Whistleblower: Ubiquiti Breach “Catastrophic”

Very surprised I haven’t seen any comment on this on here.

I’d love to see Wendell do a video about this, because it is one total cluster…keys to the kingdom in someone’s breached LastPass, all source code stolen, Linux VMs set up by the hacker in Ubiquiti’s internal networks, and Ubiquiti’s legal department covering the whole lot up.

9 Likes

I was literally about to post this same article in the news dump. This is just ridiculous. Hopefully this will be looked into more and Ubiquiti faces some actual consequences if true.

4 Likes

Just. Wow

Cloud configured network gear. Not the best idea.

What we need is some self hosted auto config IPSec gear.

Ie. host it in your own cloud independent of vendor.

What these guys are doing isn’t rocket science, they’ve just paid people to do the legwork and bundled it up into a locked in vendor provided cloud service.

1 Like

A Ubiquiti controller can be fully self-hosted; it has the option to use a cloud account, which can be a super administrator for a system if you so choose to hook it up (or another access level).

The physical devices can be allowed to connect to talk outwards to the internet to get firmware updates, but this too can be done manually by downloading what firmware you need from their site manually and then uploading it to the controller firmware/update cache and then you can roll it out to your environment.

I agree that this sort of compromise is unacceptable for Ubiquiti, but let’s not forget that they’re one of the only vendors who doesn’t force a cloud account outright. At least not yet anyway, which is why they’re still a compelling option.

They’re serving ads to controller management pages now, as an extra F You.

Personally I’ve had less than satisfactory performance from their stuff, I spent nearly £1200 on two full sets of Unifi gear for my house and mother-in-law’s house. After far too much messing about and stuff just not working, I ended up returning it all. I’m familiar with Unifi, too - I have two sites with a lot of APs and switches, and countless APs at work, so it wasn’t a “lol, not set up n00b” situation that was causing the issues.

I think there are better solutions out there for the same money, or less. For home and MIL’s I went Asus AiMesh, and it’s been perfect, it Just Works ™.

1 Like

TBH I couldn’t give less of a shit about them promoting their own products on the main portal.

I get that some people are displeased by the principle though; to each their own.

I recently set up a UDM-Pro for a business. There was no option in the entire setup process to just use a local account. You must have an internet connection, and the super-admin account has to be cloud based.

I tried setting it up with a cloud account, adding a local account, then removing the original account but that didn’t work.

Definitely left a bad taste in my mouth.

3 Likes

Were you using a vm or a cloud key for your controller?

1 Like

Doesn’t matter what it’s running on. At work we run it off a Gen 1 CloudKey (heap of crap), at one non-profit I look after it runs off Debian Linux, and at the other non-profit it runs off Docker. Since the newest controller update it insists you link it to the cloud.

1 Like

Ah, a recent change. That’s a real bummer because the self-host nature was honestly the only truly appealing aspect. I’ll have to look at the change log closer.

2 Likes

I was using their hardware, their “Dream Machine Pro.” I would have liked to use my own hardware but this business does not need that administrative overhead, they would prefer an appliance.

Which is a shame. You would think that I could have a local account on hardware that I own, but nope.

Very unfortunate. I haven’t liked the direction Ubiquiti has been going in for a while now. I’m going to start evaluating Mikrotik to replace everything. Thankfully for me, Ubiquiti almost never EOLs or updates their network hardware, so I should get a decent price selling it despite its age.

Yep. Makes management network ports look stupid when it all ends up on someone else’s computer anyway.

AFAIK Mikrotik has one switch (CRS354-48P-4S+2Q+) that has some strange flaw with ports 1 to 8 just dropping away.
For more info, see L1T or the MikroTik Forums.

With the MikroTik gear I used so far, no issues.

2 Likes

UDM requires cloud registration because it integrates a cloud key. If you wanted completely local management you should have used the USG Pro 4 or UXG Pro.

1 Like

And of course that’s the one I was going to get… still no definitive fix either based on the mtik thread. Although maybe r2 is ok and only r1 continues to have problems?

Thanks for the tip. Might have saved me a lot of grief.

1 Like

My APs can’t talk to the internet - they can only reach my controller running on my domain over https; and I checked, and they require a valid cert. (For adoption I SSH into them).

The controller is where they download the updates from, and also download the configs from and report metrics.

The controller is running on Debian and I haven’t updated to the very latest version (running one behind latest at the moment) but I haven’t seen ads in it.

I do not have “remote login” or any cloud features enabled in the controller - other than controller checking for updates.

I do not use their routers and don’t plan to (I like to tinker with routers and roll my own), but I do have a USW Flex switch coming.

Mikrotik doesn’t have a good security track record either - they tend to be more locked down / less OpenWRT and less GPL friendly compared to Ubiquiti hardware. (In case you have old 802.11n Ubiquiti hardware that’s been EOLed, try OpenWRT … albeit that platform is pretty old so while you may end up running wpa3 somehow, ymmv).

1 Like

I’ve been recommending for years that anyone with a ubiquiti AP flash OpenWRT on top of it for reasons like this.

2 Likes

Looks like they posted an update on their own forums. Lots of words, not a lot to say though.

https://community.ui.com/questions/Update-to-January-2021-Account-Notification/3813e6f4-b023-4d62-9e10-1035dc51ad2e

1 Like