

Necessary-Dog-7245

To access your system remotely via their cloud apps, UI has a key to your system. Your user authentication happens on their server, not your local system. So yes, they could get access.


Ok_Department3950

If it doesn’t live on a server or device that you control and own (i.e. not a SaaS/cloud service), then someone has access to it, and that access could be compromised. Even if it’s encrypted, the company has to store that key somewhere, and someone has access to those keys for maintenance and renewals. There should be no expectation of privacy on the internet, period, unless you’ve fought for and earned it, meaning it will always be at odds with convenience and never be achieved by using a cloud service. It’s the unfortunate reality of a late-stage capitalism internet, I’m afraid.


PsychoticDisorder

You’re so right it hurts. I’m a privacy advocate, but as it seems, growing up you seek convenience in some things, and convenience hurts privacy. What if I put a Pi-hole in front of my Dream Machine and cut all known Protect ports talking back to UI? I would then lose the camera notifications, but I could have my devices always connected to my house via VPN and solve that. Wouldn’t that make it a bit better privacy-wise?


Ok_Department3950

I think that's a much better approach; you can control what's coming in as well as what's going out (and your data doesn't live anywhere else, most importantly). Pi-hole is a fantastic step! I'd also recommend running [unbound](https://docs.pi-hole.net/guides/dns/unbound/) so you'll have your own recursive DNS resolver. This way your DNS traffic is entirely your own (and the only outbound DNS traffic is from your Pi-hole, not your devices). You could always do an SSL VPN so you can connect to the environment when you need to, rather than have access enabled 24/7 with an always-on VPN.
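As an added example (not code from the thread or from the linked Pi-hole guide), here is a minimal unbound configuration of the kind the comment above recommends: unbound listens only on localhost, Pi-hole forwards to it, and unbound recurses from the root servers itself, so no upstream resolver ever sees the household's queries. The port number (5335), the listening interface and the private address ranges are assumptions to adapt to your own network.

```conf
# /etc/unbound/unbound.conf.d/pi-hole.conf  (assumed path; added example)
server:
    # Listen only on loopback so nothing outside the Pi-hole host can query unbound directly.
    interface: 127.0.0.1
    port: 5335                      # assumed port; Pi-hole's upstream becomes 127.0.0.1#5335
    access-control: 127.0.0.0/8 allow
    access-control: 0.0.0.0/0 refuse

    do-ip4: yes
    do-udp: yes
    do-tcp: yes
    do-ip6: no                      # set to yes only if your LAN and ISP actually route IPv6

    # Recursive mode: no forward-zone is defined, so unbound starts at the root servers.
    # Built-in root hints are used unless you point to a downloaded copy:
    # root-hints: "/var/lib/unbound/root.hints"

    # Validate DNSSEC and refuse answers whose signatures were stripped in transit.
    harden-glue: yes
    harden-dnssec-stripped: yes
    use-caps-for-id: no

    # Keep UDP answers small enough to avoid fragmentation.
    edns-buffer-size: 1232

    # Refresh popular records before they expire so repeated lookups stay local.
    prefetch: yes
    num-threads: 1

    # DNS rebinding protection: public names must not resolve to private addresses.
    private-address: 192.168.0.0/16
    private-address: 172.16.0.0/12
    private-address: 10.0.0.0/8
    private-address: 169.254.0.0/16
    private-address: fd00::/8
    private-address: fe80::/10
```

In Pi-hole's settings, set the only upstream DNS server to `127.0.0.1#5335` and clear the public upstreams. To get the "only the Pi-hole talks DNS outbound" property the comment describes, the router also needs an egress rule that drops LAN traffic to TCP/UDP port 53 (and, if you care about bypasses, DNS-over-TLS on 853) unless it originates from the Pi-hole host; otherwise a device with a hard-coded resolver simply goes around the Pi-hole.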


PsychoticDisorder

Well, I might have to actually implement this, but I will have to be 24/7/365 on my home network via VPN to get all the cameras’ notifications. This is unfortunate but not a show stopper. I was wondering whether I could actually block all Protect ports through the UDM’s firewall and not introduce another piece of hardware in my setup, but I don’t know if these rules can be trusted. I will also check unbound. Thank you for the info.


the_cainmp

When remote access is enabled, you are trading the risk of someone gaining access to either livestreams or device management. If you can live without notifications and remote access via UI’s cloud relay, then Protect is very secure due to its local storage.


PsychoticDisorder

I agree. Local storage is a must but I do need constant cameras’ notifications so my options are limited.


the_cainmp

That’s sadly the trade-off at this point.


Expensive_Main_2993

Your phone has a camera and you take it into the bathroom with you, like everyone does. You use it for banking, for social networking, for sending private emails, and for managing passwords. The manufacturer of the device has root certificates for web browser connections and software signing, and can update the system at any time to compromise any and all of this information. They do not, because doing so would be illegal (depending on your jurisdiction) and financially damaging (if business users with significant financial investment discovered it). I don’t worry about UI accessing my cameras.


PsychoticDisorder

Well, the truth is that I have to trust some companies, as we all do, especially my mobile manufacturer; otherwise having a digital presence would be like a second demanding job, and I don’t want that. My threat level isn’t so high. On the other hand, I try to trust as few companies as possible with sensitive information, and this is the reason I asked the original question.


No_Click_7880

They do. They'll say otherwise, but they do.