Users of Ubiquiti WiFi products are reporting that they are suddenly getting security camera footage, photos, and access to other people’s devices when logging into their own accounts. One user also noted that when they tried to log in to their own network, they were given access to 88 Ubiquiti devices from another user’s account.
“Security Issue: Cloud Site Manager presented me your consoles, not mine,” a post on the Ubiquiti forums posted under 24 hours ago reads. “Consoles” are internet-connected Ubiquiti products, which can be anything from WiFi routers to smart doorbells to office security card-reading systems to security cameras. That post notes that when the user logged in, “I was presented with 88 consoles from another account. I had full access to these consoles, just as I would my own. This was only stopped when I forced a browser refresh.”
On Reddit, a user in Germany described a “peculiar situation” in which “my wife received a notification from UniFi Protect, which included an image from a security camera. However, here’s the twist—this camera doesn’t belong to us.” UniFi Protect is Ubiquiti’s home security product. The user then published screenshots of several notifications and images from security cameras that they said they didn’t own.
Users in the comments said similar things happened to them in the last day: “When I navigated to inifi.ui.com this morning, I was logged into someone else’s account completely! It had my email on the top right, but someone else’s UDM Pro! I could navigate the device, view, and change settings! Terrifying!!”
In another thread, a user said “We had access to a user's system this morning. Not just push notifications. Looked like it was a person's business and home.” They posted a series of screenshots of security camera footage and access.
On the Reddit thread, the official Ubiquiti account posted that “this is not expected behavior,” and on the Ubiquiti forums, staff members have said they are looking into the apparent issue. But Ubiquiti has not acknowledged any larger problem beyond these individual users’ reports. In an email to 404 Media, Ubiquiti said it was doing a “review” but that it did not yet know what was going on: “We appreciate you waiting while we still gather information to provide an accurate assessment. We will follow up with a statement shortly after our review is complete.”
Update: After this article was published, Ubiquiti published the following explanation: “We were made aware of a small number of instances where users received push notifications on their mobile devices that appeared to come from unknown consoles, or where such users were able to access consoles that didn’t appear to be their own,” Ubiquiti said. “This issue was caused by an upgrade to our UniFi Cloud infrastructure, which we have since solved. 1,216 Ubiquiti accounts (“Group 1”) were improperly associated with a separate group of 1,177 Ubiquiti accounts (“Group 2”). During this time, a user from Group 2 that attempted to log into his or her account may have been granted temporary remote access to a Group 1 account.”
The lack of information has upset users, who have said that Ubiquiti’s immediate response has been inadequate given the potential severity of the issue.
Ubiquiti is a networking giant that sells a handful of different products used in millions of residential and commercial contexts. It sells security cameras, routers, network switches, smart door locks, phone systems, and many other products, all of which can be connected to and managed through a single integrated system. For example, someone can connect their security cameras, smart locks, wifi routers, and other online systems to a single piece of Ubiquiti hardware, and then can control all of these devices through a single login system called UniFi, which can be managed remotely through the internet.
This means Ubiquiti’s cloud necessarily holds potentially very sensitive access to security and surveillance systems, office and commercial access-control systems, home and commercial WiFi networks, and more, so an error in how accounts are associated with consoles can expose all of them at once.
Update: This article has been updated with additional comment from Ubiquiti.