Ubiquiti

Brands

Ubiquiti product lines include UniFi, AmpliFi, EdgeMax, UISP, airMAX, airFiber, GigaBeam, and UFiber.

Their most well known product line is UniFi which is focused on home, prosumer, business wired and wireless networking in addition to IP cameras, physical access control systems, and VoIP phones. The EdgeMax product line is dedicated to wired networking, containing only routers and switches. UISP, announced in 2020, is a range of products for internet service providers.^[10]

airMAX is a product line dedicated to creating point-to-point (PtP) and point-to-multi-point (PtMP) links between networks. airFiber and UFiber are used by wireless and fiber Internet service providers (ISP) respectively.^{[citation needed]}

Software products

Ubiquiti develops a variety of software controllers for their various products including access points, routers, switches, cameras, and locks. These controllers manage all connected devices and provide a single point for configuration and administration. The software is included as part of UniFi OS, an operating system that runs on devices called UniFi OS Consoles (UniFi Dream Machine, Dream Wall, Dream Router, Cloud Key).

The UniFi Network controller can alternatively be installed on Linux, FreeBSD, macOS, or Windows, while the other applications included with UniFi OS such as UniFi Protect and UniFi Access must be installed on a UniFi OS Console device.

WiFiman is an internet speed test and network analyzer tool that is integrated into most Ubiquiti products. It has mobile apps and a web version.

U-Boot configuration extraction

In 2013, a security issue was discovered in the version of the U-Boot boot loader shipped on Ubiquiti's devices. It was possible to extract the plaintext configuration from the device without leaving a trace using Trivial File Transfer Protocol (TFTP) and an Ethernet cable, revealing information such as passwords.^[11]

While the issue is fixed in current versions of Ubiquiti hardware, despite many requests and acknowledgment that they are using GPL-protected application, Ubiquiti refused to provide the source code for the GNU General Public License (GPL)-licensed U-Boot.^[12][13] This made it impractical for Ubiquiti's customers to fix the issue.^[12] The GPL-licensed code was released eventually.^[14]

Upatre Trojan

It was reported by online reporter Brian Krebs, on June 15, 2015, that "Recently, researchers at the Fujitsu Security Operations Center in Warrington, UK began tracking [the] Upatre [trojan software] being served from hundreds of compromised home routers – particularly routers powered by MikroTik and Ubiquiti's airOS".

Bryan Campbell of the Fujitsu Security Operations Center in Warrington, UK was reported as saying: "We have seen literally hundreds of wireless access points and routers connected in relation to this botnet, usually AirOS ... The consistency in which the botnet is communicating with compromised routers in relation to both distribution and communication leads us to believe known vulnerabilities are being exploited in the firmware which allows this to occur."^[15]

2021 alleged data breach and lawsuit

In January 2021, a potential data breach of cloud accounts was reported,^[16] with customer credentials having potentially been exposed to an unauthorized third party.

In March 2021 security blogger Brian Krebs reported that a whistleblower disclosed that Ubiquiti's January statement downplayed the extent of the data breach in an effort to protect the company's stock price. Furthermore, the whistleblower claimed that the company's response to the breach put the security of its customers at risk.^[17] Ubiquiti responded to Krebs's reporting in a blog post, stating that the attacker "never claimed to have accessed any customer information" and "unsuccessfully attempted to extort the company by threatening to release stolen source code and specific IT credentials." Ubiquiti further wrote that they "believe that customer data was not the target of, or otherwise accessed in connection with, the incident."^[18]

On December 1, 2021, the United States Attorney for the Southern District of New York charged a former high-level employee of Ubiquiti for data theft and wire fraud, alleging that the "data breach" was in fact an inside job aimed at extorting the company for millions of dollars. The indictment also claimed that the employee caused further damage "by causing the publication of misleading news articles about the company’s handling of the breach that he perpetrated, which were followed by a significant drop in the company’s share price associated with the loss of billions of dollars in its market capitalization." The Verge reported that the indictment shed new light on the supposed breach and appeared to back up Ubiquiti's statement that no customer data was compromised.^[19][20]

In March 2022, Ubiquiti filed a lawsuit^[21] against Brian Krebs, alleging defamation for his reporting on their security issues. Both parties resolved their dispute outside the court in September 2022.

Other

In 2015, Ubiquiti revealed that it lost $46.7 million when its finance department was tricked into sending money to someone posing as an employee.^[22]

United States sanctions against Iran

In March 2014, Ubiquiti agreed to pay $504,225 to the Office of Foreign Assets Control after it allegedly violated U.S. sanctions against Iran.^[23]

Open-source licensing compliance

In 2015, Ubiquiti was accused of violating the terms of the GNU General Public License (GPL) for open-source code used in their products.^[13] The original source of the complaint updated their website on May 24, 2017, when the issue was resolved.^[14] In 2019, Ubiquiti was reported as again being in violation of the GPL.^[24]