Ubiquiti Explained

Ubiquiti Inc.
Former Name:Ubiquiti Networks, Inc.
Type:Public
Traded As:
Russell 1000 Index component
Foundation:[1]
Location City:New York City
Location Country:United States
Founders:Robert Pera
Industry:Computer networking, energy
Products:Computer networking devices
Revenue: (2022)[2]
Operating Income: (2022)
Net Income: (2022)
Assets: (2022)
Equity: (2022)
Num Employees:1,377 (as of June 30, 2022)

Ubiquiti should not be confused with iBiquity.

Ubiquiti Inc. (formerly Ubiquiti Networks, Inc.)[3] is an American technology company founded in San Jose, California, in 2003.[1] [4] Now based in New York City,[5] Ubiquiti manufactures and sells wireless data communication and wired products for enterprises and homes under multiple brand names. On October 13, 2011, Ubiquiti had its initial public offering (IPO) at 7.04 million shares, at $15 per share,[6] raising $30.5 million.[7]

Products

Ubiquiti's first product line was its "Super Range" mini-PCI radio card series, which was followed by other wireless products.

The company's Xtreme Range (XR) cards operated on non-standard IEEE 802.11 bands, which reduced the impact of congestion in the 2.4 GHz and 5.8 GHz bands. In August 2007 a group of Italian amateur radio operators set a distance world record for point-to-point links in the 5.8 GHz spectrum. Using two XR5 cards and a pair of 35 dBi dish antennas, the Italian team was able to establish a 304 km (about 188 mi) link at data rates between 4 and 5 Mbit/s.[8]

The company (under its "Ubiquiti Labs" brand) also manufactures a home-oriented wireless mesh network router and access point combination device, as a consumer-level product called AmpliFi.[9]

Brands

Ubiquiti product lines include UniFi, AmpliFi, EdgeMax, UISP, airMAX, airFiber, GigaBeam, and UFiber. The most common product line is UniFi which is focused on home, prosumer, business wired and wireless networking. EdgeMax is a product line dedicated to wired networking, containing only routers and switches. UISP, announced in 2020, is a range of products for internet service providers.[10]

airMAX is a product line dedicated to creating point-to-point (PtP) and point-to-multi-point (PtMP) links between networks. airFiber and UFiber are used by wireless and fiber Internet service providers (ISP), respectively.

Software products

Ubiquiti develops a variety of software controllers for their various products including access points, routers, switches, cameras, and locks. These controllers manage all connected devices and provide a single point for configuration and administration. The software is included as part of UniFi OS, an operating system that runs on devices called UniFi OS Consoles (UniFi Dream Machine, Dream Router, Cloud Key). The UniFi Network controller can alternatively be installed on Linux, macOS, or Windows, while the other applications included with UniFi OS such as UniFi Protect and UniFi Access must be installed on a UniFi OS Console device.

WiFiman is an internet speed test and network analyzer tool that is integrated into most Ubiquiti products. It has mobile apps and a web version.

Security issues

U-Boot configuration extraction

In 2013, a security issue was discovered in the version of the U-Boot boot loader shipped on Ubiquiti's devices. It was possible to extract the plaintext configuration from the device without leaving a trace using Trivial File Transfer Protocol (TFTP) and an Ethernet cable, revealing information such as passwords.[11]

While this issue is fixed in current versions of Ubiquiti hardware, despite many requests and acknowledging that they are using this GPL-protected application, Ubiquiti refused to provide the source code for the GNU General Public License (GPL)-licensed U-Boot.[12] This made it impractical for Ubiquiti's customers to fix the issue.[12] The GPL-licensed code was released eventually.

Upatre Trojan

It was reported by online reporter Brian Krebs, on June 15, 2015, that "Recently, researchers at the Fujitsu Security Operations Center in Warrington, UK began tracking [the] Upatre [trojan software] being served from hundreds of compromised home routers – particularly routers powered by MikroTik and Ubiquiti's airOS". Bryan Campbell of the Fujitsu Security Operations Center in Warrington, UK was reported as saying: "We have seen literally hundreds of wireless access points, and routers connected in relation to this botnet, usually AirOS ... The consistency in which the botnet is communicating with compromised routers in relation to both distribution and communication leads us to believe known vulnerabilities are being exploited in the firmware which allows this to occur."[13]

2021 alleged data breach and lawsuit

In January 2021, a potential data breach of cloud accounts was reported,[14] with customer credentials having potentially been exposed to an unauthorized third party.

In March 2021 security blogger Brian Krebs reported that a whistleblower disclosed that Ubiquiti's January statement downplayed the extent of the data breach in an effort to protect the company's stock price. Furthermore, the whistleblower claimed that the company's response to the breach put the security of its customers at risk.[15] Ubiquiti responded to Krebs's reporting in a blog post, stating that the attacker "never claimed to have accessed any customer information" and "unsuccessfully attempted to extort the company by threatening to release stolen source code and specific IT credentials." Ubiquiti further wrote that they "believe that customer data was not the target of, or otherwise accessed in connection with, the incident."[16]

On December 1, 2021, the United States Attorney for the Southern District of New York charged a former high-level employee of Ubiquiti for data theft and wire fraud, alleging that the "data breach" was in fact an inside job aimed at extorting the company for millions of dollars. The indictment also claimed that the employee caused further damage "by causing the publication of misleading news articles about the company’s handling of the breach that he perpetrated, which were followed by a significant drop in the company’s share price associated with the loss of billions of dollars in its market capitalization." The Verge reported that the indictment shed new light on the supposed breach and appeared to back up Ubiquiti's statement that no customer data was compromised.[17] [18]

In March 2022, Ubiquiti filed a lawsuit[19] against Brian Krebs, alleging defamation for his reporting on their security issues. Both parties resolved their dispute outside the court in September 2022.

Legal difficulties

United States sanctions against Iran

In March 2014, Ubiquiti agreed to pay $504,225 to the Office of Foreign Assets Control after it allegedly violated U.S. sanctions against Iran.[20]

Open-source licensing compliance

In 2015, Ubiquiti was accused of violating the terms of the GPL license for open-source code used in their products.[21] The original source of the complaint updated their website on May 24, 2017, when the issue was resolved.[22] In 2019, Ubiquiti was reported as again being in violation of the GPL.[23]

Other

In 2015, Ubiquiti revealed that it lost $46.7 million when its finance department was tricked into sending money to someone posing as an employee.[24]

Notes and References

  1. Web site: Company . Ubiquiti Inc. . June 8, 2021.
  2. Web site: Ubiquiti Networks 2022 SEC Form 10-K.
  3. Web site: 2019-08-09 . UBIQUITI NETWORKS REPORTS FOURTH QUARTER FISCAL 2019 FINANCIAL RESULTS . live . https://web.archive.org/web/20191231082336/http://ir.ui.com/sites/default/files/2019-08/exhibit-99.1-6.30.19-8.8.19-final.pdf . 2019-12-31 . PDF . 2022-04-02 . "At the close of business on August 19, 2019, the company will legally change its name to Ubiquiti Inc. The last trading day on NASDAQ under the name Ubiquiti Networks, Inc. and the UBNT symbol is expected to be August 19, 2019.".
  4. News: Greenberg . Herb . Yet Another Controversy for Ubiquiti? . CNBC . June 12, 2012 . June 8, 2021.
  5. Web site: Witkowski . Wallace . September 18, 2017 . Ubiquiti shares hammered by Citron 'fraud' claim that contains little new evidence - MarketWatch . MarketWatch.com . November 29, 2017 . That may be a factor that led Ubiquiti's auditor, PWC, to cite a lack of internal controls in 2015, and an eventual staff clear-out that led Ubiquiti to move its headquarters from San Jose, Calif., to New York City and change auditors to KPMG..
  6. News: October 13, 2011 . Ubiquiti Networks IPO Priced To Work At $15? . December 22, 2012 . Seeking Alpha. Tillman . Trent .
  7. Web site: September 21, 2012 . Annual report for fiscal year ended June 30, 2012 . October 16, 2013 . Form 10-K . US Securities and Exchange Commission.
  8. Web site: World Record 304km Wi-Fi connection . August 27, 2007 . newatlas.com . December 22, 2012.
  9. News: Hands-on: Ubiquiti's Amplifi covers the whole house in a Wi-Fi mesh . Ars Technica . July 20, 2016 . December 1, 2016.
  10. Web site: Ubiquiti: UISP Is The New UNMS . McCann Tech . en-US . 29 December 2020 . 2021-01-24.
  11. Web site: Re: AirOS and Security: DUMP of configuration files with TFTP or other thing . July 16, 2014 . community.ui.com . May 9, 2017.
  12. Web site: GPL archive missing components . March 2, 2013 . community.ubnt.com . May 9, 2017 . dead . https://web.archive.org/web/20161209121418/https://community.ubnt.com/t5/airOS-SDK-Custom-Development/GPL-archive-missing-components/td-p/409238 . December 9, 2016.
  13. Web site: June 29, 2015 . Crooks Use Hacked Routers to Aid Cyberheists . Krebs on Security.
  14. Web site: Ubiquiti says customer data may have been accessed in data breach . 2021-01-19 . TechCrunch . January 11, 2021 . en-US.
  15. https://krebsonsecurity.com/2021/03/whistleblower-ubiquiti-breach-catastrophic/ Whistleblower: Ubiquiti Breach "Catastrophic"
  16. Web site: Update to January 2021 Account Notification . Ubiquiti, Inc. . March 31, 2021 . June 8, 2021.
  17. Web site: 2021-12-01. Former Employee Of Technology Company Charged With Stealing Confidential Data And Extorting Company For Ransom While Posing As Anonymous Attacker. 2021-12-03. www.justice.gov. en.
  18. Web site: Clark. Mitchell. 2021-12-01. Ubiquiti hack may have been an inside job, federal charges suggest. 2021-12-03. The Verge. en.
  19. Web site: Docket for UBIQUITI INC. v. KREBS, 1:22-cv-00352 - CourtListener.com . 2022-03-30 . CourtListener . en-us.
  20. https://www.lexology.com/library/detail.aspx?g=b60a9fc7-1d16-4193-8ab4-7b6e4b4d2aca "Ubiquiti Networks settles with OFAC for alleged violations of Iran sanctions"
  21. Web site: How Ubiquiti Networks Is Creatively Violating the GPL . Riley Baird . April 7, 2015 . LibertyBSD . April 30, 2017 . dead . https://web.archive.org/web/20170430232455/http://libertybsd.net/ubiquiti/ . April 30, 2017.
  22. Web site: N/A . Riley Baird . May 24, 2017 . LibertyBSD . December 12, 2017 . dead . https://web.archive.org/web/20170524235100/http://libertybsd.net/ubiquiti/ . 2017-05-24.
  23. Web site: When companies use the GPL against each other, our community loses . Denver Gingerich . October 2, 2019 . SFconservancy . December 21, 2020.
  24. Web site: Fraudsters duped this company into handing over $40 million . Fortune.com . August 10, 2015 . October 19, 2015.