So I’ve been on a privacy binge recently (well the last 5 years really), and the final piece of tech on my hit list is my networking equipment.
About 7 years ago I bought a bunch of Unifi equipment (gateway/router, PoE switch, AP, and controller) and I’ve been very happy with the results. It’s been easy to use and has allowed me to learn a lot about networking.
The only real complaint that I have is that they are a hell of a lot slower than other companies to update their equipment to better standards like 2.5GbE, WiFi 6E, 10GbE etc. Other than that the gear is baller for the price. I’ve even been eyeing off buying a Dream Machine Pro SE, because I want my switch ports back.
So back to the privacy piece. I’ve been concerned for some time about the potential for the equipment to “phone home”. I came across these posts tonight which seem to share my concerns.
Thankfully PiHole is doing the Lord’s work and seems to be blocking most of the traffic. But WTF is warranty.svc.ui.com and why does my controller need to talk to it ???
Anyway, does anyone know:
what type of data is being sent back to Ubiquiti?
Can I stop the devices from talking to Ubiquiti in the Unifi Interface?
if I block everything (in PiHole) except for the base domain (www.ui.com), will that stop all of the telemetry?
if I do block everything, can I still get firmware/software updates without having to make a custom FTP server? (it seems like they may have removed the ability to upload updates locally … )
and the biggie, if I can’t make Unifi private, what are my options for an equivalent system at a reasonable cost? Like I said, I like the ecosystem, just not at the cost of my privacy … and if that means upgrading/replacing my gear … so be it!
I’d also like to hear your thoughts on the matter. Do you use Unifi kit? Are you concerned about privacy with your networking gear? Am I just a tin foil hat wearing numpty?
First of all, thank you for doing this kind of work. I really appreciate it. One can’t be reasonably expected to buy and test all of these things. We can only rely on YouTubers/influencers/podcasters to provide these kinds of things, and not even all of them cover these things.
In the wake of the recent networking device vulnerabilities, I think most of the newer networking equipment has some sort of auto/forced updates. This is a bit ok, although I would still want some sort of control: a default setting of “auto update: on” for security updates, with respect for user autonomy (if for some bizarre reason you want it off). Anything more than that, such as the device checking a warranty server, would be undesirable from a privacy perspective.
The frustrating thing is all they need to do is have a list of these domains and what they do to put people at ease. I understand that companies need some kind of data to improve their products, but if they would be upfront about it, I’m sure there are plenty who would be cool with it.
The thing I don’t like is when you untick the box for data collection, it doesn’t turn it off… it just anonymizes it. Though I can’t say it’s enough to make me jump ship, because even if there’s gear that doesn’t do it now… it’s just a software update away. At least I know what I’m dealing with here to some degree.
Ubiquiti has a history of dropping product support if they feel it has not reached a large enough sales goal. EOLing 1-2 year old “enterprise” equipment is simply not acceptable to me. I transitioned away from their solution and ecosystem 2 years ago.
In reality the ecosystem is really an AP GUI and a Router/Gateway GUI. The switch stuff is nice, but the reality is that switches don’t have enough functions to really benefit from a single UI vs using their own web interface.
I suggest a pfSense/OPNsense/RouterOS gateway, and TP-Link Omada APs. For switches, buy what makes sense; I find great value in MikroTik for my needs, but I also have an HP 48 port for raw connectivity.
My Ubiquiti stuff doesn’t get unfettered internet access - it’s firewalled off. I don’t know if it’s trying, but the only thing I’ve allowed it to get to is the controller (a separate WireGuard tunnel interface).
It sounds like fair game to ask what these are in Ubiquiti forums.
@Den-Fi That’s curious, after you said you’d never seen it I checked my logs again. My Unifi Controller is checking warranty.svc.ui.com once a day, at about 6am local time. Maybe see what yours is up to?
If they were up front about exactly what it is that is being sent, I might not have an issue depending on what it was. But at the same time, anonymous data is never truly anonymous so I would still have some reservations.
I too get that companies need data to improve their products. But here’s the thing, Ubiquiti: I’m not your product tester. They need to test the products before I buy them. Too many companies are using their customers as their QA team and it needs to stop. Microsoft is the biggest culprit of this IMO.
Oh yeah, I get that it’s a nice to have, and now that I have it I don’t really want 4 different management interfaces to do what I want to do. If I have to in order to have my privacy, then I guess that’s what I have to do. But I really do like the Unifi-ed experience.
Do you mind if I ask how you did that? I went into the firewall settings on my Unifi Controller and the only things I can block on the WAN level are IP addresses; it won’t let me add a domain. So I could do that for now, but if Ubiquiti changes their IP it’s back to the way it was…
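An added example, written for this thread and not code from any poster, from Pi-hole or from Ubiquiti, that ties together the OP’s “block everything but www.ui.com in PiHole” question and the once-a-day warranty.svc.ui.com check seen in the controller logs: it models the Pi-hole rule pair (regex-blacklist ui.com, exact-whitelist www.ui.com) and summarises which clients query ui.com names, how often and at what hour, from dnsmasq-style pihole.log lines. The log lines, client addresses and timings are constructed assumptions, not real captures.

```python
import re
from collections import Counter, defaultdict

# Pi-hole rule pair modelled here (Pi-hole's regex filter is POSIX ERE, so no lookahead):
VENDOR_REGEX = r"(\.|^)ui\.com$"   # regex blacklist entry: ui.com and every subdomain
WHITELIST = {"www.ui.com"}         # exact whitelist; Pi-hole lets the whitelist win over blacklists

# Constructed sample of /var/log/pihole.log (dnsmasq format); not a real capture.
SAMPLE_LOG = """\
Mar 12 06:01:02 dnsmasq[812]: query[A] warranty.svc.ui.com from 192.168.1.10
Mar 12 06:01:02 dnsmasq[812]: gravity blocked warranty.svc.ui.com is 0.0.0.0
Mar 12 09:15:33 dnsmasq[812]: query[A] example.com from 192.168.1.50
Mar 12 09:15:33 dnsmasq[812]: forwarded example.com to 1.1.1.1
Mar 13 06:00:58 dnsmasq[812]: query[A] warranty.svc.ui.com from 192.168.1.10
Mar 13 06:00:58 dnsmasq[812]: gravity blocked warranty.svc.ui.com is 0.0.0.0
Mar 13 18:42:07 dnsmasq[812]: query[AAAA] www.ui.com from 192.168.1.50
Mar 13 18:42:07 dnsmasq[812]: forwarded www.ui.com to 1.1.1.1
"""

QUERY = re.compile(r"^\w{3} +\d+ (\d\d):\d\d:\d\d \S+: query\[\w+\] (\S+) from (\S+)$")
VERDICT = re.compile(r"^\w{3} +\d+ \S+ \S+: (gravity blocked|forwarded) (\S+) ")

def would_block(domain):
    """Emulate Pi-hole precedence for one name: exact whitelist beats the regex blacklist."""
    name = domain.lower().rstrip(".")
    return name not in WHITELIST and re.search(VENDOR_REGEX, name) is not None

def summarise(log_text):
    """Per vendor-matching domain: querying clients, count, hour-of-day histogram, verdict."""
    stats = defaultdict(lambda: {"clients": set(), "count": 0, "hours": Counter(), "verdict": "?"})
    for line in log_text.splitlines():
        q = QUERY.match(line)
        if q:
            hour, domain, client = q.groups()
            if re.search(VENDOR_REGEX, domain):      # ignore non-vendor noise
                s = stats[domain]
                s["clients"].add(client)
                s["count"] += 1
                s["hours"][int(hour)] += 1
            continue
        v = VERDICT.match(line)
        if v and v.group(2) in stats:               # the verdict line follows its query line
            stats[v.group(2)]["verdict"] = "blocked" if v.group(1).startswith("gravity") else "forwarded"
    return dict(stats)

def report(stats):
    """One human-readable line per domain, e.g. for a daily cron mail."""
    return [f"{d}: {s['count']}x from {sorted(s['clients'])} at hours {sorted(s['hours'])} ({s['verdict']})"
            for d, s in sorted(stats.items())]
```

Feeding the real pihole.log through summarise() shows the 6am pattern from the thread as a single hour bucket per day, and would_block() lets you check a name against the rule pair before adding it to Pi-hole.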
The EVEN FUNNIER part is they have an early access program where people buy stuff early willingly TO BE PRODUCT TESTERS. I can totally understand having mandatory data collection from people who choose early access and beta builds… but keep it at that. Some of the stuff that’s left EA before being stable totally baffles me. Though the Microsoft comparison is apt, since they too have a few levels of early access testing before stuff goes live.
I’m not using unifi for routing, only APs and Switches.
My router is a forbidden never-ever-do-this-in-a-million-years router from hell (i.e. a simple Linux Debian box with two interfaces where I can do what I want). A regular pfSense would let you do the same with the help of a PHP web app.