halefx wrote: | Yep, I also use their cameras as baby monitors. RTSP mode | to VLC on an old chromebook as an always-on monitor. | | The Protect app works pretty well now assuming you have a | controller to connect to, but the time between the Video | app shutting down and Protect actually working properly | was very frustrating. I would never trust the Protect app | to stay connected while I'm asleep, though. It's | definitely not stable enough for that. | caeril wrote: | I can't speak to the newer UniFi garbage, but the selling | point for their Edge network products was that you could have | Cisco-ish managed switches and routers without paying the | absurd prices for ASICs, licenses, ios upgrades, parasitic | middleman distributors, etc. | atourgates wrote: | Are you me? | | Just finished setting up my Ubiquiti-based home network that | includes a dream machine, 6 access-points, and a wireless | bridge to an outbuilding. All told about a $1,500 investment I | made because I thought I was investing in "best-in-class" | hardware and software. | | Sigh. | alkonaut wrote: | I picked up an EdgeRouter and none of the cloudkey/unifi stuff. | I initially felt like maybe I should have picked the unifi gear | and maybe a dumb switch, but now I don't regret the EdgeRouter. 
| Couldn't be happier with it. | | I don't trust anything that tries to solve the "firewall | problem" by setting up a cloud service for what should be a | local appliance. | moonbas3 wrote: | Yeah well, more money in marketing than anything else. | vmception wrote: | > Adam wrote in his letter. "Legal overrode the repeated requests | to force rotation of all customer credentials, and to revert any | device access permission changes within the relevant period." | | tsk. | Google234 wrote: | This actually seems like criminal advice. | mywittyname wrote: | It's probably considered Consciousness of Guilt. | beervirus wrote: | Yeah that doesn't make sense to me. Sales would do something | like that. Legal should be erring in the opposite direction. | jasonwatkinspdx wrote: | No. They don't care if customers get pwnd. They care if | customers become aware of exactly how they got pwnd and | launch a class action. It's shitty but entirely predictable | behavior common in these situations. | beervirus wrote: | Well you're right that it's not their job to represent | customers. Their client is the company. | | But telling your client to sweep something like this under | the rug isn't exactly great advice. | airstrike wrote: | But rotating credentials would not hurt or help that | alleged goal of hiding the truth from customers... | chrisbolt wrote: | "force rotation of all customer credentials" = make | customers change their passwords, which is a huge red | flag that would draw attention to why they were forcing | that. | hn_throwaway_99 wrote: | Github just recently logged out all users because they | had a bug that could leak other account data into | sessions. They were very transparent about why they did | that, what happened, and I for one trust them more for | it. | 650REDHAIR wrote: | By trying to sweep it under the rug they just opened themselves | up. | | Crazy. 
| elevation wrote: | I'll change my forum password and continue to avoid UBNT's cloud | features like always. | | I'm still happy with the value, stability, and security updates | (!!) of my UBNT hardware. | | I still won't buy gear from another vendor that wants $$$/device- | year in support contracts and have unavoidable cloud controllers. | eyeareque wrote: | How many of you would be surprised to hear that 99% of companies | have similar security gaps? These problems happen literally | everywhere. | mjfl wrote: | Is internet of things useful for anything except being a major | security vulnerability you could trick an enemy into installing? | gautamcgoel wrote: | Wow, this is huge. I wonder if the attacker was a state actor, | and if so, what their intended mischief is. | eqvinox wrote: | I don't think a state actor would've tried to extort bitcoin, | but who knows... ___________________________________________________________________ (page generated 2021-03-30 23:00 UTC)