43 comments

[ 3.3 ms ] story [ 101 ms ] thread
This change is a firmware update that was likely automatically installed on unaware customers equipment. Very shady.

They claim this is to "gather crashes and other critical events strictly for the purpose of improving our products", but to be honest; how often does that happen in routers? They are very barebone anyway, and were there to be any issues, they would be notified by the customer.

Having it forced with no way to opt-out is also an indication of hostility. They claim they will release a firmware update without telemetry, but no dates have been set.

They have a workaround until the firmware updated. You just need to put a firewall rule to block the url they are sending crash data to.

I have so many other devices that are snooping and constantly sending data (phones) that I don’t really care about my USG sending crash data.

I think commercial routers have a different standard to be held up to than consumer phones and iot devices.

The workaround is really lame and and blocks all traffic to the data leak domains.

I don’t want to send crash data. I also don’t trust a non-open source, non-documented, non-auditable submission of data from my network to theirs. They claim it’s only crash data, but I don’t know. They can also change it at any time as they’ve lost my trust by adding data leaks to a firmware update I accepted without knowing it.

>I also don’t trust a non-open source, non-documented, non-auditable submission of data from my network to theirs.

Do you compile the source and replace any preshipped binaries with your own? Do you audit said source yourself instead of assuming some mystery person in the open does?

You can just block any connection from the access points to the internet. They can connect to the controller and that's all the access they get. Access points have no need to connect to or be accessible from the outside world.
Ok. I get that it is best practice to give devices the least amount of access they need. But why does being able to block traffic make it okay that Ubiquity enables telemetry like this, without informed consent?
(comment deleted)
The article doesn't list which product lines are impacted, but as far as my experience goes with UniFi stuff, it doesn't auto update by default. You can turn it on in the controller but even that is unreliable at best (and not recommended, as the updates can sometimes be touchy - not to mention that the gear is offline during the update)
Wireless modems and routers were one of the more problematic pieces of tech in peoples lives. You used to have to reboot that stuff constantly. If theres any device that I want sending crash logs back to make the firmware better, its a router.

What piece of non mobile/pc tech do you run firmware upgrades on more often than a router?

Once I flashed my router with tomato I never had any problems with it again. It just works and needs nothing. Now that I set up a pi-hole I have to worry a lot less about telemetry from TVs and rogue devices.

Good technology doesn't need to be updated all the time.

Do you know if the ancient Linux kernel on your router has any security issues?

Do you receive any notification if there's ever an issue found? Is there even a centralised tracker for security issues affecting the router software?

Sometimes, things need to be updated. And consumers can't be bothered to flash a firmware image.

It's a home router, who cares. Chances are any security issue it has can only be realistically exploited on the local network. Is it really worth the trouble of constant software updates to bother to prevent? I don't think it is.
It's not that easy:

There could be a XSS vulnerability in the management interface.

There could be a vulnerability in any component which is internet facing.

The router is handling packets. There might be a vulnerability in that logic allowing for maliciously crafted packets (in the answer of a request).

> There could be a XSS vulnerability in the management interface.

Surely you aren't exposing that interface to the world at large, right?

If you click the wrong link while youre on the lan side.

Of all the devices in a house, a router should be the most important to keep up to date.

Pfsense and ddwrt were some of the first router software packages to fix DNS rebind attacks if that's what you are talking about.

If it is not, you will have to explain exactly the vulnerability works.

A link can also have an IP address as host. Many routers come with 192.168.1.1 preconfigured. With Javascript enabled you could also probe the network and craft a fitting link.

Preventing DNS rebind attacks closes only one avenue.

How would that work exactly and how would it be router insecurity?
There -could- be a lot of things. Pfsense and ddwrt were some of the very first router software packages to address DNS rebind attacks.

I think saying tomato is more secure and refined than some router that updates itself constantly to secretly bait and switch the user's expectations is an understatement.

Providing updates with a switch to opt out would be no problem to me. However they seem to be pushing the update without notice or consent, without a way to disable telemetry or automatic updates.
Your post has made it quite apparent that you have no experience managing these devices in a real world scenario.

>automatically installed on unaware customers equipment.

No.

>they claim this is to "gather crashes and other critical events strictly for the purpose of improving our products", but to be honest; how often does that happen in routers?

Also apparent you have not used their IPv6 stack nor their fq_codel implementation.

>Having it forced with no way to opt-out is also an indication of hostility. They claim they will release a firmware update without telemetry, but no dates have been set.

This move certainly made me scratch my head a little. Especially when Ubiquiti should know their customer base would be less than thrilled.

Have you owned or managed any ubiquiti hardware? The firmware is updated monthly, and there's always a detailed changlog.
HTTP/3 with DoH cannot come fast enough.
How is that relevant with telemetry? If anything, that would make it harder to block their analytic domains and stop it.
The router itself will have limited wiggleroom to snoop.
I’m so sick of the analytics theme as a way to increase revenue, instead of just innovating and making your product better. It just feels so lazy to me, and part of a checklist for any MBA type now.
Especially because most don't really use that data. It's stored because bandwidth and storage are cheap. But from all I've seen and heard, most don't really get any information from it they couldn't have gotten by just asking users.
>just asking users.

That's way easier said than done. Plus, then you have to trust users. If I want to know how often feature X is used on platform Y, having some basic telemetry is way more reliable than sending out a survey to users.

> having some basic telemetry is way more reliable than sending out a survey to users.

True, but this fact isn't important. What's important is having respect for your users and their preferences.

That's so unrelated that I'm not really sure how to respond.
You're responding to a suggestion to ask users for permission by saying "that's hard" and "telemetry data is more reliable".

Both of those points may be true. I'm claiming that the fact they may be true isn't important, though, because respecting user wishes, particularly about privacy, tops those considerations.

No, I was responding to a suggestion to ask users for the data that could otherwise be gathered by telemetry by saying that telemetry is better.
This is unfortunate. I was hoping the bad noise after this was announced would be enough for them to listen. I was literally about to buy one, and now it seems I'll just be upgrading my linux router, again.

Does anyone, literally anyone at all make hadware you can trust anymore? I feel like I am taking crazy pills.

The modern mindset for technology is not that it should enable users but that it should herd users, like cattle. A whole lot of people in this industry who like to think of themselves as technologists have this mindset. We should be surprised at the result.
I still haven't seen Ubiquiti officially acknowledging controller-level phone home. "unifi-report[.]ubnt.com" has not been mentioned anywhere in their announcement.
Any good open-source alternatives?
I use OpenWRT and couldn't be happier.
OpenWRT isn't really an alternative to the UniFi stack, unfortunately.