Ubiquiti Promised Premium, Secure Routers; Then They Were Hacked

Cloud-based routers are convenient, but are they secure?

Key Takeaways

  • Ubiquiti sells high-end consumer wireless routers and requires new customers to create an online account when setting up the hardware.
  • The company was hacked in what it initially called a minor security breach, but which experts say is far worse than minor.
  • Experts say any hardware that requires an online account could put your data, and your privacy, at risk.

Ubiquiti, a manufacturer of feature-rich networking hardware, is the latest victim of a security breach that puts customer data at risk.

Ubiquiti is one of several companies to ask (or force) customers to create an account when setting up new hardware. Other new routers like Amazon’s Eero and Google’s Nest Wifi make cloud-based accounts central to the experience and can’t be used without a connection.

Their popularity has encouraged more traditional router companies, like Netgear and Linksys, to follow suit with their own cloud-hosted or app-based options—though they’re still optional in most cases.

"The breach only means their data is now in the hands of another party, other than the vendor," Dong Ngo, editor of Dong Knows Tech and former router reviewer for CNET, said in a direct message on LinkedIn.

Ngo thinks mandatory cloud-based accounts are bad news for customer privacy and security, and has frequently cautioned his readers about the problems with cloud-based interfaces. 

Want to Trust Your Router? Ditch the Cloud

The breach of Ubiquiti’s servers is a problem for customers because many of the company’s products require creating a cloud-based account. One example is the Dream Machine, a prosumer router the company released in 2019. 

Ngo considers it a negative if a router he reviews doesn’t allow using a locally controlled alternative. He warns that network hardware relying on a mandatory cloud-based account leaves owners with no choice but to entrust their privacy and security to a third party, and limits a user’s options if a breach occurs.

What, then, is a security-conscious owner to do? "Stick with the local web interface," said Ngo. "Avoid using a mobile app."

The best option isn’t a premium router promising a robust cloud interface but, instead, a simple, inexpensive router with a local interface accessed through a web browser. 

UniFi Fans Have Their Fears Confirmed

The breach of Ubiquiti’s cloud-based server hit a sore spot for fans because the company requires that owners of most devices sign up for a Ubiquiti account during setup. The account is required to access the company’s UniFi platform, which controls the company’s routers and other networked products.

Ubiquiti’s latest statement, written in response to new allegations in a report published by security journalist Brian Krebs, was posted to its community forum on March 31.

The statement repeats that incident response experts "identified no evidence that customer information was accessed, or even targeted." Ubiquiti continues to work with law enforcement on identifying the attacker and claims to have "well-developed evidence." 

This only fueled the uproar on the company’s community forum, which serves as its main line of communication with customers.

While the company says there’s no evidence that customer data was targeted or breached, Ubiquiti didn’t refute new allegations that it failed to keep proper logs of access to customer accounts on its cloud service.

A customer posting under the name Sonar made their disappointment clear, saying, "It's extra salt in the wound that Ubiquiti has been trying to force cloud access down the throats of the poor folks [using UniFi products]."

Others joined in, threatening to boycott future Ubiquiti hardware if the cloud-based account requirement isn’t dropped in future firmware updates.

The community post discussing Krebs’ report has received over 430 customer comments and 17,000 views. Another post asking that Ubiquiti make local accounts available has received 250 comments and over 12,000 views.

It’s unclear what Ubiquiti will do to regain the trust of fans. The company did not respond to Lifewire’s request for comment and has offered no response to customers in community threads discussing the breach. 

The silence from Ubiquiti seems to confirm Ngo’s advice. A locally controlled router can certainly have vulnerabilities, but owners at least have options.

Ubiquiti’s customers face a tougher choice: continue to trust the company and hope the problem isn’t as severe as alleged, or stop using its products entirely.

This same choice awaits customers of other routers that rely on cloud-based accounts. Their simplicity and convenience may seem alluring, but the options facing users are anything but simple when the attached cloud service is breached.
