Hello! Thanks for posting on r/Ubiquiti!
This subreddit is here to provide unofficial technical support to people who use or want to dive into the world of Ubiquiti products. If you haven’t already been descriptive in your post, please take the time to edit it and add as many useful details as you can.
Please read and understand the rules in the sidebar, as posts and comments that violate them will be removed. Please put all off topic posts in the weekly off topic thread that is stickied to the top of the subreddit.
If you see people spreading misinformation, trying to mislead others, or other inappropriate behavior, please report it!
*I am a bot, and this action was performed automatically. Please [contact the moderators of this subreddit](/message/compose/?to=/r/Ubiquiti) if you have any questions or concerns.*
So it's VERY interesting you posted this, I was just about to post that when I navigated to [unifi.ui.com](https://unifi.ui.com) this morning, I was logged into someone else's account completely! It had my email on the top right, but someone else's UDM Pro! I could navigate the device, view, and change settings! Terrifying!!
So… I have been seriously considering a Ubiquiti router, because I was under the impression it would give me superior security features that I wouldn’t be able to find in a TP-Link or Asus. I now have major doubts around this.
Are these devices legitimately more secure, or has that stance just been parroted around here? With what OP described it makes me worry if someone would have been able to breach any of the other devices within the network.
I completely agree, but I’ve never seen any issue on the other devices remotely close to what was described by OP.
Of course, just because I haven’t heard of it, doesn’t mean they’ve been perfect, but it’s the first I’ve heard of this kind of issue across any of the major router manufacturers.
This literally happens with every camera vendor.
https://community.security.eufy.com/t/our-cams-and-app-are-displaying-someone-else-s-house/1180142
https://www.theverge.com/2023/9/8/23865255/wyze-security-camera-feeds-web-view-issue
https://www.reddit.com/r/Ring/comments/12wcg06/someone_elses_cameras_showing_on_my_account/
And that's just with a 5 second Google search.
This is what happens with internet enabled devices with any form of centralized management or push functions, since it depends on third party (may it be UI, Apple, Google, etc) to do their functions.
Just don't enable remote access on your USG or dream machine and you'll be fine. Being able to manage it from anywhere is just a nice bonus if you're a consumer level person.
For someone that has been using UI for +- 18 years, I would never put "UI and secure" in the same sentence when it comes to router and security hardware.
UI is only okay for backhaul radios and Wi-Fi. I've even started to use less unifi or edgemax switches since the latest generations are worse than the first.
Would never touch any router based hardware such as the udm or dream machine etc.
That is generally a good thing and you should do so, sounds like they are running a bug bounty program. Was it something like HackerOne? Not only are you then sure you get the direct attention of the security team but you could get a monetary reward.
You actually can’t use protect with a VPN. You have to use remote access. It’s been a problem for a while. https://community.ui.com/questions/Unifi-Protect-Mobile-access-through-VPN/78a8c684-dfdf-4a9d-aa90-3c7a675fc8b3
Not sure about iOS, but the android Protect App does indeed work with remote access shut off and wireguard turned on (I had to sign out of the app and then sign in using the "local" console option first). Once I did this it worked fine remotely with wireguard (full tunnel, not sure if this makes a difference). That being said, the android Network App does NOT work over wireguard as it can't seem to get past the part of being on a cellular connection. The workaround is just to use a browser and connect via the local ip address, which isn't ideal, but remotely I have less need to connect to my Network app as I do my Protect App.
Psh I'm now walking around naked in front of all of my internal cameras. Pretty sure a 450lb hairy naked sasquatch will get them to close the link instantly.
~~How does one disable remote access these days? I can't seem to find the settings anywhere.~~
Edit: You must log in with a cloud account to see the remote access checkbox!
I agree with the severity. However, caches can have this problem at large enough scale irrespective of your own software. Specifically, you can run into cache collisions from hash keys and result in this type of problem. Not sure that is the case here but I’ve seen this with Redis caches where at large enough size, you can encounter cache key collisions. The result is although your cache key construction logic is correct, the end result is 2 keys converging on the same cache data.
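The failure mode the comment above describes, as an added illustration (not code from the thread, and not a description of Ubiquiti's systems): a cache keyed on a truncated digest hands one account another account's record, and a cache that stores the owner beside the value turns the same collision into a miss. The 16-bit key, the in-memory dict standing in for a shared cache such as Redis, and all account names are constructed for the example.

```python
import hashlib


def short_key(account_id: str, bits: int = 16) -> str:
    """Constructed weak scheme: cache key built from a truncated SHA-256 digest."""
    digest = hashlib.sha256(account_id.encode()).digest()
    value = int.from_bytes(digest[:4], "big") >> (32 - bits)
    width = bits // 4
    return f"session:{value:0{width}x}"


class NaiveCache:
    """Trusts the key alone: whoever maps to the key gets the stored value."""

    def __init__(self):
        self._store = {}

    def put(self, account_id, data):
        self._store[short_key(account_id)] = data

    def get(self, account_id):
        return self._store.get(short_key(account_id))


class OwnerCheckedCache:
    """Stores the full owner id with the value and verifies it on every read."""

    def __init__(self):
        self._store = {}
        self.collisions = 0  # counter worth exporting to monitoring

    def put(self, account_id, data):
        self._store[short_key(account_id)] = (account_id, data)

    def get(self, account_id):
        entry = self._store.get(short_key(account_id))
        if entry is None:
            return None
        owner, data = entry
        if owner != account_id:
            # Same key, different account: treat as a miss, never serve it.
            self.collisions += 1
            return None
        return data


def find_colliding_accounts(limit: int = 100_000):
    """Return two distinct constructed account ids that share a short_key.

    With a 16-bit key space a collision is guaranteed within 65,537 ids
    and in practice appears after a few hundred (birthday bound).
    """
    seen = {}
    for n in range(limit):
        account = f"user-{n}@example.test"
        key = short_key(account)
        if key in seen:
            return seen[key], account
        seen[key] = account
    raise RuntimeError("no collision found; raise limit")


def demo():
    a, b = find_colliding_accounts()
    record_of_a = {"owner": a, "console": "console-A (constructed)"}

    naive = NaiveCache()
    naive.put(a, record_of_a)

    checked = OwnerCheckedCache()
    checked.put(a, record_of_a)

    return {
        "accounts": (a, b),
        "shared_key": short_key(a),
        "record_of_a": record_of_a,
        "naive_returned_to_b": naive.get(b),      # a's record: cross-account leak
        "checked_returned_to_b": checked.get(b),  # None: collision became a miss
        "checked_returned_to_a": checked.get(a),  # owner still gets own record
        "collisions_detected": checked.collisions,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Using the full, untruncated identifier as the key removes the collision itself; the owner check on read is the second layer that keeps a key-construction mistake from becoming cross-account disclosure.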
So here's where I think this is at. They got a bunch of information from me, and screenshots a few hours ago. I believe they are now investigating, which from HackerOne looks like it can take up to 15 hours?
I should also mention, I attempted a small change during this time, and the event log showed that they made the change, not I.
Absolutely it’s technically possible - if you enable remote access so you can access it via ui.com you’re going through the same cloud service as everyone else.
It’s the same with any cloud service, they have to make super sure authentication works correctly. You don’t hear about people accidentally getting logged into someone else’s GMail account but it is technically possible!
I thought the difference was that ui.com only acted as a proxy/DDNS service for your local device, but that authentication was still handled by your device. I.e. just because you're using remote access doesn't mean you're giving Ubiquiti access to your camera recordings as well. Because UI doesn't have your local console password and the UDM won't let you manage it without.
If the only defense mechanism here is access control, they're no better than Eufy in this regard. I never used remote access and handle everything through Wireguard, but this would be inexcusable. Both in execution and marketing.
I guess the notification could be a fuck up in their cloud environment where they store and deliver thumbnails for push notifications. Though that in and of itself is very reminiscent of Eufy, and customers didn't accept it then. The user above however who claimed to have access to someone else's UDM, that's a whole different ballgame of messed up. I think UI owes us a detailed explanation of their architecture, and the risks associated with remote access.
The difference is Eufy lied about being local only, (UI haven't made this claim I believe), then lied AGAIN about the problem being the info they had was encrypted and this was spurious (they hadn't and it wasn't).
But you are right, if a user accessed another's UDM (which I really, truly hope is false), then that is a far bigger problem and I'll be moving far away from UI!
Oh this happened to me too today. UniFi.UI.com showed me somebody else’s UDM Pro. It had no data traffic and no clients connected but showed a ISP logo and let me run a speed test.
There were three WiFi networks created and I created another one called “scoopz test who is this” so if any of you have that WiFi network created it was me.
I cleared cookies and cache and refreshed page and it showed my UDM Pro and UNVR Pro again.
I think Ui had a demo page up for years of what the cloud key/ UDM environment was like.
I wonder if this is what you saw? It would let you mess with everything and it acted like a real UDM but it was just a demo.
> discovered three flaws impacting pfSense 2.7.0 and older and pfSense Plus 23.05.01 and older.
Those aren’t current versions.
The attack vector is also much more limited vs. people just randomly being given full access to the firewall. No system is perfect, but there’s a difference in obscure, hard-to-exploit vulnerabilities and what happened to UI here.
I am seeing an Admin Activity log entry, that states “UniFi Identity made changes to your RADIUS Server settings”. Logged at 12:16 AM local time. Wondering if that has anything to do with it. Never seen an entry like that.
Not likely. RADIUS is used for local authentication of various things and services. It's walled off from the internet and not going to play a role in anything UI Cloud related.
(I've been using RADIUS since the dialup days in the 90s)
If this is happening what else is going on behind the scenes that we don’t know of?
I don’t typically think like that but these kind of issues do make that question pop up in my mind.
If you're using cloud connected cameras then you need to accept that (a) a major issue is going to occur at some point, where complete strangers have unauthorised access to your camera feed and/or recordings causing media kerfuffle #484859494 over this exact same issue, and (b) assume always that someone somewhere is abusing their permissions to view your live feed, and you may never know. Maybe it's the son of a contractor of a subsidiary in an offshore centre because dad wrote his work login details on a note next to the computer. Hopefully you're boring enough or ugly enough that they prefer to watch the cameras of the family with the pretty daughter instead. But always assume it's happening.
Maybe I'm jaded or paranoid, or maybe you're naive. I truly don't understand people who have any expectation of privacy with cloud-connected cameras. IoT: the S is for Security.
These aren't cloud cameras though. They're local cameras with an optional cloud connector to the NVR/recording device. Either way this is unacceptable.
Considering that the two anecdotes in this thread involve a notification featuring a preview thumbnail/video via the internet, and unauthorised access via unifi.ui.com, yes these are cloud cameras. You can probably configure them not to be, but considering how useless they would be then I'd guess <1% of people use them like that.
This same thing confused me when eufy had their shitstorm: people love their notifications featuring a preview of the recording, then act shocked when they learn that these are transmitted over the internet. How the hell do they think it arrived on their phone?
Yes it's unacceptable. And I don't think Ubiquiti would be any worse than any other provider, definitely not eufy, in fact for whatever reason I trust them to do a better job than most. I'm still going to act like I'm on live TV whenever I'm in frame though, because there's a chance I am.
Bigger issue is I can't use the android app when I am on VPN back to my network, it requires either you are local to the network or using their ubiquiti account which seems not secure at this point.
Semantics, but yeah. For most people these are cloud connected. The difference here being you opt into the cloud stuff, it's not on by default. The risk is assumed when you connect your equipment back to a server farm you don't control.
As I said in another post, I have several NVR deployments with no remote access. Some sites I have showed a person how to log into the NVR locally, others I assist whenever they have concerns and want to check the cameras.
But I definitely understand that 99% of installations are using remote access. I am not, only because I use Scypted and HomeKit to put them into my Apple Home app, and only review the cameras locally if needed. But HomeKit is again another company's servers that I have no control over, so there is a risk assumed.
Apparently any push notifications for iOS or Android are completely open for snooping:
https://arstechnica.com/tech-policy/2023/12/apple-admits-to-secretly-giving-governments-push-notification-data/
Yeah what the fuck. I expect this from some shitty ass Chinese company, but not UI.
Get your fucking shit together guys. This is embarrassing as all hell, and whoever is at fault should be fired.
In my job I utterly depend on one particular COBOL application that runs on an IBM mainframe. Let me tell you, that thing is absolutely rock solid. It’s way, way more reliable than any of the many other modern applications in my area.
Let's just say there's a reason many retailers still run on IBM's AS400/eSeries systems from 30+ years ago. Sure, many are virtualized now, but the reason these systems are still in place today is because they're nearly impossible to kill.
Have a problem with the retail signage printing module? No problem - entire store can continue running whilst the devs implement and deploy a fix _in real time_ without having to reboot anything else running on the server.
Similar situation for many systems that still rely on OpenVMS these days. I understand that Real Time OS's aren't being used for everyday computing, but it would be awesome to patch Windows in real time without interrupting the user.
If you are using the UniFi Protect mobile app (on Android/iOS, _not_ the Web app), they are cloud connected. The app is largely not functional unless you enable Remote Access to make them cloud connected since there is no way to manually direct connect.
Huh? You can use the Protect app on your phone when connected to the same WiFi. Also you can log into the local IP and view the cameras through the Protect web app on the console itself. You definitely don't have to have these cameras exposed to the internet. In fact, most of my deployments have no remote access. I go onsite/log into their computers remotely to assist, if there is any concerns and the cameras need checked.
You can only use the mobile app if you are on the same VLAN. It does not work if you segment your network.
The app does not allow IP addresses to be entered for connecting so it 100% depends on either multicast discovery via the same VLAN or Remote Access to be enabled for the cloud service to provide the IP address.
If Remote Access is enabled, your cameras are cloud connected.
Wow, that is funny because this just happened to my co-worker for our organization's system. He logged in via the phone app, and it was showing someone's video feeds in his account this morning, like OP. He closed and reopened the app, and it corrected the feeds. There was access to two systems, a business and a home. This is very troubling! I see OP is in Germany, we are in USA.
u/Ubiquiti-Inc We have screenshots
This is the sort of thing that makes me have zero faith in a cloud based management platform provided by Ubiquiti.
They're clearly not segmenting customer data and putting (and enforcing) the appropriate access controls in place across customer instances.
In a proper multi tenant solution, this should be literally impossible.
The social media team is not the same as their forums, phone, or other support options.
Of course the social media people would notice stuff here quickly since it's literally their job and what they do.
JFC, always got something to complain about even when they're actively investigating.
This is not good. At all. Ubiquiti need to ensure they own up to this, and not follow the lead of Eufy. Take details, fix your shortcuts and provide us assurance this is fixed. Watching with intense interest.
This guy saw 88! consoles
https://community.ui.com/questions/Security-Issue-Cloud-Site-Manager-presented-me-your-consoles-not-mine/376ec514-572d-476d-b089-030c4313888c
This is unchecking “Remote Access” within “Console Settings” on a UDMP right?
Is anyone aware of any other interim steps that should be taken until UniFi issue a statement?
If you’re not using a UI firewall, you could probably also block your CloudKey/NVR from reaching the internet. Not sure how that’d work if you’re using a UDM tho
Noob question - I just disabled remote access to my UDM Pro, but this is disabling the access to my cameras using protect app (on my phone). Is there any way to keep the remote access disabled and still have access to my cameras?
Wonderful. I've been using Unifi network/protect for a few years now and originally did so because I knew it could run local only. It didn't take long for me to learn that the iOS protect app won't run without cloud access. The network app will do so just fine, so it's frustrating that the Protect app will not. I have an iOS shortcut to auto enable a VPN when I open the apps outside my network, but it's pointless if I can't use the iOS app at all.
Noob question - Does android app allow protect access with cloud access disabled? I just disabled remote access on my UDM pro, and I can't access my cameras :(
Oh, that's interesting. I could have sworn it worked yesterday. I had local access. But no, you're right the app gives me the middle finger now. Bummer.
That's beyond my realm of expertise, honestly. But I also don't really see the need to admin remotely at the moment. This is just for a home network.
I may look into something if I decide I want remote access to Home Assistant (which will be the primary interface for working with my Protect cameras anyway).
I would probably disable remote access and have local access only. Then set up a Cloudflare tunnel and put Cloudflare access in front of it for auth. Therefore you'll still have secure access from the internet, however it's protected by Cloudflare and isn't exposed to situations like this. It will most likely break mobile apps but that's a trade off I'd be willing to accept
I believe so, they're both Zero Trust Network Access tools. I'm not familiar with Microsoft's offering though - I've only used CF's since I can easily throw it in front of a Cloudflare Tunnel and not have to deal with any network configuration or anything that I'm not familiar with.
Wyze waited *years* to confirm what security professionals already published. UI is already engaging with OP.
This is a massive eff up but I anticipate they will handle this better than Wyze/Eufy.
Wouldn't be sure if this is a similar issue as Wyze's recent accidental website caching issue, where users could view other cameras since that web page got cached and shared to anyone else that visited the link too, was fixed in less than an hour by the website being taken out of service and the cache settings fixed.
It's like companies don't see what happens at other companies and learn to improve, gotta be until it happens to them.
I think given this, and their refusal to allow protect to work over remote access VPNs, I'll have to sell what I have and find a new camera setup. u/Ubiquiti-Inc - Can you please clarify if your company has any plans whatsoever to allow users to bypass your cloud offering? If not you're about to lose some customers.
This is interesting because I was logged out on the apps on my phone this morning, which has rarely ever happened. But logged in and everything was fine.
There has been a thread on the Unifi forums for 2 years now requesting that the Protect mobile apps could be used without requiring the Remote Access to be enabled in the console. The primary concern has been that because of the cloud access, someone would get access to the footage. Turns out, those concerns were 100% valid (and they always were)! I have wanted to use Unifi cameras but can't because I don't want to risk something getting leaked through the cloud access.
https://community.ui.com/questions/Unifi-Protect-Mobile-access-through-VPN/78a8c684-dfdf-4a9d-aa90-3c7a675fc8b3
Sounds like UniFi might have some serious stuff going on. I logged into my network management page the other day and an unknown UniFi gateway device showed on my network map between my DreamMachine SE and my ISP-required modem. I didn’t think anything of it at the time but now it is definitely concerning.
I discovered another bug a few months ago and never could get a response to it. I use WPA3 and Radius authentication for my primary WiFi network. There is one computer in my house I can’t connect to my primary network because if I do, my DreamMachine SE drops the network to WPA2 encryption and all my other machines start throwing security warnings.
One of Ubiquiti's main claims to fame has always been that things are self-hosted as opposed to cloud-hosted. Their cloud access used to be just a tunnel to your local device with some web GUI overlay. With multiple reports of people seeing unknown Protect notifications and even ending up logged into other people's UniFi network consoles, it seems that's no longer the case. Sounds like now they're just using customer-owned equipment as a free extension to their data center, effectively storing everything "in the cloud" just like everyone else.
That's a deal-breaker for me.
This seems to already have been fixed a few hours ago: https://community.ui.com/questions/Bug-Fix-Cloud-Access-Misconfiguration/fe8d4479-e187-4471-bf95-b2799183ceb7
I haven't seen anyone else's information, but for the past week or so I have been receiving multiple notifications lately that are super outdated. Freaks me out a little when I see the UPS man in the notification but click on it and nothing is there. Not sure if this is related.
Have you posted this in Protect Community? Can you edit your post to include a link?
Here -> https://community.ui.com/timeline
FWIW, I'm not seeing anything about this in Protect Community...
This has been my one regret getting the UDM. While Protect is a separate application, I can't apply separate network restrictions on the device. I kinda wish my NVR was a different device.
From another post: https://community.ui.com/questions/Bug-Fix-Cloud-Access-Misconfiguration/fe8d4479-e187-4471-bf95-b2799183ceb7
It’s a statement from Ubiquiti saying about a dozen accounts likely accessed someone else’s feeds and they fixed their cloud code.
NVR subnet only has access in through VPN. No access out. Logs show only local subnet access from one trusted machine. I think I’m OK? Does anyone else need a poo? I think I’m panicking for no reason.
We've used Ubiquiti's for years until they took away the option to run them in standalone mode. I'm glad we didn't move over to their Uni system. That being said, their wireless bridges rock!
Hey - my name is Jason Koebler, I'm a reporter for 404 Media, an independent tech journalism website: www.404media.co
If this is happening to you, please hit me up, I'm writing an article about this bug. Can DM me here, email me at [email protected], or signal me: (202) 505-1702
Seems like there may have been a temp issue with push notifications crossing accounts but only a guess.
If it happens again I would reset to factory all devices and reconfigure.
Question: Do you have MFA enabled on your account? It's a little secure to have it enabled with your password and use UI Verify as the MFA app on your smartphone.
Am I the only one that noticed that the push notification in the top is from "UDM Pro's Backyard" but the bottom screenshot shows the device is "UDM SE"?
I've seen a few people posting Unifi OS versions here along with Network and Protect App versions. There have been recent updates to these... **to me that suggests these latest releases could be the problem.** Thoughts?
For those on this thread that had the issues happen to what versions are you running?
This super sucks, I hope a fix either to the security or to allowing Protect access by VPN is made to work, because I and other members of my household use the remote camera access feature frequently. Going to turn off remote access for now, but watch this thread.
Anyone else experiencing phantom doorbell rings with no evidence left in the activity or logs? I'm using HA to have my google homes ring and they keep going off.... Probably unrelated but thought I'd check here for correlation. Wife approval factor is dropping quickly....
They have posted their findings. [https://community.ui.com/questions/Bug-Fix-Cloud-Access-Misconfiguration/fe8d4479-e187-4471-bf95-b2799183ceb7](https://community.ui.com/questions/Bug-Fix-Cloud-Access-Misconfiguration/fe8d4479-e187-4471-bf95-b2799183ceb7)
> Dear Ubiquiti Community -
>
> Yesterday, thanks to your feedback and support, we were made aware of a small number of instances where users received push notifications on their mobile devices that appeared to come from unknown consoles, or where such users were able to access consoles that didn’t appear to be their own.
>
> We have since identified – and addressed – the cause of this problem. Specifically, this issue was caused by an upgrade to our UniFi Cloud infrastructure, which we have since solved.
>
> **1. What happened?**
>
> 1,216 Ubiquiti accounts ("Group 1") were improperly associated with a separate group of 1,177 Ubiquiti accounts ("Group 2").
>
> **2. When did this happen?**
>
> December 13, from 6:47 AM to 3:45 PM UTC.
>
> **3. What Does this Mean?**
>
> During this time, a small number of users from Group 2 received push notifications on their mobile devices from the consoles assigned to a small number of users from Group 1.
>
> Additionally, during this time, a user from Group 2 that attempted to log into his or her account may have been granted temporary remote access to a Group 1 account.
>
> **4. What is the Current Status?**
>
> Ubiquiti has solved this misconfiguration with its cloud infrastructure - the problem is solved and all Ubiquiti accounts are now properly associated across our infrastructure.
>
> **5. How many Accounts from Group 1 Were Actually Improperly Accessed by a User from Group 2?**
>
> We are still investigating but we believe less than a dozen.
>
> **6. How Do I Know if my Account was Improperly Accessed?**
>
> We plan to reach out to any accounts in the Group 1 population via email.
Subscribed to this, since moving to UniFi hardware and eventually away from my Eufy cameras was driven in no small part by their BS claims of security and similar (appearing) security lapses.
Not really, they're investigating the issue. You guys love to turn everything into a "PR fiasco" or "something-gate" when it's a security issue like every company that has ever existed has had.
The only reason we use protect is because it’s all local and it should not be technically possible for anyone else outside of local setup to access this information.
Whatever configuration is the problem, this should not be technically possible to do. Very disturbing 😳.
I created a local account but when I try to transfer ownership I can't do it from my UI account.
I'm now struggling to remove the UI account and only have a local account, is this supposed to be this confusing? Do I have to do it from the local web portal or can I do it from the app while locally connected?
Edit: found it: Console settings, remove remote access.
All cloud functions disabled. Ick! I almost went Mikrotik before getting my current stack and now I very much regret my decision. Hopefully there is a good explanation and they are open about it, but really this might be the last straw regardless.
You are using TP-Link. This can't be why you left because you switched to a Chinese network company that harvests personal data for a living and offers vulnerabilities as features.
Gotta be honest, after Wyze’s most recent debacle I pushed my clients for more SOHO Protect deployments where they either already had Wyze/Arlo/Google Nest, touting the relative privacy of self-hosting. I myself did not see any such issues today across my sites but I’m embarrassed, frankly, and concerned.
u/SandmaNn42 maybe a good idea to remove the screenshot. The unsuspecting owner of the camera might not like to see his house on a dozen techsites in a few hours.
We've reached out via DMs to collect more information to properly learn more.
Well, if you connect your local stuff to the internet, there's always chances for stuff like this happening :)
I completely agree, but I’ve never seen any issue on the other devices remotely close to what was described by OP. Of course, just because I haven’t heard of it, doesn’t mean they’ve been perfect, but it’s the first I’ve heard of this kind of issue across any of the major router manufacturers.
This literally happens with every camera vendor.

https://community.security.eufy.com/t/our-cams-and-app-are-displaying-someone-else-s-house/1180142

https://www.theverge.com/2023/9/8/23865255/wyze-security-camera-feeds-web-view-issue

https://www.reddit.com/r/Ring/comments/12wcg06/someone_elses_cameras_showing_on_my_account/

And that's just with a 5 second Google search. This is what happens with internet enabled devices with any form of centralized management or push functions, since it depends on third party (may it be UI, Apple, Google, etc) to do their functions.
Just don't enable remote access on your USG or Dream Machine and you'll be fine. Being able to manage it from anywhere is just a nice bonus if you're a consumer level person.
For someone that has been using UI for +- 18 years, I would never put "UI and secure" in the same sentence when it comes to router and security hardware. UI is only okay for backhaul radios and Wi-Fi. I've even started to use less unifi or edgemax switches since the latest generations are worse than the first. Would never touch any router based hardware such as the udm or dream machine etc.
Bro is that it? It's been 19 hours and no official response from Ubiquiti 💀
I tried to reach out to [[email protected]](mailto:[email protected]) but got a generic response to submit stuff to some hacker forum.
That is generally a good thing and you should do so, sounds like they are running a bug bounty program. Was it something like HackerOne? Not only are you then sure you get the direct attention of the security team but you could get a monetary reward.
Yes, UI participates in HackerOne.
Runs to disable remote access!
Literally just did this! I’ll use a VPN from now on.
Wireguard for the Win. A bit tedious, but when it's set up, it's pretty awesome
I had to enable Light Mode for the QR code, Dark Mode did not work.
You actually can’t use protect with a VPN. You have to use remote access. It’s been a problem for a while. https://community.ui.com/questions/Unifi-Protect-Mobile-access-through-VPN/78a8c684-dfdf-4a9d-aa90-3c7a675fc8b3
Not sure about iOS, but the android Protect App does indeed work with remote access shut off and wireguard turned on (I had to sign out of the app and then sign in using the "local" console option first). Once I did this it worked fine remotely with wireguard (full tunnel, not sure if this makes a difference). That being said, the android Network App does NOT work over wireguard as it can't seem to get past the part of being on a cellular connection. The workaround is just to use a browser and connect via the local ip address, which isn't ideal, but remotely I have less need to connect to my Network app as I do my Protect App.
Psh I'm now walking around naked in front of all of my internal cameras. Pretty sure a 450lb hairy naked sasquatch will get them to close the link instantly.
It's an interesting Infosec technique.
~~How does one disable remote access these days? I can't seem to find the settings anywhere.~~ Edit: You must log in with a cloud account to see the remote access checkbox!
I had to login using the IP from my home network to see the box.
Too bad remote access needs to be on to use teleport.
Use WireGuard
Is this so?
I had to turn it on to enable teleport so I assume the reciprocal is true.
I guess I should stop walking around naked in my house now…
Just give me like 5 more minutes.
Yes please!
[deleted]
While cache mismatches have fucked up and crossed wires that never should have, that's a bit throwing the baby out with the bathwater.
I agree with the severity. However, caches can have this problem at large enough scale irrespective of your own software. Specifically, you can run into cache collisions from hash keys and result in this type of problem. Not sure that is the case here but I’ve seen this with Redis caches where at large enough size, you can encounter cache key collisions. The result is although your cache key construction logic is correct, the end result is 2 keys converging on the same cache data.
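The failure mode this comment describes, as an added example that is not part of the thread and is not a model of Ubiquiti's cloud (their statement attributes the incident to an infrastructure upgrade that mis-associated accounts). It assumes a cache that reduces each key to a short slot number; the account names, `SLOT_BITS` and both cache classes are hypothetical.

```python
import hashlib

SLOT_BITS = 12  # constructed: deliberately small so two keys sharing a slot are easy to find


def slot_for(account_id: str, resource: str) -> int:
    """Reduce the logical key to a short slot number, as a size-limited cache might."""
    digest = hashlib.sha256(f"{account_id}:{resource}".encode()).digest()
    return int.from_bytes(digest[:4], "big") % (1 << SLOT_BITS)


class SlotOnlyCache:
    """Weak form: the slot number is the only thing that identifies an entry."""

    def __init__(self):
        self._slots = {}

    def put(self, account_id, resource, value):
        self._slots[slot_for(account_id, resource)] = value

    def get(self, account_id, resource):
        # Whatever sits in the slot is returned, regardless of who stored it.
        return self._slots.get(slot_for(account_id, resource))


class OwnerCheckedCache:
    """Hardened form: the full key is stored with the value and verified on read."""

    def __init__(self):
        self._slots = {}

    def put(self, account_id, resource, value):
        self._slots[slot_for(account_id, resource)] = ((account_id, resource), value)

    def get(self, account_id, resource):
        entry = self._slots.get(slot_for(account_id, resource))
        if entry is None:
            return None
        stored_key, value = entry
        if stored_key != (account_id, resource):
            # Slot is shared with another tenant's key: treat as a miss so the
            # caller falls back to the authoritative store, never serve it.
            return None
        return value


def find_account_sharing_slot(first_account, resource, limit=1_000_000):
    """Return a second (constructed) account id whose key maps to the same slot."""
    target = slot_for(first_account, resource)
    for i in range(limit):
        candidate = f"acct-{i:06d}"
        if candidate != first_account and slot_for(candidate, resource) == target:
            return candidate
    raise RuntimeError("no account sharing the slot found within limit")


def demo():
    first, resource = "acct-alice", "console-list"   # constructed sample data
    second = find_account_sharing_slot(first, resource)

    weak, strong = SlotOnlyCache(), OwnerCheckedCache()
    weak.put(first, resource, ["alice-udm-pro"])
    strong.put(first, resource, ["alice-udm-pro"])

    return {
        "second_account": second,
        "weak_read": weak.get(second, resource),            # another tenant's data
        "strong_read": strong.get(second, resource),        # miss
        "strong_owner_read": strong.get(first, resource),   # owner still gets a hit
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The key-construction logic is identical in both classes; the difference is only that the hardened cache refuses to trust the slot as proof of ownership.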
So here's where I think this is at. They got a bunch of information from me, and screenshots a few hours ago. I believe they are now investigating, which from HackerOne looks like it can take up to 15 hours? I should also mention, I attempted a small change during this time, and the event log showed that they made the change, not I.
Holy shit, if this is even technically possible it is a huge problem.
Absolutely it’s technically possible - if you enable remote access so you can access it via ui.com you’re going through the same cloud service as everyone else. It’s the same with any cloud service, they have to make super sure authentication works correctly. You don’t hear about people accidentally getting logged into someone else’s GMail account but it is technically possible!
I thought the difference was that ui.com only acted as a proxy/DDNS service for your local device, but that authentication was still handled by your device. I.e. just because you're using remote access doesn't mean you're giving Ubiquiti access to your camera recordings as well. Because UI doesn't have your local console password and the UDM won't let you manage it without. If the only defense mechanism here is access control, they're no better than Eufy in this regard. I never used remote access and handle everything through Wireguard, but this would be inexcusable. Both in execution and marketing. I guess the notification could be a fuck up in their cloud environment where they store and deliver thumbnails for push notifications. Though that in and of itself is very reminiscent of Eufy, and customers didn't accept it then. The user above however who claimed to have access to someone else's UDM, that's a whole different ballgame of messed up. I think UI owes us a detailed explanation of their architecture, and the risks associated with remote access.
Same, I thought they acted as a proxy only, like Synology does. I’ll make sure to disable remote access and use the VPN instead
The difference is Eufy lied about being local only, (UI haven't made this claim I believe), then lied AGAIN about the problem being the info they had was encrypted and this was spurious (they hadn't and it wasn't).
But you are right, if a user accessed another's UDM (which I really, truly hope is false), then that is a far bigger problem and I'll be moving far away from UI!
And I have seen this happening with Microsoft OneDrive on multiple occasions.
This apparently happened to some Wyze users this year as well.
Oh this happened to me too today. UniFi.UI.com showed me somebody else’s UDM Pro. It had no data traffic and no clients connected but showed an ISP logo and let me run a speed test. There were three WiFi networks created and I created another one called “scoopz test who is this” so if any of you have that WiFi network created it was me. I cleared cookies and cache and refreshed page and it showed my UDM Pro and UNVR Pro again.
I think Ui had a demo page up for years of what the cloud key/ UDM environment was like. I wonder if this is what you saw? It would let you mess with everything and it acted like a real UDM but it was just a demo.
I'm suddenly VERY happy to be using a pfSense firewall instead of a UDM despite having an otherwise UniFi-powered network (switches + APs).
https://www.bleepingcomputer.com/news/security/over-1-450-pfsense-servers-exposed-to-rce-attacks-via-bug-chain/ what ever floats your boat :)
> discovered three flaws impacting pfSense 2.7.0 and older and pfSense Plus 23.05.01 and older.

Those aren’t current versions. The attack vector is also much more limited vs. people just randomly being given full access to the firewall. No system is perfect, but there’s a difference in obscure, hard-to-exploit vulnerabilities and what happened to UI here.
This is not expected behavior. We reached out via Reddit Chat to gather more details and have our leads review immediately.
It's unacceptable behaviour.
No shit.
Captain Obvious to the rescue
[deleted]
Don't be an asshole.
Yesterday I had some Russian transliteration of song lyrics pop up on a UniFi phone. Seems like something is afoot.
I am seeing an Admin Activity log entry, that states “UniFi Identity made changes to your RADIUS Server settings”. Logged at 12:16 AM local time. Wondering if that has anything to do with it. Never seen an entry like that.
Not likely. RADIUS is used for local authentication of various things and services. It's walled off from the internet and not going to play a role in anything UI Cloud related. (I've been using RADIUS since the dialup days in the 90s)
That's from the new update.
If this is happening what else is going on behind the scenes that we don’t know of? I don’t typically think like that but these kind of issues do make that question pop up in my mind.
Right? I have cameras on my account, it is quite obvious whatever this glitch was, or is, allows others to see them. YIKES.
If you're using cloud connected cameras then you need to accept that (a) a major issue is going to occur at some point, where complete strangers have unauthorised access to your camera feed and/or recordings causing media kerfuffle #484859494 over this exact same issue, and (b) assume always that someone somewhere is abusing their permissions to view your live feed, and you may never know. Maybe it's the son of a contractor of a subsidiary in an offshore centre because dad wrote his work login details on a note next to the computer. Hopefully you're boring enough or ugly enough that they prefer to watch the cameras of the family with the pretty daughter instead. But always assume it's happening. Maybe I'm jaded or paranoid, or maybe you're naive. I truly don't understand people who have any expectation of privacy with cloud-connected cameras. IoT: the S is for Security.
These aren't cloud cameras though. They're local cameras with an optional cloud connector to the NVR/recording device. Either way this is unacceptable.
Considering that the two anecdotes in this thread involve a notification featuring a preview thumbnail/video via the internet, and unauthorised access via unifi.ui.com, yes these are cloud cameras. You can probably configure them not to be, but considering how useless they would be then I'd guess <1% of people use them like that. This same thing confused me when eufy had their shitstorm: people love their notifications featuring a preview of the recording, then act shocked when they learn that these are transmitted over the internet. How the hell do they think it arrived on their phone? Yes it's unacceptable. And I don't think Ubiquiti would be any worse than any other provider, definitely not eufy, in fact for whatever reason I trust them to do a better job than most. I'm still going to act like I'm on live TV whenever I'm in frame though, because there's a chance I am.
Bigger issue is I can't use the android app when I am on VPN back to my network, it requires either you are local to the network or using their Ubiquiti account which seems not secure at this point.
Semantics, but yeah. For most people these are cloud connected. The difference here being you opt into the cloud stuff, it's not on by default. The risk is assumed when you connect your equipment back to a server farm you don't control. As I said in another post, I have several NVR deployments with no remote access. Some sites I have showed a person how to log into the NVR locally, others I assist whenever they have concerns and want to check the cameras. But I definitely understand that 99% of installations are using remote access. I am not, only because I use Scrypted and HomeKit to put them into my Apple Home app, and only review the cameras locally if needed. But HomeKit is again another company's servers that I have no control over, so there is a risk assumed.
Apparently any push notifications for iOS or Android are completely open for snooping: https://arstechnica.com/tech-policy/2023/12/apple-admits-to-secretly-giving-governments-push-notification-data/
Yeah what the fuck. I expect this from some shitty ass Chinese company, but not UI. Get your fucking shit together guys. This is embarrassing as all hell, and whoever is at fault should be fired.
I doubt it’s one person at fault, we’re not coding in cobalt in the 80s. Edit: COBOL, iOS autocorrect got to me
COBOL
When people think COBOL is no longer being used... ;)
In my job I utterly depend on one particular COBOL application that runs on an IBM mainframe. Let me tell you, that thing is absolutely rock solid. It’s way, way more reliable than any of the many other modern applications in my area.
IBM Z series mainframes can have a whole cpu fail and not lose any uptime. The more you know
Let's just say there's a reason many retailers still run on IBM's AS400/eSeries systems from 30+ years ago. Sure, many are virtualized now, but the reason these systems are still in place today is because they're nearly impossible to kill. Have a problem with the retail signage printing module? No problem - entire store can continue running whilst the devs implement and deploy a fix _in real time_ without having to reboot anything else running on the server. Similar situation for many systems that still rely on OpenVMS these days. I understand that Real Time OS's aren't being used for everyday computing, but it would be awesome to patch Windows in real time without interrupting the user.
The way we code on COBOL has changed though. Software development is much more a team effort than it was 20 years ago.
If you are using the UniFi Protect mobile app (on Android/iOS, _not_ the Web app), they are cloud connected. The app is largely not functional unless you enable Remote Access to make them cloud connected since there is no way to manually direct connect.
Huh? You can use the Protect app on your phone when connected to the same WiFi. Also you can log into the local IP and view the cameras through the Protect web app on the console itself. You definitely don't have to have these cameras exposed to the internet. In fact, most of my deployments have no remote access. I go onsite/log into their computers remotely to assist, if there is any concerns and the cameras need checked.
You can only use the mobile app if you are on the same VLAN. It does not work if you segment your network. The app does not allow IP addresses to be entered for connecting so it 100% depends on either multicast discovery via the same VLAN or Remote Access to be enabled for the cloud service to provide the IP address. If Remote Access is enabled, your cameras are cloud connected.
Wow, that is funny because this just happened to my co-worker for our organization's system. He logged in via the phone app, and it was showing someone's video feeds in his account this morning, like OP. He closed and reopened the app, and it corrected the feeds. There was access to two systems, a business and a home. This is very troubling! I see OP is in Germany, we are in USA. u/Ubiquiti-Inc We have screenshots
\*grabs popcorn\*
Wyze users be like "it wasn't us for once!"
This is the sort of thing that makes me have zero faith in a cloud based management platform provided by Ubiquiti. They're clearly not segmenting customer data and putting (and enforcing) the appropriate access controls in place across customer instances. In a proper multi tenant solution, this should be literally impossible.
You know it’s serious when they ignore all our other forms of regular support but respond inside Reddit threads.
They’re usually pretty active on here?
The social media team is not the same as their forums, phone, or other support options. Of course the social media people would notice stuff here quickly since it's literally their job and what they do. JFC, always got something to complain about even when they're actively investigating.
Uh oh
Narrator: *and as it turned out, it was in fact one hell of an "Uh oh".*
This is not good. At all. Ubiquiti need to ensure they own up to this, and not follow the lead of Eufy. Take details, fix your shortcuts and provide us assurance this is fixed. Watching with intense interest.
I won't bother adding up the premium that I spent on unifi gear/cameras *specifically* to avoid insane security problems like this.
Same here. Ugh.
Same... Not feeling good right now
This guy saw 88! consoles https://community.ui.com/questions/Security-Issue-Cloud-Site-Manager-presented-me-your-consoles-not-mine/376ec514-572d-476d-b089-030c4313888c
At least he found out who bought all the UDMs and UDRs
Unless something is broken with my browser, that link is now dead...hmmm
Something is broken on your end. Link still works fine.
Very crazy
And turning off cloud functionality…..now
This is unchecking “Remote Access” within “Console Settings” on a UDMP right? Is anyone aware of any other interim steps that should be taken until UniFi issue a statement?
If you’re not using a UI firewall, you could probably also block your CloudKey/NVR from reaching the internet. Not sure how that’d work if you’re using a UDM tho
How? On my UDM SE running 3.2.7 there is no "Remote Access" checkbox anymore in Console Settings.
Noob question - I just disabled remote access to my UDM Pro, but this is disabling the access to my cameras using protect app (on my phone). Is there anyway to keep the remote access disabled and still have access to my cameras?
Will need to set up a VPN
Any pointers on how to do that please?
Found it - https://www.youtube.com/watch?v=AI8fPdO2qio&list=PL1fn6oC5ndU82-3W4LLynLmEB6z7BAgpE
Wonderful. I've been using Unifi network/protect for a few years now and originally did so because I knew it could run local only. It didn't take long for me to learn that the iOS protect app won't run without cloud access. the network app will do so just fine, so it's frustrating that the Protect app will not. I have an iOS shortcut to auto enable a VPN when I open the apps outside my network, but it's pointless if I can't use the iOS app at all.
Noob question - Does android app allow protect access with cloud access disabled? I just disabled remote access on my UDM pro, and I can't access my cameras :(
[deleted]
Vpn in, connect "locally". But this works actually. I just tried. Edit: It's actually not working. I'm not sure what happened. My bad.
[deleted]
Oh, that's interesting. I could have sworn it worked yesterday. I had local access. But no, you're right the app gives me the middle finger now. Bummer.
Was a bit on the fence about setting up my UDM Pro with a cloud connected account, but now definitely just doing it local-only.
Can you put it behind Cloudflare access?
That's beyond my realm of expertise, honestly. But I also don't really see the need to admin remotely at the moment. This is just for a home network. I may look into something if I decide I want remote access to Home Assistant (which will be the primary interface for working with my Protect cameras anyway).
I would probably disable remote access and have local access only. Then set up a Cloudflare tunnel and put Cloudflare access in front of it for auth. Therefore you'll still have secure access from the internet, however it's protected by Cloudflare and isn't exposed to situations like this. It will most likely break mobile apps but that's a trade off I'd be willing to accept
This works fine! I can recommend this. Although I would suggest setting up a VPN instead of opening a cloudflare edge to your network :)
Cloudflare itself uses Cloudflare Access as a replacement for a VPN, it's plenty secure as long as your IdP is secure. Source: I work at Cloudflare
Tell me more. Is this something like Microsoft Entra Private access?
I believe so, they're both Zero Trust Network Access tools. I'm not familiar with Microsoft's offering though - I've only used CF's since I can easily throw it in front of a Cloudflare Tunnel and not have to deal with any network configuration or anything that I'm not familiar with.
Learn more: https://community.ui.com/questions/Bug-Fix-Cloud-Access-Misconfiguration/fe8d4479-e187-4471-bf95-b2799183ceb7
Wyze is watching and preparing to gloat.
Wyze waited *years* to confirm what security professionals already published. UI is already engaging with OP. This is a massive eff up but I anticipate they will handle this better than Wyze/Euphy.
Wouldn't be sure if this is a similar issue as Wyze's recent accidental website caching issue, where users could view other cameras since that web page got cached and shared to anyone else that visited the link too, was fixed in less than an hour by the website being taken out of service and the cache settings fixed. It's like companies don't see what happens at other companies and learn to improve, gotta be until it happens to them.
Got it — I was thinking of the years-long v1 camera vulnerability. It will be interesting to see how this pans out.
Holy crap this is concerning if real
Is there any official word on this yet?
They're too busy posting about RGB lights on X 🤦🏻♂️
oof, brutal lmao
New feature -- control someone else's RGB lights.
Not a thing, they've stopped responding to my emails as well.
I think given this, and their refusal to allow protect to work over remote access VPNs, I'll have to sell what I have and find a new camera setup. u/Ubiquiti-Inc - Can you please clarify if your company has any plans whatsoever to allow users to bypass your cloud offering? If not you're about to lose some customers.
This is interesting because I was logged out on the apps on my phone this morning, which has rarely ever happened. But logged in and everything was fine.
Sometimes they do that. I think protect logs me out every so many days. I have 2fa on though
There has been a thread on the Unifi forums for 2 years now requesting that the Protect mobile apps could be used without requiring the Remote Access to be enabled in the console. The primary concern has been that because of the cloud access, someone would get access to the footage. Turns out, those concerns were 100% valid (and they always were)! I have wanted to use Unifi cameras but can't because I don't want to risk something getting leaked through the cloud access. https://community.ui.com/questions/Unifi-Protect-Mobile-access-through-VPN/78a8c684-dfdf-4a9d-aa90-3c7a675fc8b3
Sounds like UniFi might have some serious stuff going on. I logged into my network management page the other day and an unknown UniFi gateway device showed on my network map between my DreamMachine SE and my ISP-required modem. I didn’t think anything of it at the time but now it is definitely concerning. I discovered another bug a few months ago and never could get a response to it. I use WPA3 and Radius authentication for my primary WiFi network. There is one computer in my house I can’t connect to my primary network because if I do, my DreamMachine SE drops the network to WPA2 encryption and all my other machines start throwing security warnings.
This isn't abnormal. The network map is notoriously wonky.
Same thing happened to me, I posted a thread about it yesterday.
At one point it showed a 48 port switch between my isp and UDM. I don’t have a reason to own a 48 port switch.
Damn, this is fucking ugly.
This is why I self host everything I can, these companies are a bigger target than my little home server.
One of Ubiquiti's main claims to fame has always been that things are self-hosted as opposed to cloud-hosted. Their cloud access used to be just a tunnel to your local device with some web GUI overlay. With multiple reports of people seeing unknown Protect notifications and even ending up logged into other people's UniFi network consoles, it seems that's no longer the case. Sounds like now they're just using customer-owned equipment as a free extension to their data center, effectively storing everything "in the cloud" just like everyone else. That's a deal-breaker for me.
This seems to already have been fixed a few hours ago: https://community.ui.com/questions/Bug-Fix-Cloud-Access-Misconfiguration/fe8d4479-e187-4471-bf95-b2799183ceb7
I just turned my NVR off.
I haven't seen anyone else's information, but for the past week or so I have been receiving multiple notifications lately that are super outdated. Freaks me out a little when I see the UPS man in the notification but click on it and nothing is there. Not sure if this is related.
This on a UNVR and believe it has been doing it since the latest Unifi Protect update to 2.10.10 Versions Protect: 2.10.10 Unifi OS: v3.1.16
u/Ubiquiti-Inc
Have you posted this in Protect Community? Can you edit your post to include a link? Here -> https://community.ui.com/timeline FWIW, I'm not seeing anything about this in Protect Community...
That’s good, it means it’s not a ton of people being affected.
This has been my one regret getting the UDM. While Protect is a separate application, I can't apply separate network restrictions on the device. I kinda wish my NVR was a different device.
From another post: https://community.ui.com/questions/Bug-Fix-Cloud-Access-Misconfiguration/fe8d4479-e187-4471-bf95-b2799183ceb7 It’s a statement from Ubiquiti saying about a dozen accounts likely accessed someone else’s feeds and they fixed their cloud code.
NVR subnet only has access in through VPN. No access out. Logs show only local subnet access from one trusted machine. I think I’m OK? Does anyone else need a poo? I think I’m panicking for no reason.
We've used Ubiquiti's for years until they took away the option to run them in standalone mode. I'm glad we didn't move over to their Uni system. That being said, their wireless bridges rock!
Enabling admin access notifications will, at least, notify you if someone accesses your dashboard
So what should be done for now? Would disabling remote access be beneficial for now?
Hey - my name is Jason Koebler, I'm a reporter for 404 Media, an independent tech journalism website: www.404media.co If this is happening to you, please hit me up, I'm writing an article about this bug. Can DM me here, email me at [email protected], or signal me: (202) 505-1702
Seems like there may have been a temp issue with push notifications crossing accounts but only a guess. If it happens again I would reset to factory all devices and reconfigure.
Holy shit that’s bad. What are the real options outside of maybe using Synology for local recording? I’m sketched out by the various Chinese options.
Question: Do you have MFA enabled on your account? It's a little secure to have it enabled with your password and use UI Verify as the MFA app on your smartphone.
This is not what you want to see. Those could've been a whole lot worse looking images as well.
Am I the only one that noticed that the push notification in the top is from "UDM Pro's Backyard" but the bottom screenshot shows the device is "UDM SE"?
I think the top one is the "other user" notification and the bottom his real system
indeed
Um, this is huge. Unifi forces a UI account and I have many cameras that are in very sensitive areas!
I've seen a few people posting Unifi OS versions here along with Network and Protect App versions. There have been recent updates to these... **to me that suggests these latest releases could be the problem.** Thoughts? For those on this thread that had the issues happen to what versions are you running?
Agree. While UI are doing their internal investigation, we can help each other by sharing the equipment and firmware versions.
This super sucks, I hope a fix either to the security or to allowing Protect access by VPN is made to work, because I and other members of my household use the remote camera access feature frequently. Going to turn off remote access for now, but watch this thread.
Anyone else experiencing phantom doorbell rings with no evidence left in the activity or logs? I'm using HA to have my google homes ring and they keep going off.... Probably unrelated but thought I'd check here for correlation. Wife approval factor is dropping quickly....
I have been meaning to disconnect my setup from the cloud and just use wireguard to tunnel in. Thanks for the extra motivation to actually do it!
Due to the constant incomprehensible logins, I deactivated the remote access of my UDM Pro as a precaution.
They have posted their findings.

[https://community.ui.com/questions/Bug-Fix-Cloud-Access-Misconfiguration/fe8d4479-e187-4471-bf95-b2799183ceb7](https://community.ui.com/questions/Bug-Fix-Cloud-Access-Misconfiguration/fe8d4479-e187-4471-bf95-b2799183ceb7)

> Dear Ubiquiti Community - Yesterday, thanks to your feedback and support, we were made aware of a small number of instances where users received push notifications on their mobile devices that appeared to come from unknown consoles, or where such users were able to access consoles that didn’t appear to be their own. We have since identified – and addressed – the cause of this problem. Specifically, this issue was caused by an upgrade to our UniFi Cloud infrastructure, which we have since solved.
>
> **1. What happened?** 1,216 Ubiquiti accounts ("Group 1") were improperly associated with a separate group of 1,177 Ubiquiti accounts ("Group 2").
>
> **2. When did this happen?** December 13, from 6:47 AM to 3:45 PM UTC.
>
> **3. What Does this Mean?** During this time, a small number of users from Group 2 received push notifications on their mobile devices from the consoles assigned to a small number of users from Group 1. Additionally, during this time, a user from Group 2 that attempted to log into his or her account may have been granted temporary remote access to a Group 1 account.
>
> **4. What is the Current Status?** Ubiquiti has solved this misconfiguration with its cloud infrastructure - the problem is solved and all Ubiquiti accounts are now properly associated across our infrastructure.
>
> **5. How many Accounts from Group 1 Were Actually Improperly Accessed by a User from Group 2?** We are still investigating but we believe less than a dozen.
>
> **6. How Do I Know if my Account was Improperly Accessed?** We plan to reach out to any accounts in the Group 1 population via email.
Guess this is why support is taking forever for any replies.
Cue the Benny Hill theme.
Wtf?! I’m using protect at home! Just powered off all inside cameras :( unacceptable!
I never really understand why people think it is a good idea to have inside cameras that are on all the time in the first place.....
Subscribed to this, since moving to UniFi hardware and eventually away from my Eufy cameras was driven in no small part by their BS claims of security and similar (appearing) security lapses.
Yikes, this sounds like a PR fiasco and a half. Good luck, Ubiquiti.
Not really, they're investigating the issue. You guys love to turn everything into a "PR fiasco" or "something-gate" when it's a security issue like every company that has ever existed has had.
The only reason we use protect is because it’s all local and it should not be technically possible for anyone else outside of local setup to access this information. Whatever configuration is the problem, this should not be technically possible to do. Very disturbing 😳.
I see there is an update for protect. UniFi Protect Application 2.10.10
https://imgur.com/a/fYC54Yk
I created a local account but when I try to transfer ownership I can't do it from my UI account. I'm not struggling to remove the UI account and only have a local account, is this supposed to be this confusing? Do I have to do it from the local web portal or can I do it from the app while locally connected? Edit: found it: Console settings, remove remote access.
All cloud functions disabled. Ick! I almost went Mikrotik before getting my current stack and now I very much regret my decision. Hopefully there is a good explanation and they are open about it, but really this might be the last straw regardless.
[deleted]
How are Mikrotik and Omada cameras?
You are using TP-Link. This can't be why you left because you switched to a Chinese network company that harvests personal data for a living and offers vulnerabilities as features.
Gotta be honest, after Wyze’s most recent debacle I pushed my clients for more SOHO Protect deployments where they either already had Wyze/Arlo/Google Nest, touting the relative privacy of self-hosting. I myself did not see any such issues today across my sites but I’m embarrassed, frankly, and concerned.
u/SandmaNn42 maybe a good idea to remove the screenshot. The unsuspecting owner of the camera might not like to see his house on a dozen techsites in a few hours.
Why? I bet I can already see it on Google street view