Ubiquiti is shady. And absurdly overrated

Morgan Stanley dropped coverage on Ubiquiti.

Ok… thanks for the links. Are you going to start a discussion or provide your own input?

OK fair enough. My input here is that I’ve seen a lot of red flags about this company and it’s confusing to me as an amateur user why this company’s products get recommended all the time. (No reference this blog)

I have brought points up about this company before in other areas and I always get attacked… But the red flags are there and have been there for quite some time… I just don’t get it

Also while most people might be aware of this, spreading the word on this for people that are unfortunately in the position of having a compromised network seems like the decent thing to do but I’ll delete it if you want of course.

I don’t want to be inappropriate here though and I appreciate this site a lot, so please let me know if this is borderline not cool and I’ll delete it

I’ve got some Ubiquiti gear, so I’m mildly interested enough to click on the links.

  • I guess I’m still not a Krebs fan. That article felt a little breathless. Maybe if I understood exactly what offsite data was compromised I’d feel more strongly. Data breaches apparently happen daily, so I need to know a little more if MY data was breached. For example, if their in-house webstore transactions were leaked, then I’d know that I really don’t care about that since I didn’t buy directly from Ubiquiti.
  • The Citron article made me throw up in my mouth a little bit. I don’t recall hearing about Citron Research before, and I’m not sure if I’ve been missing out. Pop-up red conversation balloons? And here’s a quote that made me raise my eyebrows:

Citron has exposed more corporate fraud than any non-government agency based on this premise alone

Maybe Citron is a serious organization, but based on my quick scan of this article they seem breathless and sensationalist. I almost could have enjoyed their tracking down overseas distribution, but then I lost it when I saw the empty corporate office. I mean, it’s not like there’s a pandemic, and commercial real estate hasn’t been notably losing tenants?

Given that the EU regulations are pretty strict, come back when the European Commission has actually said something. Or maybe, wait until WSJ or Financial Times has done some original reporting?

This might meet my trolling quota for this month. I’ve got the gear, it works as expected. When there’s real business reporting I’ll read the story then. And I definitely don’t see evidence that my network gear from them is compromised.

It did say in the article what was breached.

But it really only applies to customers who used their cloud for configuration and access. If that is you, then yes, there is a risk they can remotely access your equipment unless you change your passwords and invalidate any previous access methods.

If you configured your Ubiquiti gear standalone and not with their cloud, you are not affected.

You can find similar info from multiple news sources.
I wasn’t writing a point by point dissertation, manifesto, or mathematical proof.

This is not the first time that they’ve lapsed on security either

But since it’s become an American pastime to attack and denounce Soviet-style the reputation of sources when the information being conveyed is uncomfortable or pisses off people’s loyalties, here’s a few more rather readily available ones for the most recent incident:


(If you respect his opinions)

Does the stolen source code not make this breach a little bit larger than just if you’ve been using their cloud?

I am under the impression that it is but I don’t know.

I believe that was before the pandemic

I’m used to getting attacked and/or getting emotion thrown at me by Ubiquiti brand loyalists. There’s been a lot of not so professionally respectable information about them and their gear that has been in the public domain now for a number of years, but it seems that like American politics we can’t even discuss the irrationality of tribal/blind brand loyalty.

The breach itself? Yes

I was addressing how it might affect the end users in particular.

If the leak of the source affects end users, it is only because of vulnerabilities discovered in their code, which would be an entirely new level of failure on their part.

Got it thanks for that.

Here’s hoping that the source code does not contain vulnerabilities that will not be exploitable on a practical level…

They have a very small team compared to networking companies that have products at similar price points from what I understand. Hopefully they allocate enough resources to it.

They so consistently have failed to put resources into simple driver development that multiple Ubiquiti users I know will tout them in one breath then tell you to never run the newest drivers, and they are gonna have the resources to cover their code if it has holes?

They had a niche. A niche that they exploited very well for a few years. A niche that got more than patched by every other player in the last few years. Been at least 3 or 4 years since I ran any of their gear. I had moved on to better, and more stable product.

I’m glad you mentioned the Ars Technica link, I’ve long enjoyed their content and have followed what they’ve written about Ubiquiti specifically. Mainly from their overall coverage, the picture I’m left with is of a company who would position themselves as innovators. But different groups within the company execute separate from one another, and without deep resourcing. And then the product implementation is uneven. Either promised features never show up, or the implementation is slow, or the implementation introduces new problems. A data breach is consistent with not robust business practice. I agree they had their niche at one time.

I bought an AC-Pro some time ago, and was absolutely a fan at that moment because nothing else was as performant and cost effective. The market changed and wifi mesh kits are clearly as performant (but not available when I installed my access point). I think it could be argued their access points are still more cost effective compared to mesh. Later I picked up an EdgeRouter but wasn’t really convinced it was the best choice. It’s obvious now a homebrew router would meet or exceed performance/cost but not power consumption. I’m considering buying IP cameras, but I don’t foresee buying from Ubiquiti. I own but have never installed a 24 port Ubiquiti POE switch that was left over from an install at work. I wouldn’t consider myself a dedicated fan, they had products when I needed them but if I had to set up my home network all again tomorrow I would likely choose to go elsewhere.

Interesting exchange. The part about Americans attacking new sources is boring. I read up on Citron Research after posting earlier, and I may have been too generous in my criticism of them. I didn’t take the time to check specifically, but it would be consistent with their historic practice to have a financial interest in Ubiquiti’s stock falling in value. I’m sure they conduct themselves legally, but the ethics of a short seller discussing security breaches when they stand to benefit financially if the stock price falls, that leaves me feeling uneasy. I admit their article was more wide-ranging than just the security breach.

Citron is a well known short selling info group. They are usually wrong in the long run however (you can Google or check Reddit for memes about it). The head of Citron was called out big time during the GME squeeze in January as he tried to bury the stock at the worst time. Since then he has said that they will not post short theses in the future.

If you’re focused on Citron and assuming that I’m ignorant enough to see any post on the Internet and think that that’s the ground truth, you’re missing the point.
Try following the links within the post, and unbiased Google searches will prove to be your friend, please.

As stated, you can find the information that they bring up elsewhere, and that I was not writing a research paper with a full works cited… I couldn’t care less about Citron, and whatever else they may happen to have on their website.
You can find enough credible information even within just the links to external sources, but Google works too.

As far as attacking the source goes, I’ll say that even at the extreme of the b.s. spectrum… even Fox News or MSNBC will occasionally say something that is true, even if it is for self-serving purposes.

I stand by the statement that Americans automatically disagree with each other without reading the contents source of information, and instead of reading it and trying to independently verify some of the statements made, we just attack the credibility of the entire organization while sometimes making vile comments about vomit in their mouths, all of which is frankly lazy and unhelpful to anyone and is rather the opposite, but it’s understandable in a human sense… we are drowning in crap and propaganda left and right all day long. And we have the most absurd, irrational/fanatical brand loyalties, whether that’s to material goods or politics or otherwise.

This has gone far afield from any type of technical discussion. I'm locking the post as it is now.

Thank you for your understanding

