UniFi OS Hacking

With the UDM / UDM Pro I’ve been regularly expressing disappointment that Ubiquiti is transitioning to a custom Linux distro that doesn’t have a package manager and doesn’t really have any provisions for persisting anything useful across reboots — particularly configuration changes and mechanisms to launch your own scripts.

With the second-stage transition to “UniFi OS” they’ve been moving more things into containers and it has now spread from the UDM Pro to the UNVR-4, which was previously running straight Debian with no containers.

Yesterday it was pointed out to me that “UniFi OS” isn’t merely a re-branding of the “UbiOS” the UDM debuted with. The unifi-os container is a full Debian environment. A quick investigation on my UDM Pro showed that I could enter the unifi-os container, apt install software packages, and make changes which persist across reboots. It would appear that all changes within the container are persisted via an overlay for / which goes to persistent storage on the host.

This is not at all how containers are supposed to be used, it is a gross violation of best practices… but it’s a foot in the door to using these devices in ways that Ubiquiti didn’t bless.
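A writable overlay that survives reboots is also where anything an intruder drops would survive, so the first thing I would want on a box like this is a way to see what actually lives in that layer. The following is an added example of my own, not code from the post: the mount sample and storage paths are constructed placeholders, and it assumes the upperdir path reported inside the container is reachable from a root shell on the host.

```shell
#!/bin/sh
# Audit helpers for a container whose root filesystem is an overlay.
# Constructed sample of /proc/mounts as seen from inside such a container;
# the storage paths are made-up placeholders, not values from the page.
SAMPLE_MOUNTS='overlay / overlay rw,relatime,lowerdir=/var/lib/containers/storage/overlay/l/LOWER,upperdir=/var/lib/containers/storage/overlay/EXAMPLE/diff,workdir=/var/lib/containers/storage/overlay/EXAMPLE/work 0 0
proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev 0 0'

# Read /proc/mounts-style lines on stdin and print the upperdir of the
# overlay mounted at "/" (prints nothing if / is not an overlay). The
# upperdir is the writable layer: everything in it survives a reboot.
# Note that the path it names is a host-side path, not one you can
# traverse from inside the container.
root_overlay_upperdir() {
  awk '$2 == "/" && $3 == "overlay" {
    n = split($4, opts, ",")
    for (i = 1; i <= n; i++)
      if (sub(/^upperdir=/, "", opts[i])) print opts[i]
  }'
}

# Run on the host against the upperdir: list what differs from the image.
# Regular files and symlinks are additions or modifications ("M");
# character devices are overlayfs whiteouts marking deletions ("D").
# Anything here you did not put there (a cron job, a service unit, a
# binary in /usr/local/bin) is persistence that deserves a look.
list_overlay_changes() {
  upper=${1%/}
  {
    find "$upper" \( -type f -o -type l \) | sed "s|^$upper|M |"
    find "$upper" -type c | sed "s|^$upper|D |"
  } | sort
}

# Live use: inside the container, `root_overlay_upperdir < /proc/mounts`
# gives the host path; on the host, `list_overlay_changes <that path>`.
```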

I’m super-disappointed that nobody seems to be exploring the unifi-os container in public. Google turns up nothing, there hasn’t been anything meaningful on /r/UniFi or ubntwiki.com. Probably all hidden on the Discord.

I don’t love UniFi Threat Management and neither should you

When Ubiquiti put out the first Beta releases of IDS / IPS, I was surprised by the overall excitement of the enthusiast community. People were snatching up $2,000+ USG-XG-8s just to be able to use this feature without slowing down their WAN. Cheaper line-rate IDS / IPS has been a major force behind the UDM / UDM Pro hype train.

I am far less enthused about IDS / IPS specifically and UniFi Threat Management in general.

My core issue: It’s Free.

Free is not inherently bad. I use lots of things that are free. Ubiquiti is built on lots of things that are free — VyOS, Linux, OpenWRT, hostapd. But security is different. Security is a process, not a deliverable.

Look at how Ubiquiti is offering security. Did they produce an IDS / IPS product? No, it’s just Suricata. Are they employing an army of security professionals to discover new threats, analyze alerts from their customers, produce new signatures? No, they’re just passing along the free rulesets that any Suricata user has the ability to use. Is Ubiquiti adding any value to Suricata alerts, such as making them easier to interpret or correlate? Heck no.

There’s a saying that if you’re not the customer, you’re the product. Does that apply here? Also, no. Enabling UniFi’s IDS/IPS isn’t passing any value back to the Open Information Security Foundation, the Suricata project, or any of their sponsoring organizations.

My other issue: What Ubiquiti is providing isn’t particularly good.

IDS / IPS: Suricata is purely signature based, like an antivirus program from 30 years ago… only worse. Most signatures are simplistic, prone to false positives, and the alerts they generate do not provide much context to decide whether they warrant further investigation or can be ignored. I’m not positive about this, due to the minimal information provided, but I think many of the alerts I’ve received are for traffic that the firewall was going to drop anyways.

There are many things Ubiquiti could be doing to add value to Suricata alerts — pruning rulesets and providing more context would be a great start — but that would require substantial investment.

Zeek (Bro) is generally considered better than Suricata, in that it’s focussed on flagging anomalous traffic instead of depending on signatures, but turning that into a user-friendly solution also requires significant investment.

DNS Filtering: I’ve previously written about this. In short, they’ve delivered an extremely simplistic filtering solution that depends on redirecting DNS traffic to an undisclosed 3rd-party. The manner in which they’ve implemented filtering is unsuitable for a broad range of common DNS scenarios and they’ve provided zero control beyond choosing from the 3rd-party’s three filtering options.

It’s not worth using. Use PiHole and / or OpenDNS at home. Subscribe to Cisco Umbrella for business filtering.

Network Scanners: The Endpoint Scanner is basically a point-in-time nmap. No history, no correlation with UniFi’s Client History data. The Internal Honeypot is also extremely simplistic — it seems to alert simply on connection attempts to particular ports.

GeoIP Filtering: Hey, it does exactly what’s expected! I wish it did more tho. In particular, I might like to drop traffic from some countries to particular ports (VPN-related) but not others (HTTP / HTTPS).

IP Reputation: Tor blocking and Restrict Access to Malicious IP Addresses do what they say, tho again, it’s unclear what the information source is and if 3rd-party disclosures are involved.

Missing Features: Competing Unified Threat Management solutions generally have features that Ubiquiti isn’t (yet) providing: A/V scanning, HTTP / HTTPS interception, email filtering, data loss (PII / PHI exfiltration) protection, integration with Network Access Protection / Network Access Control systems, and more.


At some level it’s great that Ubiquiti is making security tooling available to users with less technical expertise or budget. What’s not great is those are the demographics who will read the marketing and believe they’re getting much more than is actually being provided.

The Real MGP

UniFi Management Gateway Pro, that is. Who comes up with these names?


Freshly announced, ahead of being available for Early Access purchase, we have essentially a UDM Pro… minus the switch, minus the HDD bay, half the RAM… and no local controllers! Adopt it to your Cloud Key, cloud-provider, or self-hosted UniFi install.

It also has a built-in UniFi Smart Power Plug. I can understand why — reboot your Cable / DSL “modem” if the Internet goes down — but it’s just such an odd thing to integrate into what is otherwise a plain router.

I’m happy to see this, tho disappointed that it’s not in more of an ER-4 form-factor with an optional rack mount kit. Hopefully this is a sign that a smaller-but-equally-capable desktop unit will come eventually.

I’m also hoping that this is a sign that in the future it will be possible to disable all local controllers on the UDM / UDM Pro.

Update: They’ve tweaked the original post, now it’s “UniFi Managed Gateway Pro” and the UMG Pro will be the first of the “UniFi Managed Gateway Product Line.”

Update #2: Renamed again, UXG-Pro. If Ubiquiti is anything, it’s consistently inconsistent. 

Left the Discord, Permanently

I checked out of the Ubiquiti Discord for months around the time of my move, and when I came back everything had changed. More Channels. More Rules. More Mods holding everyone else to higher standards than themselves. And… the same old cliquish behind-the-scenes behaviors.

Basically a shitty sub-Reddit in chat form.

I tried to focus on the good and ignore the parts I didn’t like, but… ultimately I realized that I wasn’t getting anything out of my participation in the community beyond frustration.

So I said Adios.

USG-XG-8 is Dead

Ubiquiti has finally admitted that the USG-XG-8 is dead. The big problem with the USG-XG-8, aside from UBNT taking a solid year to produce decent firmware, is that UniFi just doesn’t play in that league. It’s forgivable that the USG and USG Pro sacrifice features for simplicity because they’re cheap and UniFi is awesome. The USG-XG-8 is not cheap and that makes it harder to ignore all the things it couldn’t do. Especially when the EdgeRouter version can do those things at a much lower price.

Good riddance!

My Favorite Black Friday Deal

I always get myself the best “Christmas” presents. I know me so well. This year, it’s a couple of Arcade1up cabinets from Walmart for $249/ea.


In my early 20s I got into collecting arcade cabinets for a minute. A 29″ Neo-Geo MVS 4-slot and mint 4-player Gauntlet were the highlights of my collection, but of course, what I really wanted was a Pac-Man cabinet. I was just never willing to pay the price for one that was in presentable condition.

Eventually I had to give up the collection. I’ve always wanted to get back into it, but… they’re just so big, and heavy, and difficult to move up and down stairs without several helpers.

Spotting the Pac-Man cabinet at Walmart literally made my Christmas. Even tho it was only Black Friday.

These Arcade1up cabinets are just 4′ tall and a mere 65lbs. Easy to shuffle around and I can man-handle them up and down the stairs all by myself. Assembly takes about 40 minutes with just a screwdriver. All the bags of parts are labelled so there’s no guesswork as to which type of screw gets used where and it comes with a bag of spares.

Obviously it’s not as solid as a 300lb cabinet made of 3/4-inch birch or MDF, but the construction is good enough for home use. I’ve no concerns that they’re going to fall apart.

I’ll be keeping the Pac-Man cabinet as-is for now, but I’ve already ordered the parts to convert the Street Fighter cab to a RetroPie MAME setup — basically it just needs an LCD controller board and a USB encoder for the controls.

And I suspect I might pick up another one or two…

Our Homestead

Before I start posting about all of my home networking projects, I should probably describe the home and property. This is it:

Satellite view of my property showing the main house, pool, and detached garage / apartment.

The lot is 1.5 acres, roughly 180×400 if it were perfectly rectangular, with the front of the house about 120′ from the road. The house itself is the standard 40×30 box on a crawl space, with another 25×30 of garage / utility room and bonus room above. An addition off the garage provides a larger living room with a high vaulted ceiling. There’s attic access in the main part of the house, knee wall access on either side of the bonus room, and from the back side I can reach the living room’s attic space. There’s also some attic above the bonus room but the a/c ducts leave no room to get in there.

There’s a detached garage that was converted to a 2-bedroom apartment and came with tenants who pay half my mortgage. It also has attic access.

There’s a pool house that is basically a glorified shed. There’s an open area in the middle with small rooms to either side. One had been a proper bathroom but at some point in the past vandals ripped out the copper pipes.

So that’s what I’m working with. I have plans to bring Ethernet and in-wall access points to several rooms, blast WiFi across as much of the outdoors as I can reasonably manage, use 60GHz PtMP gear as wireless backhaul links for all three structures, give my tenants their own access point in the apartment, and much more.

My next post will be about deploying the PtMP gear.

UniFi Protect moves away from self-installs

Much online rage has been spilled this weekend over UniFi Protect not being made available for self-installation. If you’ve not been paying attention, UniFi Protect is a new NVR platform from Ubiquiti. Presently Ubiquiti says that UniFi Video will continue to be developed and supported… but nobody expects this to continue for very long. Protect is the new hotness, and since Ubiquiti doesn’t charge for their software, it is unimaginable that they will continue putting resources towards two separate products that do the same thing.

Today, the only way to get Protect is on the UCK-G2-PLUS — which has just launched for $199 with an 8-core ARM SoC w/ 3GB RAM and an easily upgradeable 1TB 2.5″ hard drive. Support for the UAS-XG — an attractive but otherwise bog standard 1U server with a $1,999 MSRP — is coming soon.

People are miffed for a variety of reasons. The G2+ offers very limited storage options. The UAS-XG is a fair value compared to buying an equivalent server from an Enterprise vendor, but it’s incredibly expensive relative to DIY or other thrifty options. There’s presently no middle ground.

And with the UAS-XG being a standard Intel server running Ubuntu 16.04 LTS, there’s no technical reason that Protect can’t be offered for self-installs. Using Docker — as they’ve done with UNMS, and had alluded to providing for Protect during the Beta cycle — would greatly reduce the support challenges of providing self-installable software for Linux.


I’m not sure how I feel about this. I have 5 UVC-G3-Flex cameras that I have been planning to deploy on the G2+ w/ Protect, with the expectation that if I was happy with the platform over time I would replace 6 Ring Spotlights, 4 Amazon CloudCams, and probably add a couple more.

That’s all within the advertised capabilities of the G2+, but with its limitation of a single 2.5″ drive it won’t be able to meet my continuous recording retention targets. I happen to have a 2nd G2+ already so maybe this isn’t a total deal-breaker for me, if it turns out that I really love Protect, but right now I’m questioning if Ubiquiti’s camera platforms are worth the lock-in and premium pricing.

I already have an NVR server that is substantially more powerful than the UAS-XG, an unlimited camera license for Sighthound, and a bunch of Reolink cameras from my old house which are comparable in quality to the G3 Flex.

Automating the Home

Last Christmas the girlfriend asked for an Echo Dot. At the time I thought the regular Echo was ridiculously over-priced and the Dot just plain dumb — why can’t any of them act as a Bluetooth speakerphone?! — but I got her one anyways because who am I to judge spending money on silly gadgets.

At first she used it for reminders, timers, music, and audible books in the kitchen. Then she steadily expanded with another Dot in her bedroom, a Wink hub, some TP-Link outlets, and assorted smart bulbs to about a half-dozen lamps / fixtures in her home.

Now, for practically my whole adult life I’ve used a couple of cheap GE remote-controlled outlets for the lamps in my bedroom so that I’m not getting into bed in the dark or fumbling around for a lamp’s on / off switch. Every time I’ve looked into changing over to something more advanced I’ve felt it wasn’t worth the expense nor the hassle…

But the girlfriend’s setup has grown on me. HA products keep getting simpler and cheaper and Alexa’s capabilities keep expanding. The tipping point for me was Alexa Smart Home Device Groups and discovering the 8-pack of Sengled ZHA bulbs. The Sengleds have had coupons for 15-30% off for the holidays, bringing them as low as $6.50/ea — making it cheaper to upgrade my fixtures with smart bulbs than smart switches, plus saving me the hassle of messing with electrical wiring in a home that I’m not planning to live in much longer.

My hardware assemblage so far:

Originally I wanted SmartThings + Echo Plus figuring I wouldn’t be able to cover my house and detached garage / office / theater from one hub, but ST is doing the job just fine despite not being in the best position. I’ve deployed one of the Hue Color kits in the master bedroom and several Sengled bulbs in the office, with Echos for each plus another in the kitchen. Over my holiday stay-catation I’ll be deploying the rest — an Echo for each living space and bulbs in the most used fixtures / lamps.

I may still decide to wire in a few smart relays for my outdoor lights — getting them on a schedule is highly appealing, and they really demand local control that preserves automation. Best as I can tell, nobody makes outdoor-rated smart bulbs yet.

And maybe some motion sensors to activate the stairway and upstairs hallway lights.


Going through all of this, I find myself wishing that Ubiquiti hadn’t screwed the pooch on mFi. The vision was there… but they basically made every wrong decision possible when it came to execution. I hope they’ll take another crack at it some day while embracing open standards and connectivity.

Chromebooks May be Habit-forming

I’ve recently discovered Chromebooks:


Ok, it’s not like I just heard about them, but it was over the past few weeks that I realized they can serve a useful purpose.

  1. I needed a cheap portable serial terminal. Beagle Term and a cheap USB -> RJ45 serial cable fit the bill perfectly.
  2. I wanted a device to leave at my girlfriend’s for casual use. Never cared for Android tablets, didn’t want to spend real money on an iPad or a Windows tablet with a decent CPU. The Chromebook works nicely for this.
  3. The girlfriend’s kids have started 3rd grade and need access to a computer for school assignments. Was going to give them one of these Chromebooks… but she’d prefer they use something not portable and eventually I snagged a good eBay deal on an LG Chromebase instead.
  4. My mother needs access to a computer. For both her and the kids, giving them a computing environment that’s real difficult to screw up is high on the priority list. ChromeOS is perfect for this.

My Chromebook of choice is the Asus C300SA — 3lbs, 13.3″ screen, 4GB RAM, and a legit 10+ hours of battery life. The best part is that Amazon regularly offers reboxed returns at a low price, I’ve picked up four for $100-$115/ea.

Weak points are the sub-1080p display, non-backlit keyboard, and of course, the N3060 dual-core CPU (~989 CPU Mark score). Not gonna sugar-coat it, this thing strains under the load of 10-20 browser tabs I routinely have open… but it does far better than those cheap Windows tablets on Z-series Atom quad-cores.

Apps are also a weakness. For the kids and mom, the browser is all they really need. For myself… I need more, and I’m not real impressed with the selection and quality of what’s available in the Chrome Store in the categories I care about. I don’t want to go the Crouton / Linux route either, as that disables many of the security features of ChromeOS. I think I’d be happiest using the Chromebooks as thin clients to Windows. Guacamole and the various Chrome RDP clients haven’t been appealing to me from a UX perspective, so I’ll be digging into Horizon next.

Regardless, for $100-ish the Pros far outweigh the Cons. They’re not good enough to be my only PC, but they are good enough to be the only PC that I take with me.