[HN Gopher] Ubiquiti All but Confirms Breach Response Iniquity
___________________________________________________________________
Author : parsecs
Score  : 183 points
Date   : 2021-04-04 19:28 UTC (3 hours ago)

(HTM) web link (krebsonsecurity.com)

| rosege wrote:
| Opened HN to look to see what everyone was saying about the FB hack, stayed for the Ubiquiti one.
|
| bcrescimanno wrote:
| It's disappointing to see a breach like this and even more disappointing to see what (at least on the surface) appears to be a lackadaisical response.
|
| As someone who runs a UniFi network in my home with just 4 pieces of hardware (gateway, wired switch, and 2 PoE WAPs) I'm really curious if there are solid alternatives for a managed home network. UniFi really hit a sweet spot of price/performance that made it a somewhat pricey; but, not totally unreasonable option for the home.
|
| Any suggestions from the HN crowd?
|
| e40 wrote:
| That is my exact configuration, too. Would love to have alternatives.
|
| heavymark wrote:
| I'm not aware of any alternatives that are designed as well, and if you switch the new option could just as easily be hacked or if so it on it could also be hacked but you may never realize. Though it's good for all these people to pretend to threaten to leave since maybe that will get the company to be a little more forthright which is all we can really ask for these days.
|
| ThatPlayer wrote:
| I've heard good things about TP-Link's Omada series. Their controller even looks like a clone of Unifi's
|
| lostlogin wrote:
| Having messed with TP-Link's smart plugs, I've been really impressed. They integrate well into Home Assistant too.
|
| ed25519FUUU wrote:
| Isn't TP-link a Chinese company?
|
| catblast01 wrote:
| Is Ubiquiti a Chinese company?
|
| Really, what a low effort idiotic post.
|
| monkey34 wrote:
| While I've not yet made the purchase, I'm eyeing a Synology RT2600ac (https://www.synology.com/en-us/products/RT2600ac) and an MR2200ac (https://www.synology.com/en-us/products/MR2200ac#specs). It seems like they'll be adding VLAN support in their 1.3 release (https://community.synology.com/enu/forum/2/post/130414), which should be nice for adding dedicated VPN and guest networks.
|
| For me it's one of the few options available because my ISP forces me to use a transitional IPv6 technology called "MAP-E," which the UniFi products don't support. I switched ISPs after purchasing my equipment and ended up with $700 of dead weight.
|
| ImprovedSilence wrote:
| I recently went with two 2200acs. Been mostly pleased, but there were some settings I had to play with to get the right router to use some of the more distant devices.. without custom settings it tries to load balance devices over choosing based on signal strength, thus a far device from the main router had an unusable connection..
|
| xyzzy21 wrote:
| "The Cloud" absolutely can NOT be trusted with anything serious. I'm still amazed serious people actually think it's a smart or wise idea. It's become a "Go to the fridge and get the box" type of mindless laziness by far too many marketers and developers.
|
| imwillofficial wrote:
| I used to be a die hard Ubiquiti fan. They have fallen from grace in a big way. Disappointing.
|
| arbitrage wrote:
| So, what happens now? Will Ubiquiti be held to task, by anyone?
|
| imwillofficial wrote:
| They've lost my business.
|
| kiwijamo wrote:
| Ditto and they have also lost my recommendations. If I hear any friends thinking of Ubiquiti, I will be pointing them towards articles like the one we are discussing. I had been a bit wary of them since their push for cloud SSO etc, but these recent events have put the final nail in the coffin for me. Personally I am migrating my family's network to MikroTik gear.
|
| lucb1e wrote:
| A friend of my boss recommended Ubiquiti semi-recently. We're a small IT company, plenty of theoretical expertise but no dedicated network admins, so it made sense to go on a recommendation.
|
| The fact that doing _anything_, for example assigning a VLAN to a switch port, requires you to first set up a mongodb server on your machine before you can install the controller software tipped me off to the quality of what we had bought. The device also gets like 80degC while idle.
|
| This controller software is now on isolated hardware, we trust the thing about as much as an old Android phone, and that was just from our impression as security people without knowing of any breach.
|
| I see it as a good thing that other friends of $friend will be spared that recommendation after this news.
|
| imwillofficial wrote:
| Meraki has captured my fancy lately. Expensive but a pretty great value prop.
|
| lucb1e wrote:
| Frankly, all we needed was a switch where you can add VLAN tags and send them to a trunk port. And I suppose a password on the "I would like this VLAN on this port, please" interface is also necessary, but I think that already concludes the grand list of requirements. Everything else we control on the router.
|
| It doesn't have to be network equipment in the traditional sense: any old linux server will do, it's just that it needs to have a couple dozen network ports. Traffic can be limited to a gigabit per second between all the ports combined (no need for multi-gigabit backplanes or switch fabrics or what the correct term for that is). I'd almost buy a big USB hub and connect USB-Ethernet adapters, but that feels more hacky than core infrastructure is supposed to be.
|
| posguy wrote:
| I support two Meraki MX64 routers, they are definitely expensive and have repeatedly caused issues for my clients when their ISPs force an upgrade of the associated modem.
| Not sure what shenanigans Cisco has done with Meraki, but I have wasted hours with them on the phone trying to get these MX64's to DHCP from a new cable modem.
|
| Ended up swapping in an Archer C7 on OpenWRT with an LTE modem to ensure business continuity for the client while working with Meraki's abysmal support to get their router to work correctly.
|
| unstatusthequo wrote:
| Plaintiff lawyers will come into effect if there were actual damages as a result of this. Has anyone heard of actual breaches of their own networks as a result? If not, probably no actual damages = class action plaintiffs don't care because no $ for them. Of course this is generalizing but this is usually the calculus. I know this because I am a cyber attorney.
|
| ejb999 wrote:
| Even without actual damages, there will be a securities class-action lawsuit for anyone that lost money on the stock; and as usual lawyers will collect big payouts, and shareholders will get a few dollars if they are lucky.
|
| harry8 wrote:
| Get a few dollars from who? The owners of the company will have to pay themselves because they messed up? What a great reason to pay lawyers and clog up courts at taxpayers' expense.
|
| LgWoodenBadger wrote:
| I'm done buying Ubiquiti equipment. 6 devices, and 3 family members I recommended Ubiquiti to who also have multiple devices.
|
| Clearly the market exists for what they're offering. I am surprised at the serious lack of alternatives.
|
| skybrian wrote:
| As Matt Levine often reminds us, everything is securities fraud. This looks like a good case for a class-action shareholder lawsuit?
|
| arbitrage wrote:
| I am looking forward to my cheque in three years for $5.37.
|
| gvkhna wrote:
| I'm still on board with Uniquiti, tons of equipment and it wouldn't make sense to switch everything over for small operations.
| But this is extremely disappointing, they're definitely moving in a little bit of a different direction than where many of us would hope.
|
| More shiny products that increase bottom line is great but many IT officials rely on UniFi as well, I wonder how they're responding to enterprise customers.
|
| I just hope this incident will at least get them to put some emphasis on security again as well.
|
| neartheplain wrote:
| >I'm still on board with Uniquiti
|
| Freudian slip?
|
| liaukovv wrote:
| I wonder if you could extract costs of migration from Ubiquiti with a lawsuit
|
| madeofpalk wrote:
| Sounds like a pain that's not worth it.
|
| nomadiccoder wrote:
| You shouldn't.
|
| liaukovv wrote:
| Why not?
|
| teeray wrote:
| What I'm curious about is, if I run my own controller on my own hardware, do I need to be concerned about this? I could understand supply chain concerns... I've held off updating anything while this plays out. But all these "breach! breach!" stories fail to spell out who is affected and what they need to do.
|
| ev1 wrote:
| Force pushed updates overnight turned local controllers into requiring ui.com single sign on, iirc.
|
| Nextgrid wrote:
| If the compromise is widespread enough then the attackers might have gained control of the update infrastructure allowing them to push out malicious firmware to your devices.
|
| js2 wrote:
| These blanket statements don't apply to everyone. It depends which Ubiquiti hardware you own and how you've configured it.
|
| For example, I run the UniFi controller on my FreeNAS server. There are no forced updates to it. It doesn't update unless I update it. The firmware on my APs doesn't update unless I update them from my controller.
|
| lucb1e wrote:
| So it's a game of luck, depending on whether you updated your firmware? I would call that "affected" rather than "unaffected".
|
| Just because not everyone installs security patches within a few months after they come out (it says the breach had been ongoing for two months) doesn't mean that therefore it doesn't apply to everyone. In the strict sense, indeed not everyone will have been compromised, but it totally applies to you in the sense that through business as usual (assuming that includes installing security updates), you can be compromised.
|
| ncphil wrote:
| Agreed. My only gear is an EdgeRouter-4. Unlike the Mikrotik it replaced you have to go up, find the latest fw file, download and install (that Mikrotik router wasn't designed to handle 1 Gbps and at the time the next step up cost more than the ER).
|
| lucb1e wrote:
| So unless it hits news channels major enough that you hear about it or there is a bug that you isolate to be due to outdated firmware, you probably won't ever patch security issues in your _edge_ (outside-facing) router?
|
| izacus wrote:
| Unless you're manually verifying the content of your AP firmware updates (which is a bit hard since they're closed source), I don't understand what you're trying to say.
|
| The firmware could be compromised at the source so your FreeNAS doesn't help at all when you download and apply a compromised firmware update.
|
| Unless you're not updating your APs and keeping them vulnerable in that way :)
|
| gerdesj wrote:
| You probably don't need to be concerned(ish). I run a controller for 32 "sites" across the UK with 1 to 13 APs per site and a few switches. I keep it behind HAProxy but with fairly minimal changes (from memory.)
|
| I have stuck with controller 5.13.32 rather than moving to 6.x just yet. It's an LTS version and I'm still waiting for the whinging to stop on the forums. I also watch the AP firmware and that has had some interesting times over the last few months. I've confirmed dodgy AP versions on my sites and backrevved and held accordingly.
|
| I treat the whole thing the same way I do any other system. I come out in spots when people mention clouds and IT in the same sentence, so I have not knowingly enabled any cloudy integrations from my controller to UBNT. Specifically, I have not enabled "Remote Access".
|
| izacus wrote:
| If you read the original post, they noticed a breach when someone put an "unknown" VM on their server infrastructure. The attackers also got signing keys for firmware.
|
| So even if you run a local controller, I see two very serious vectors:
|
| 1. The "Ubiquiti account signin" functionality - you probably had it off, but I'd like a confirmation that it doesn't keep a backdoor open anyway.
|
| 2. Having a malicious firmware update put on the servers. If it took months for someone to find the vulnerability, who knows how long the servers could push compromised controller/firmware builds for the hardware.
|
| Normal_gaussian wrote:
| So Ubiquiti can't be trusted. What are the suggestions for running a series of home and small office networks in rented buildings (no cabling?). A UDM + nano ap / flex HD as wireless bridges & mesh wifi gave VLANs, performance monitoring, and an ease of use that let even a junior UI dev implement use it easily and correctly while complying with all lease req's.
|
| With the world of work at home exploding there seems to be a big missing link here.
|
| I'm sitting with a big list of q's that I'm not sure I have a decent amount of time to answer. Does switching to pfsense/openwrt/something open source work with mesh? With ease of set up? Do enterprise brands offer anything worthwhile here? Do I have to regress to letting machines connect to unsecured networks?
|
| efitz wrote:
| You get great insight into the character of the leaders of a company watching how breaches are handled.
| Companies that put the customer first are transparent, and quickly take action (even if painful to customers) to ensure that customers' data and systems stay intact and confidential. Companies that try to gloss over, hide or downplay things indicate that the leadership does not respect their customers and is only interested in maximizing profit/minimizing loss.
|
| xvector wrote:
| Ubiquiti has lost my business. And with the recent issues with Netgate/PfSense [1], it looks like OpnSense is the way to go.
|
| [1]: https://arstechnica.com/gadgets/2021/03/buffer-overruns-lice...
|
| jessebarton wrote:
| Why would you not just run OpenBSD with PF?
|
| bpye wrote:
| Why should I choose OpenBSD over FreeBSD or even Linux with nftables?
|
| dijit wrote:
| If you're really asking, and not making a point;
|
| PF is created and primarily maintained by OpenBSD
|
| OpenBSD's base system (without extra packages) includes PF and has a focus on security.
|
| PF in FreeBSD is several major versions old.
|
| nftables (like iptables before it) is rule based and not bucket based. So high numbers of rules will not affect pf's performance like it does with nftables.
|
| But, for home users, probably not noticeable. Though I prefer the syntax of PF personally.
|
| hyperpl wrote:
| Wireguard has also been stable on OpenBSD which helped me with my throughput on my apu2d router hardware.
|
| fuzzy2 wrote:
| Could you expand on what you mean by "bucket based"? Maybe the so-called "tables"? They sound pretty identical to ipset on Linux.
|
| dijit wrote:
| Usually when people talk about nftables they're talking about iptables.
|
| iptables is a frontend to the kernel framework called netfilter. It is not the only one (for example, tc controls another portion of netfilter), but it's the one people are most familiar with. When people say 'iptables', they either mean the userland tool, or the mishmash of netfilter kernel features that the tool controls.
|
| A lot of the favourable comparison of pf over iptables is that the underlying iptables/netfilter architecture is much, much messier. Here's how a packet flows through netfilter[0], and here's how it flows through pf[1]. iptables was a huge improvement over ipchains, but it's now starting to show its age.
|
| The reason this matters to sysadmins is there's a whole bunch of overlapping functionality between iptables and the other netflow tools, which can cause a lot of headache. For example, iptables can do basic connection simulation (fixed ratelimit, burstable ratelimit, drop-random, etc), but if you want to add latency to that ratelimit, then you have to use tc. Or, you can do IP-NAT in iptables, and you can also match on layer 2 (MAC) addresses - but if you want MAC-NAT, then you have to use ebtables. PF doesn't have that problem.
|
| [0]: https://upload.wikimedia.org/wikipedia/commons/3/37/Netfilte...
|
| [1]: http://mailing.openbsd.misc.narkive.com/jtIB9W3w/pf-packet-f...
|
| hyperpl wrote:
| I switched from pfsense + Ubiquiti to OpenBSD + Ruckus and couldn't be happier. While the web UIs were cool for a day, with the command line I feel as though I understand exactly what I have setup a bit better. Ruckus UI is also much more friendly than Ubiquiti's - I had to actually install mongo db + VM/dock just to configure my Ubiquiti WAP? Seriously?
|
| I just wish I had completely deleted my Ubiquiti account when I sold my WAP.
|
| posguy wrote:
| Does OpenBSD with PF have a nice web interface to administrate the firewall, DHCP server, WLANs, etc from?
|
| brian-armstrong wrote:
| Has anyone looked at Ubiquiti's firmware signing? Would it be possible to patch it to retain the drivers and kernel but replace the configuration layers? Being able to homebrew some config would make the equipment more valuable to us I think.
|
| KirillPanov wrote:
| Ubiquiti does not lock their bootloaders like phone manufacturers do.
|
| It is very, very easy to run vanilla Linux (or even OpenBSD) on their hardware. I do exactly this:
|
| https://news.ycombinator.com/item?id=26645062
|
| Octeons (not Octeon-TX) are amazing processors. Ubiquiti makes killer hardware. I hear their software is junk but wouldn't really know since I always erase it immediately after unboxing.
|
| catblast01 wrote:
| > An Intel Goldmont won't use much more power and can easily do gigabit sqm and wireguard/IPSec without breaking a sweat. Can any of these nearly 2 decade old MIPS/ARM designs come close? I don't understand the hype for the hardware either.
|
| jjeaff wrote:
| Can you still take advantage of the hardware accelerated features? Because I use a little er-x and if you turn on qos, that disables the hardware acceleration and top speeds are cut considerably.
|
| rexfuzzle wrote:
| AFAIK they've started locking them now, since about v5 if memory serves. Got a couple gathering dust now because of this.
|
| gertrunde wrote:
| People have been running OpenWRT on Ubiquiti gear for quite a long time iirc.
|
| [https://openwrt.org/toh/ubiquiti/start]
|
| Hikikomori wrote:
| Afaik performance will be abysmal on edge router series as the npu isn't used.
|
| KirillPanov wrote:
| From firsthand experience: performance is in fact awesome on the edgerouters (4, 6, 8, and 12) using plain-vanilla Linux.
|
| It's a big honking MIPS chip with firehose connections to the ethernet PHYs. Precisely the kind of device you want for a router.
|
| Hikikomori wrote:
| Then you are better off buying something with a beefier cpu that costs less since it doesn't have an npu.
|
| adriancr wrote:
| Couldn't find dream machine support there unfortunately, shame since I have one gathering dust now
|
| rossipedia wrote:
| > Ubiquiti also hinted it had an idea of who was behind the attack, saying it has "well-developed evidence that the perpetrator is an individual with intricate knowledge of our cloud infrastructure.
| As we are cooperating with law enforcement in an ongoing investigation, we cannot comment further."
|
| I personally don't believe this. IMO, this is a company who is looking for a fall guy, and _most likely_ it's going to be somebody who raised a stink about all the security problems during their time there.
|
| Form your own opinion, I'm just a guy who worked at Ubiquiti for a year, raising all kinds of hell about the security, architectural, and operational problems that I saw while I was there.
|
| But what do I know...
|
| edoceo wrote:
| I hope you don't end up fulfilling your own prophecy
|
| rossipedia wrote:
| I'm pretty sure I'm safe. I left as soon as I could (almost 2 years ago) once I realized how institutionally broken the company was.
|
| judge2020 wrote:
| Given they were stupid enough to spin up some VMs, I doubt it was someone that knew what they had access to. A skilled attacker would stay dormant sucking up all data accessible via the AWS API (including s3 stuff) and potentially keep access to the infrastructure for years.
|
| throwaway8581 wrote:
| This kind of analysis is basically worthless because you don't know whether they are operating at multiple levels of deception by, e.g., making you think they are a stupid script kiddie and that you successfully wiped them out.
|
| smashed wrote:
| There is no evidence that this did not also happen.
|
| [deleted]
|
| TeMPOraL wrote:
| That would be the reverse of the usual strategy, wouldn't it? Most companies seem to try to pin breaches on sophisticated hacker groups backed by nation states. But then, they benefit from the perception of a threat that's impossible to defend from (so there wasn't anything they could do) - whereas Ubiquiti benefits from people thinking the attack was just a small actor that couldn't possibly threaten Ubiquiti's customers.
|
| rossipedia wrote:
| Yes, you're right. But I don't really expect them to make the "smart" or "usual" play.
| That would honestly surprise me. Now, pinning it on somebody that was generally disliked because they constantly blocked things that had obvious gaping security holes? Basically siccing law enforcement on somebody out of pure spite? I can absolutely believe that.
|
| ghughes wrote:
| This quote says nothing at all. _Obviously_ the perp is someone with intricate knowledge of their network.
|
| They might as well come out and say they have well-developed evidence that the perpetrator has an IQ over 50.
|
| rossipedia wrote:
| I mean, don't get me wrong, there absolutely _is_ somebody who's responsible for it, but I wouldn't place any money on Ubiquiti being able to figure out who it really was.
|
| They want to brush this under the rug as fast as they can, and that means using the opportunity to pin it on somebody that's been "problematic".
|
| dylan604 wrote:
| Are you volunteering for the role? It almost reads as if you are expecting to be named on a list of potential suspects.
|
| admax88q wrote:
| Or he _is_ the culprit trying to get ahead of the story.
|
| vvanders wrote:
| Damn, that's pretty depressing.
|
| I really wouldn't like to migrate away but I can't say all the info that's been coming back has been making me want to have them as a part of my network infrastructure.
|
| bpye wrote:
| During this week I've been playing around with replacing my USG with my existing home server - it already has two NICs - my first thought was to run OPNSense in a VM but nftables on NixOS seems to work well enough - there are a few examples floating online [0,1]. OpenBSD even supports the USG [2] but I couldn't think of much reason to keep the extra hardware.
|
| The next thing I want to do is reflash my Unifi APs with OpenWRT [3] - the hardware is fine, but at that point I'll get all the support without the controller software.
|
| My home environment is fairly basic so moving away isn't too hard - this would obviously be much harder for a small business...
|
| [0] - https://francis.begyn.be/blog/nixos-home-router
|
| [1] - http://www.willghatch.net/blog/2020/06/22/nixos-raspberry-pi...
|
| [2] - https://www.openbsd.org/octeon.html
|
| [3] - https://openwrt.org/toh/ubiquiti/start
|
| lostlogin wrote:
| > replacing my USG with my existing home server
|
| I like this idea too, but would prefer that the router was physically separated and before any hardware that was in the network.
|
| Is this a pointless concern?
|
| posguy wrote:
| I want to fire Ubiquiti, but where can I go to get my router, wireless access points and switches in one management interface? There are plenty of poorly performing consumer grade options out there which hide all complexity, but they break in fun ways (eg: Google WiFi creating loops in the network when users try to do wired backhaul) and only tackle part of the stack.
|
| I really just want to manage an OpenWRT based network with one central web interface and not have to deal with corporate/state entities deciding to push fun changes out in the management interfaces that power these systems.
|
| bpye wrote:
| It's an interesting idea to have a single pane of glass management experience for OpenWRT - given that all config is under UCI [0] it seems very possible. One of the things on my todo list is to try and get Nix to push config to my Unifi APs when I flash them with OpenWRT.
|
| [0] - https://openwrt.org/docs/guide-user/base-system/uci
|
| posguy wrote:
| Take a look at https://openwisp.io/docs/ as it can accomplish this today.
|
| mopsi wrote:
| I keep seeing the requests for central management interface, which leave me somewhat puzzled. Why do you need it in a home environment? I run a small network with one big router and several access points, and at least with Mikrotik's gear, it's pretty much fire and forget.
| It has CAPsMAN[1] to centrally manage wireless networks, but I've found it to introduce unneeded complexity. Auto-updates[2] don't need any central management either. Monitoring can be done through SNMP[3], and there's a REST API too[4].
|
| [1] https://wiki.mikrotik.com/wiki/Manual:CAPsMAN
|
| [2] https://wiki.mikrotik.com/wiki/Manual:Upgrading_RouterOS#Rou...
|
| [3] https://wiki.mikrotik.com/wiki/Manual:SNMP
|
| [4] https://help.mikrotik.com/docs/display/ROS/REST+API
|
| posguy wrote:
| I have a good deal of experience with Mikrotik's offerings, and I am not looking to power networks I support with a patchwork of different systems that each have their own interface.
|
| Most of the value proposition of the Unifi lineup is I can look at a single website that I host and see the WiFi clients connected to an access point, what switch feeds that access point internet (and whether it's linked at gigabit or 100Mbps), uptime on all devices involved in the stack, whether the client has poor WiFi quality, trouble DHCPing, etc.
|
| The single pane of glass to view everything when I am many miles from the networks I support is essential. Compared to when these sites were on PFSense before migrating, these networks have improved uptime, rapid remediation of issues, and changing VLANs, SSIDs and labeling each client on the network is a snap.
|
| Edit: Borrowed /u/bpye's single pane of glass term
|
| torwayburger wrote:
| > Most of the value proposition of the Unifi lineup is I can look at a single website ...
|
| > The single pane of glass to view everything when I am many miles from the networks I support is essential
|
| It's also why we're talking about this.
|
| kweinber wrote:
| It seems the hackers currently in your network must value those same features. Very convenient.
|
| lostlogin wrote:
| > I keep seeing the requests for central management interface, which leave me somewhat puzzled. Why do you need it in a home environment?
|
| Crap wifi was a huge thing I dealt with. Unifi fixed that completely. The ability to run a relatively complex network (by home network standards) with multi access points is nice, but the ability to administer them without CLI interface is great. I loved my edge router but touched it with trepidation. It was rock solid except when I was sucking with it. Unifi suits/suited the enthusiastic amateur.
|
| > I run a small network with one big router and several access points, and at least with Mikrotik's gear, it's pretty much fire and forget.
|
| Unifi used to be too, with an interface that was a bit difficult to navigate (settings spread among about 20 tabs, but it was possible to get the job done without sshing to components).
|
| Now it's flakey. I just rebuilt mine last week which was working fine but I couldn't log in and the UDM-P screen said it required resetting. Dark times.
|
| [deleted]
|
| vmception wrote:
| yeah this is just as good as just saying it "has the hallmarks of a state-level attack", pointing at Russia and calling it a day
|
| everyone believes it
|
| harry8 wrote:
| That may have worn thin, nowadays. The average response here would have been described as cynical in the past. The Russia/China scapegoat had been way overused to the point where I'm cynical every time it comes up probably even where it's actually true, one time in a hundred or whatever.
|
| Nobody blames the NSA in these circumstances, ever.
|
| tpmx wrote:
| By now we'll have to ask: Is it realistic to expect hardware-oriented companies to build secure software?
|
| (Yes, Apple exists.)
|
| ryandrake wrote:
| Most hardware companies don't care in the slightest about software quality. To them, software is just another line item on the Bill Of Materials, like a bolt or piece of sheet metal. You either have some overworked intern who knows C cobble something together that barely works or you buy it from the least expensive supplier.
| When the build is ramping, at the end of the assembly line somebody is going to flash _something_ on the device, and they are not going to stop the line to worry about a security hole.
|
| [deleted]
|
| d-funct wrote:
| What no one seems to be really discussing is how paranoid should people be around this breach?
|
| Is it a case of you probably want to rebuild machines that have default usernames/passwords? Or is it more whatever can be seen in the Ubiquiti UI might have been accessed by third parties?
|
| rovr138 wrote:
| > Is it a case of you probably want to rebuild machines that have default usernames/passwords?
|
| I mean, regardless, most probably, the answer to this is yes.
|
| vr46 wrote:
| So this week, I have gone from having a single little USG and a massive order planned for loads of kit to stopping them automatically updating the firmware and dropping that order. Extremely annoying, but not as annoying as if this had happened in a couple of weeks.
|
| kbumsik wrote:
| I was about to buy Ubiquiti products and it is disappointing.
|
| Are there good alternatives other than DIYs like PfSense/BSD?
___________________________________________________________________
(page generated 2021-04-04 23:00 UTC)