Forced backup of configuration files onto cloud services - do you agree?

[lemonadesoda]

This week my Ubiquiti Dream Machine Pro offered a firmware update. Great. Always happy to have bugs squashed and new features added.

But I noticed something new: There is a new forced use of ubnt's cloud service in order to update firmware. You have to opt in: Enable Cloud Config Backup and have your config files uploaded to some unknown cloud service, in an unknown country, with unknown data protection, or you can't update the firmware. What?! Our company has a strict policy: NO data in the cloud, especially data that contains security profiles (configurations, usernames, passwords) etc. It is a dismissible offence to let protected data leave the building.

This is quite a problem. Not just in my case, but all cases where on-site hardware or applications FORCE the admin/user to send data to the cloud. Not only is this not giving the admin/user choice, but it seems to me to be in breach of EU-GDPR laws. Moreover, it adds a new attack vector. Config and security profiles are now sitting around on a cloud server somewhere, where you have no idea where it is, how it is being secured, who "has eyes on it" etc.

What do you think?

Oh, and don't tell me Sophos, Synology, Ubiquiti have never had security or data breaches!

 

[eidairaman1]

I wouldnt

 

[R-T-B]

Forced is the key word here I take issue with. I'm fine with cloud backup if it isn't forced.

 

[chrcoluk]

I can only see this poll going one way.

 

[Selaya]

Forced is the key word here I take issue with. I'm fine with cloud backup if it isn't forced.

and then all the idiots who are getting (chain-)pwned when, invariably the cloud server's getting pwnt will come crying

tbh, those guys just have to get pwnt once and then get sued out of the solar system for ensuing damages, but yea

 

[bobbybluz]

I don't trust anything I can't put a hand on when I feel like it, especially vital backup data. For some things I use two or three separate or external drives for redundant safety assurance.

 

[R-T-B]

and then all the idiots who are getting (chain-)pwned when, invariably the cloud server's getting pwnt will come crying

Cost of entry.

 

[thewan]

This week my Ubiquiti Dream Machine Pro offered a firmware update. Great. Always happy to have bugs squashed and new features added.

But I noticed something new: There is a new forced use of ubnt's cloud service in order to update firmware. You have to opt in: Enable Cloud Config Backup and have your config files uploaded to some unknown cloud service, in an unknown country, with unknown data protection, or you can't update the firmware. What?! Our company has a strict policy: NO data in the cloud, especially data that contains security profiles (configurations, usernames, passwords) etc. It is a dismissible offence to let protected data leave the building.

This is quite a problem. Not just in my case, but all cases where on-site hardware or applications FORCE the admin/user to send data to the cloud. Not only is this not giving the admin/user choice, but it seems to me to be in breach of EU-GDPR laws. Moreover, it adds a new attack vector. Config and security profiles are now sitting around on a cloud server somewhere, where you have no idea where it is, how it is being secured, who "has eyes on it" etc.

What do you think?

Oh, and don't tell me Sophos, Synology, Ubiquiti have never had security or data breaches!

If you are concerned about GDPR compliance, you wouldve thrown out all of your Ubiquity stuff a long time ago. They have already proven that they are not GDPR compliant in their forums to their own users. The fact that you still have your Ubiquity stuff phoning home without a care in the world shows you actually do not care about privacy and GDPR. Don't be a hypocrite please.

 

[lemonadesoda]

@thewan, hmmm, all diagnostics, logs, backups, error reporting, etc. are TURNED OFF. But you say this thing STILL PHONES HOME with user, password, config, data? That's bad news. No, I was not aware that with all cloud and phone-home settings turned off this thing was still doing it.

 

[Frick]

If you are concerned about GDPR compliance, you wouldve thrown out all of your Ubiquity stuff a long time ago. They have already proven that they are not GDPR compliant in their forums to their own users. The fact that you still have your Ubiquity stuff phoning home without a care in the world shows you actually do not care about privacy and GDPR. Don't be a hypocrite please.

If it's true they are not GDPR compliant, you should report them.

 

[Jacky_BEL]

These companies must think they can't be hacked.
Until they are hacked by someone smarter than them.

 

[lemonadesoda]

On 11.01.21, I got this email from Ubiqiuti.

Dear Customer, We recently became aware of unauthorized access to certain of our information technology systems hosted by a third party cloud provider. We have no indication that there has been unauthorized activity with respect to any user’s account. We are not currently aware of evidence of access to any databases that host user data, but we cannot be certain that user data has not been exposed. This data may include your name, email address, and the one-way encrypted password to your account (in technical terms, the passwords are hashed and salted). The data may also include your address and phone number if you have provided that to us. As a precaution, we encourage you to change your password. We recommend that you also change your password on any website where you use the same user ID or password. Finally, we recommend that you enable two-factor authentication on your Ubiquiti accounts if you have not already done so. Change Password Enable Two-Factor Authentication We apologize for, and deeply regret, any inconvenience this may cause you. We take the security of your information very seriously and appreciate your continued trust. Thank you, Ubiquiti Team

What I read here is this: ME----UBIQUITI----3RD PARTY CLOUD PROVIDER

So Ubiquiti isnt even providing the cloud services directly, but through a 3rd party.

What I perceive is this: ME---Attack Vector---UBIQUITI---Attack Vector---3RD PARTY CLOUD PROVIDER---Attack Vector / Data Sharing---nefarious data collecting intelligence agency.

 

[claes]

This might help you:

https://community.ui.com/questions/Dream-Machine-Pro-firmware-update-OBLIGATORY-use-of-Cloud-Backup-on-UnifiOS/1ab623f3-09d5-4f4f-958d-81884c4ed908#answer/65c36265-13b8-4a95-bae1-d6d904d36dfe

It seems like they’re forcing it because backups aren’t compatible, and maybe they do magic on their end to restore in case of a failure? Doesn’t make sense to me. Another option mentioned in the thread is to rebuild, but then of course you’ll have to configure from scratch

 

[ThrashZone]

Hi,
Yeah spooky the way this and operating system cloud auto uploading of personal files is being pushed so hard by ms and also cell phones to just to email or text a image lol

It's like a fishing expedition to find bad doers at the cost of everyone's elses privacy flushed down the nsa/.. drain.
The "well you have nothing to worry about if not a bad doer" is just a lame side to take seeing fighting the government local or federal with limitless resources is a loosing proposition for individuals

Some countries do have policies that information has to be stored on the same soil as the user but this is just so authorities has direct access to it and don't have to jump threw other countries jurisdictions protocols for access causing delays.

 

[Assimilator]

No, there is no justification for this. Even if we take the most charitable possible view that Ubiquiti is trying to help you in case the upgrade goes FUBAR, there's no justification for forcing the use of a cloud service over, say, a USB flash drive.

But this is where dumb companies are gonna be dumb companies, and fail both communications and UI design 101. Instead of imposing a decision that could be construed as unpopular on customers, you let them know about it beforehand so they can let you know that you're being a dumb company. And if you fail to do that, you at least put some information in the UI that's forcing that unpopular decision, to inform users about why it's necessary. Ubiquiti has managed to do neither of these things, which is dumb, dumb, dumb.

 

[lemonadesoda]

Thanks @claes , I'll try that.

 

[lemonadesoda]

@claes, the trick, hack, workaround, worked!

 

[claes]

Glad it did

 

[lemonadesoda]

ONE MONTH! after raising a ticket with Ubiquiti, I got the following recommendation:

Updating via SSH​

Note: SSH updating is not an officially supported process and may prevent your UniFi OS console from functioning. Only do this at the request of UI Support. It is only prescribed to work around specific scenarios, such as when:

• Prior traditional update attempts have failed. A successful SSH update will help verify if initial failures resulted from incorrect network configuration. For more details, see Troubleshooting Device Updates.
• Your UniFi Network device is not being discovered or cannot be adopted because it has been preloaded with outdated firmware.
• Your UniFI OS Console cannot be set up because it has been preloaded with an outdated version of UniFi OS.

UAP/USW (Internet)​

1. Copy the update link from community.ui.com/releases.
2. SSH into your device.
3. Run the following command: upgrade paste_download_link_here
   Example: upgrade https://dl.ui.com/unifi/firmware/UAL6/5.60.1.12923/BZ.mt7621_5.60.1+12923.210416.1641.bin

Other methods follow this link:​

https://help.ui.com/hc/en-us/articles/204910064-UniFi-Advanced-Updating-Techniques