Their popularity has encouraged more traditional router companies, like Netgear and Linksys, to follow suit with their own cloud-hosted or app-based options—though they’re still optional in most cases.

“The breach only means their data is now in the hands of another party, other than the vendor,” Dong Ngo, editor of Dong Knows Tech and former router reviewer for CNET, said in a direct message on LinkedIn. Ngo thinks mandatory cloud-based accounts are bad news for customer privacy and security, and has frequently cautioned his readers about the problems with cloud-based interfaces.

Want to Trust Your Router? Ditch the Cloud

The breach of Ubiquiti’s servers is a problem for customers because many of the company’s products require creating a cloud-based account. One example is the Dream Machine, a prosumer router the company released in 2019.

Ngo considers it a negative if a router he reviews doesn’t allow using a locally controlled alternative. He warns that network hardware relying on a mandatory cloud-based account leaves owners with no choice but to entrust their privacy and security to a third party, and limits a user’s options if a breach occurs.

What, then, is a security-conscious owner to do?

“Stick with the local web interface,” said Ngo. “Avoid using a mobile app.” The best option isn’t a premium router promising a robust cloud interface but, instead, a simple, inexpensive router with a local interface accessed through a web browser.

UniFi Fans Have Their Fears Confirmed

The breach of Ubiquiti’s cloud-based server hit a sore spot for fans, since the company had required owners of most devices to sign up for a Ubiquiti account during setup. The account is required to access the company’s UniFi platform, which controls the company’s routers and other networked products.

Ubiquiti’s latest statement, written in response to new allegations in a report published by security journalist Brian Krebs, was posted to its community forum on March 31. The statement repeats that incident response experts “identified no evidence that customer information was accessed, or even targeted.” Ubiquiti continues to work with law enforcement on identifying the attacker and claims to have “well-developed evidence.”

This only fueled the uproar on the company’s community forum, which serves as its main line of communication with customers. While the company says there’s no evidence that customer data was targeted or breached, Ubiquiti didn’t refute new allegations that it failed to keep proper logs of access to customer accounts on its cloud service.

A customer posting under the name Sonar made their disappointment clear, saying, “It’s extra salt in the wound that Ubiquiti has been trying to force cloud access down the throats of the poor folks [using UniFi products].” Others joined in, threatening to boycott future Ubiquiti hardware if the cloud-based account requirement isn’t dropped in future firmware updates.

The community post discussing Krebs’ report has received over 430 customer comments and 17,000 views. Another post asking that Ubiquiti make local accounts available has received 250 comments and over 12,000 views.

It’s unclear what Ubiquiti will do to regain the trust of fans. The company did not respond to Lifewire’s request for comment and has offered no response to customers in community threads discussing the breach.

The silence from Ubiquiti seems to confirm Ngo’s advice. A locally controlled router can certainly have vulnerabilities, but owners at least have options. Ubiquiti’s customers face a tougher choice: continue to trust the company and hope the problem isn’t as severe as alleged, or stop using its products entirely. This same choice awaits customers of other routers that rely on cloud-based accounts. Their simplicity and convenience may seem alluring, but the options facing users are anything but simple when the attached cloud service is breached.