Ubiquiti

Ubiquiti Inc. (formerly Ubiquiti Networks, Inc.) is an American technology company founded in San Jose, California, in 2003. Now based in New York City, Ubiquiti manufactures and sells wireless data communication and wired products for enterprises and homes under multiple brand names. On October 13, 2011, Ubiquiti had its initial public offering (IPO) at 7.04 million shares, at $15 per share, raising $30.5 million.

Products
Ubiquiti's first product line was its "Super Range" mini-PCI radio card series, which was followed by other wireless products.

The company's Xtreme Range (XR) cards operated on non-standard IEEE 802.11 bands, which reduced the impact of congestion in the 2.4 GHz and 5.8 GHz bands. In August 2007 a group of Italian amateur radio operators set a distance world record for point-to-point links in the 5.8 GHz spectrum. Using two XR5 cards and a pair of 35 dBi dish antennas, the Italian team was able to establish a 304 km (about 188 mi) link at data rates between 4 and 5 Mbit/s.

The company (under its "Ubiquiti Labs" brand) also manufactures a home-oriented wireless mesh network router and access point combination device, as a consumer-level product called AmpliFi.

Brands
Ubiquiti product lines include UniFi, AmpliFi, EdgeMax, UISP, airMAX, airFiber, GigaBeam, and UFiber. The most common product line is UniFi which is focused on home, prosumer, business wired and wireless networking. EdgeMax is a product line dedicated to wired networking, containing only routers and switches. UISP, announced in 2020, is a range of products for internet service providers.

airMAX is a product line dedicated to creating point-to-point (PtP) and point-to-multi-point (PtMP) links between networks. airFiber and UFiber are used by wireless and fiber Internet service providers (ISP), respectively.

Software products
Ubiquiti develops a variety of software controllers for their various products including access points, routers, switches, cameras, and locks. These controllers manage all connected devices and provide a single point for configuration and administration. The software is included as part of UniFi OS, an operating system that runs on devices called UniFi OS Consoles (UniFi Dream Machine, Dream Router, Cloud Key). The UniFi Network controller can alternatively be installed on Linux, macOS, or Windows, while the other applications included with UniFi OS such as UniFi Protect and UniFi Access must be installed on a UniFi OS Console device.

WiFiman is an internet speed test and network analyzer tool that is integrated into most Ubiquiti products. It has mobile apps and a web version.

U-Boot configuration extraction
In 2013, a security issue was discovered in the version of the U-Boot boot loader shipped on Ubiquiti's devices. It was possible to extract the plaintext configuration from the device without leaving a trace using Trivial File Transfer Protocol (TFTP) and an Ethernet cable, revealing information such as passwords.

While this issue is fixed in current versions of Ubiquiti hardware, despite many requests and acknowledging that they are using this GPL-protected application, Ubiquiti refused to provide the source code for the GNU General Public License (GPL)-licensed U-Boot. This made it impractical for Ubiquiti's customers to fix the issue. The GPL-licensed code was released eventually.

Upatre Trojan
It was reported by online reporter Brian Krebs, on June 15, 2015, that "Recently, researchers at the Fujitsu Security Operations Center in Warrington, UK began tracking [the] Upatre [trojan software] being served from hundreds of compromised home routers – particularly routers powered by MikroTik and Ubiquiti's airOS". Bryan Campbell of the Fujitsu Security Operations Center in Warrington, UK was reported as saying: "We have seen literally hundreds of wireless access points, and routers connected in relation to this botnet, usually AirOS ... The consistency in which the botnet is communicating with compromised routers in relation to both distribution and communication leads us to believe known vulnerabilities are being exploited in the firmware which allows this to occur."

2021 alleged data breach and lawsuit
In January 2021, a potential data breach of cloud accounts was reported, with customer credentials having potentially been exposed to an unauthorized third party.

In March 2021 security blogger Brian Krebs reported that a whistleblower disclosed that Ubiquiti's January statement downplayed the extent of the data breach in an effort to protect the company's stock price. Furthermore, the whistleblower claimed that the company's response to the breach put the security of its customers at risk. Ubiquiti responded to Krebs's reporting in a blog post, stating that the attacker "never claimed to have accessed any customer information" and "unsuccessfully attempted to extort the company by threatening to release stolen source code and specific IT credentials." Ubiquiti further wrote that they "believe that customer data was not the target of, or otherwise accessed in connection with, the incident."

On December 1, 2021, the United States Attorney for the Southern District of New York charged a former high-level employee of Ubiquiti for data theft and wire fraud, alleging that the "data breach" was in fact an inside job aimed at extorting the company for millions of dollars. The indictment also claimed that the employee caused further damage "by causing the publication of misleading news articles about the company’s handling of the breach that he perpetrated, which were followed by a significant drop in the company’s share price associated with the loss of billions of dollars in its market capitalization." The Verge reported that the indictment shed new light on the supposed breach and appeared to back up Ubiquiti's statement that no customer data was compromised.

In March 2022, Ubiquiti filed a lawsuit against Brian Krebs, alleging defamation for his reporting on their security issues. Both parties resolved their dispute outside the court in September 2022.

United States sanctions against Iran
In March 2014, Ubiquiti agreed to pay $504,225 to the Office of Foreign Assets Control after it allegedly violated U.S. sanctions against Iran.

Open-source licensing compliance
In 2015, Ubiquiti was accused of violating the terms of the GPL license for open-source code used in their products. The original source of the complaint updated their website on May 24, 2017, when the issue was resolved. In 2019, Ubiquiti was reported as again being in violation of the GPL.

Other
In 2015, Ubiquiti revealed that it lost $46.7 million when its finance department was tricked into sending money to someone posing as an employee.