UISP - Security & Data Management
Overview
Readers will learn more about the various UISP security features such as certificates, encryption, and credential management, as well as how to export & delete data for security/compliance reasons.
Table of Contents
- Introduction
- UISP Server Ports, Certificates, and HTTP Headers
- Device Discovery and Connection
- UISP Login
- Data Storage
- Credentials Vault
- How to Export & Delete Data
- Telemetry & Error Reporting
Introduction
The security of the UISP console (server) and its users is one of the main design principles during the UISP development process. UISP uses double encryption for critical elements such as device communication, and will not store credentials unless strictly needed. A special bounty program was also created to help find any security issues in order to patch them as soon as possible.
UISP Server Ports, Certificates, and HTTP Headers
UISP Server Ports and Certificates
UISP will only communicate through encrypted channels (HTTPS and WSS), with one exception: HTTP port 80 is used by UISP exclusively for generating the built-in Let's Encrypt certificate. There is no easy way around this, since the Let's Encrypt servers need to reach TCP port 80 in order to validate that the certified domain really belongs to the machine generating the certificate. UISP strictly controls which cipher suites are enabled. We do not support the DNS challenge, since it is almost impossible to create a simple, user-friendly interface that can be set up for every DNS hosting provider.
If users supply their own certificate during UISP installation then port 80 is not used at all and can be completely closed. However, it is important to mention that there is a significant benefit of using the native Let's Encrypt certificate. With this setup, the user does not need to worry about the certificate's expiration date as UISP will refresh the certificate automatically.
All other HTTP (80) traffic is automatically redirected to HTTPS (443) in order to use the encryption of the HTTPS protocol. This applies to any custom HTTP(S) ports as well. Because of the redirection, the UISP user interface, API, and WebSocket cannot be accessed via plain HTTP.
It is also possible to set up a custom inform port in order to separate the UISP GUI from the communication channel to devices. The inform port is used by the devices to connect to the UISP server and is set to TCP port 443 by default. Separating the inform port from the GUI port will allow you to access the UISP GUI exclusively through a private network, while still allowing devices to communicate with it.
UISP HTTP Headers
HTTP headers are important for UISP security because they control several different browser options such as the location where the JavaScript is downloaded from, how it should run, and how certificates should be approached.
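The points above (plain HTTP must only answer with a redirect to HTTPS; the response headers decide where scripts may load from and how the browser treats the TLS connection) can be checked from the outside against any captured response. The following is an added example and not code from Ubiquiti or the UISP project: the page does not list the exact headers UISP sets, so the audit assumes the standard ones (Strict-Transport-Security for the certificate/transport policy, Content-Security-Policy for script origins, X-Frame-Options and X-Content-Type-Options as the usual companions), and the three sample responses are constructed, not captured from a real console.

```go
package main

import (
	"bufio"
	"fmt"
	"net/http"
	"strconv"
	"strings"
)

// Finding is one audit result for a captured HTTP response.
type Finding struct {
	Check string
	OK    bool
	Note  string
}

// AuditRawResponse parses a raw HTTP response (as captured with "curl -i") and
// checks the transport and header policy. overPlainHTTP marks a response fetched
// over http://, where the only acceptable answer is a redirect to https://.
func AuditRawResponse(raw string, overPlainHTTP bool) ([]Finding, error) {
	resp, err := http.ReadResponse(bufio.NewReader(strings.NewReader(raw)), nil)
	if err != nil {
		return nil, err
	}
	defer resp.Body.Close()
	h := resp.Header
	var out []Finding

	if overPlainHTTP {
		loc := h.Get("Location")
		redirected := resp.StatusCode/100 == 3 && strings.HasPrefix(loc, "https://")
		out = append(out, Finding{"http-redirect", redirected,
			fmt.Sprintf("status %d, Location=%q", resp.StatusCode, loc)})
		return out, nil // a plain-HTTP answer should carry nothing else
	}

	// HSTS: the browser keeps using HTTPS for max-age seconds, even for http:// links.
	maxAge := hstsMaxAge(h.Get("Strict-Transport-Security"))
	out = append(out, Finding{"hsts", maxAge >= 15552000, fmt.Sprintf("max-age=%d", maxAge)}) // 180 days

	// CSP: which origins may serve scripts and whether inline JavaScript may run.
	// Any wildcard is flagged, including wildcard hosts.
	csp := h.Get("Content-Security-Policy")
	scriptSrc := cspDirective(csp, "script-src")
	if scriptSrc == "" {
		scriptSrc = cspDirective(csp, "default-src") // script-src falls back to default-src
	}
	cspOK := scriptSrc != "" && !strings.Contains(scriptSrc, "*") &&
		!strings.Contains(scriptSrc, "'unsafe-inline'")
	out = append(out, Finding{"csp-script-src", cspOK, fmt.Sprintf("script-src %q", scriptSrc)})

	// Framing (clickjacking) and MIME sniffing.
	framed := h.Get("X-Frame-Options") != "" || cspDirective(csp, "frame-ancestors") != ""
	out = append(out, Finding{"frame-ancestors", framed, ""})
	nosniff := strings.EqualFold(h.Get("X-Content-Type-Options"), "nosniff")
	out = append(out, Finding{"nosniff", nosniff, ""})
	return out, nil
}

// hstsMaxAge extracts max-age from a Strict-Transport-Security value (0 if absent or unparsable).
func hstsMaxAge(v string) int {
	for _, part := range strings.Split(v, ";") {
		part = strings.TrimSpace(part)
		if strings.HasPrefix(strings.ToLower(part), "max-age=") {
			if n, err := strconv.Atoi(strings.TrimSpace(part[len("max-age="):])); err == nil {
				return n
			}
		}
	}
	return 0
}

// cspDirective returns the source list of one CSP directive ("" if not present).
func cspDirective(csp, name string) string {
	for _, d := range strings.Split(csp, ";") {
		fields := strings.Fields(d)
		if len(fields) > 0 && strings.EqualFold(fields[0], name) {
			return strings.Join(fields[1:], " ")
		}
	}
	return ""
}

// Failed lists the names of the checks that did not pass.
func Failed(fs []Finding) []string {
	var names []string
	for _, f := range fs {
		if !f.OK {
			names = append(names, f.Check)
		}
	}
	return names
}

// Constructed sample responses (not captured from a real UISP server).
const weakHTTPS = "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\nContent-Length: 0\r\nContent-Security-Policy: default-src *\r\n\r\n"
const goodHTTPS = "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\nContent-Length: 0\r\nStrict-Transport-Security: max-age=31536000; includeSubDomains\r\nContent-Security-Policy: default-src 'self'; script-src 'self'; frame-ancestors 'none'\r\nX-Content-Type-Options: nosniff\r\n\r\n"
const plainRedirect = "HTTP/1.1 301 Moved Permanently\r\nLocation: https://uisp.example.test/\r\nContent-Length: 0\r\n\r\n"

func main() {
	for _, c := range []struct {
		name, raw string
		plain     bool
	}{{"plain-http", plainRedirect, true}, {"weak-https", weakHTTPS, false}, {"good-https", goodHTTPS, false}} {
		fs, err := AuditRawResponse(c.raw, c.plain)
		if err != nil {
			panic(err)
		}
		fmt.Printf("%s: failed checks %v\n", c.name, Failed(fs))
	}
}
```

Running it reports no failed checks for the redirect and the hardened response, and four for the weak one (no HSTS, a wildcard script source, no framing restriction, no nosniff). To audit a live console, paste the output of `curl -i http://<host>/` and `curl -i https://<host>/` into the two raw strings.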
Device Discovery and Connection
Generic UISP Key
The most secure way to connect a device to UISP is to manually add the generic UISP Key to the device. This key contains the URL address of the UISP console (server) and a generic AES encryption key. The device will use the key to connect to the UISP server using the encrypted WebSocket protocol (WSS). All devices connecting to UISP will use both WSS and AES encryption, ensuring a double encrypted connection. All communication occurs through this secured channel, including the UISP Terminal that provides remote shell access, but does not use SSH to accomplish this.
UISP Untrusted Certificates
Another scenario where double encryption is important is when the UISP console (server) does not have a verified (valid) certificate and is accessible only through an IP address. Besides SSL, UISP will use another encryption system (AES 256 GCM) to ensure a system that is resilient to MITM attacks even when the certificate is not trusted.
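What the inner layer buys is easiest to see in code: an AEAD such as AES-256-GCM both hides the payload and rejects any frame that was altered in transit, so a party that manages to sit between device and console on an untrusted TLS connection still reads only ciphertext and cannot modify commands without the device noticing. The following is an added example and not Ubiquiti's implementation; the frame layout (random 12-byte nonce, then ciphertext and tag), the use of a device identifier as associated data, and the key generation are assumptions made for the demonstration, not UISP's actual wire format.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

const keySize = 32 // AES-256

// NewKey generates a 32-byte shared key (constructed here; the UISP key format is not on the page).
func NewKey() ([]byte, error) {
	k := make([]byte, keySize)
	if _, err := io.ReadFull(rand.Reader, k); err != nil {
		return nil, err
	}
	return k, nil
}

func newGCM(key []byte) (cipher.AEAD, error) {
	if len(key) != keySize {
		return nil, errors.New("key must be 32 bytes (AES-256)")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// SealMessage encrypts and authenticates plaintext under the pre-shared key.
// Frame layout: 12-byte random nonce || ciphertext || 16-byte GCM tag.
// aad (here a device identifier) is authenticated but sent in the clear.
func SealMessage(key, plaintext, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	// A nonce must never repeat under the same key; a fresh random one per frame is used.
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// OpenMessage reverses SealMessage. Any change to nonce, ciphertext, tag or aad
// fails the tag check, so a tampered frame is rejected instead of decrypted.
func OpenMessage(key, sealed, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize()+gcm.Overhead() {
		return nil, errors.New("frame too short")
	}
	nonce, ct := sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, aad)
}

// TamperDetected flips one bit of a sealed frame and reports whether OpenMessage rejected it.
func TamperDetected(key, sealed, aad []byte) bool {
	bad := append([]byte(nil), sealed...)
	bad[len(bad)/2] ^= 0x01 // somewhere in the ciphertext; any byte would do
	_, err := OpenMessage(key, bad, aad)
	return err != nil
}

func main() {
	key, err := NewKey()
	if err != nil {
		panic(err)
	}
	aad := []byte("device:demo-01") // constructed identifier
	sealed, err := SealMessage(key, []byte(`{"cmd":"get-status"}`), aad)
	if err != nil {
		panic(err)
	}
	pt, err := OpenMessage(key, sealed, aad)
	fmt.Printf("frame %x\nopened %q (err=%v), tamper detected: %v\n",
		sealed, pt, err, TamperDetected(key, sealed, aad))
}
```

The frame is what an observer of the WSS stream would see after stripping TLS: the nonce and device identifier are visible, the JSON is not, and the last check in `main` shows that flipping a single bit is caught by the tag rather than producing garbled plaintext.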
Remote Discovery
Manually inserting generic UISP keys into devices one by one is not practical, so UISP also allows you to add devices using the (remote) Discovery feature. This feature will automatically discover devices in a (remote) network and can automatically insert the generic UISP key after providing the device credentials.
This is one of only two occasions (the other being the UISP Terminal) when UISP asks for a device's credentials, which it then uses to connect via SSH or HTTPS. For security reasons, UISP discovery will not allow a device to connect if HTTPS is not enabled. The credentials are not saved during this process. After the initial connection is established, UISP inserts the key into the device and a new encrypted WebSocket is established for further communication. In summary, the initial connection is made by UISP, but subsequent communication is initiated by the device, with UISP assuming the role of the WebSocket server.
UISP Login
UISP Login Token
The security of the UISP user login process is based on a token that is sent through the A-Auth-Token header. This token also serves as protection against CSRF attacks. On older UISP releases, the user session timeout was fixed at 24 hours and extended in case of user activity. On newer versions, the timeout can be customized (from 30 minutes up to 30 days) in the Settings > Users > Edit Account section. While a user is active the token's validity is extended, for up to one month, after which it is necessary to log in again. Brute-force protection is built into UISP.
UISP User Roles
Currently, UISP supports two different user roles. The Admin role has full access to all features, whereas the Read-Only role cannot make any changes to the network or devices. You can specify a user as Read-Only in the Settings > Users section.
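The login section above describes four mechanisms that interact: an opaque token carried in a custom header (which doubles as CSRF protection, because a browser will not attach a custom header to a cross-site form post or image request), a configurable inactivity timeout, an absolute one-month cap on the session, and brute-force protection; the roles section adds an Admin/Read-Only distinction. The following is an added example that ties them together in one small session store. It is not Ubiquiti's code: the header name and the 30-minute to 30-day range are from the page, while the lockout policy (five failures in fifteen minutes), the 256-bit random token format, and the rule that Read-Only may only use non-mutating HTTP methods are assumptions made for the example.

```go
package main

import (
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
	"net/http"
	"sync"
	"time"
)

// Role mirrors the two UISP roles.
type Role int

const (
	RoleReadOnly Role = iota
	RoleAdmin
)

// Session is the server-side record behind one A-Auth-Token value.
type Session struct {
	User    string
	Role    Role
	created time.Time // login time; the absolute lifetime counts from here
	expires time.Time // sliding expiry, pushed forward by activity
}

const (
	maxLifetime   = 30 * 24 * time.Hour // after this a new login is required regardless of activity
	maxFailures   = 5                   // failed logins tolerated per account ...
	failureWindow = 15 * time.Minute    // ... within this window (constructed policy, not UISP's)
)

// SessionStore issues opaque tokens and enforces both timeouts and the failed-login budget.
type SessionStore struct {
	mu          sync.Mutex
	idleTimeout time.Duration
	sessions    map[string]*Session
	failures    map[string][]time.Time
}

// NewSessionStore takes the configurable inactivity timeout (30 minutes to 30 days).
func NewSessionStore(idle time.Duration) (*SessionStore, error) {
	if idle < 30*time.Minute || idle > 30*24*time.Hour {
		return nil, errors.New("idle timeout must be between 30 minutes and 30 days")
	}
	return &SessionStore{idleTimeout: idle, sessions: map[string]*Session{}, failures: map[string][]time.Time{}}, nil
}

// recentFailures prunes old entries and counts failures inside the window. Caller holds mu.
func (s *SessionStore) recentFailures(user string, now time.Time) int {
	kept := s.failures[user][:0]
	for _, ts := range s.failures[user] {
		if now.Sub(ts) < failureWindow {
			kept = append(kept, ts)
		}
	}
	s.failures[user] = kept
	return len(kept)
}

// Locked reports whether an account is currently over its failed-login budget.
func (s *SessionStore) Locked(user string, now time.Time) bool {
	s.mu.Lock()
	defer s.mu.Unlock()
	return s.recentFailures(user, now) >= maxFailures
}

// Login records the outcome of a credential check done elsewhere (e.g. a bcrypt compare)
// and issues a token on success. A locked account is refused even with valid credentials.
func (s *SessionStore) Login(user string, role Role, credentialsOK bool, now time.Time) (string, error) {
	s.mu.Lock()
	defer s.mu.Unlock()
	if s.recentFailures(user, now) >= maxFailures {
		return "", errors.New("account temporarily locked")
	}
	if !credentialsOK {
		s.failures[user] = append(s.failures[user], now)
		return "", errors.New("invalid credentials")
	}
	delete(s.failures, user)
	raw := make([]byte, 32) // 256 random bits: an opaque lookup key, not signed data
	if _, err := rand.Read(raw); err != nil {
		return "", err
	}
	tok := hex.EncodeToString(raw)
	s.sessions[tok] = &Session{User: user, Role: role, created: now, expires: now.Add(s.idleTimeout)}
	return tok, nil
}

// AuthenticateToken validates a token and, if valid, extends the sliding expiry
// without ever pushing it past the absolute lifetime.
func (s *SessionStore) AuthenticateToken(tok string, now time.Time) (*Session, error) {
	if tok == "" {
		return nil, errors.New("missing A-Auth-Token header")
	}
	s.mu.Lock()
	defer s.mu.Unlock()
	sess, ok := s.sessions[tok]
	if !ok || now.After(sess.expires) || now.Sub(sess.created) > maxLifetime {
		delete(s.sessions, tok)
		return nil, errors.New("session unknown or expired")
	}
	next := now.Add(s.idleTimeout)
	if limit := sess.created.Add(maxLifetime); next.After(limit) {
		next = limit
	}
	sess.expires = next
	return sess, nil
}

// Authenticate reads the token from the A-Auth-Token header; cookies are deliberately ignored,
// which is what makes a cross-site request without the header fail.
func (s *SessionStore) Authenticate(r *http.Request, now time.Time) (*Session, error) {
	return s.AuthenticateToken(r.Header.Get("A-Auth-Token"), now)
}

// Authorize applies the two roles: Read-Only may only use non-mutating methods.
func Authorize(sess *Session, method string) bool {
	if sess.Role == RoleAdmin {
		return true
	}
	return method == http.MethodGet || method == http.MethodHead || method == http.MethodOptions
}

func main() {
	st, _ := NewSessionStore(30 * time.Minute)
	now := time.Now()
	tok, _ := st.Login("demo-readonly", RoleReadOnly, true, now)
	req, _ := http.NewRequest(http.MethodPost, "https://uisp.example.test/api/devices", nil)
	req.Header.Set("A-Auth-Token", tok)
	sess, err := st.Authenticate(req, now.Add(5*time.Minute))
	fmt.Println("authenticated:", err == nil, "may POST:", err == nil && Authorize(sess, req.Method))
}
```

Two details are worth noting. The sliding expiry is capped at `created + maxLifetime`, so continuous activity cannot keep a session alive past the month the page describes; and the lockout is checked before the credential result is consulted, so a locked account cannot be used to confirm that a guessed password was correct.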
UISP Two-Factor Authentication
UISP supports Two-Factor Authentication (2FA) using the Google Authenticator app. There are 2FA applications for desktop computers available as well, but they are not recommended, as 2FA is most useful when it is placed on a completely separate device. When 2FA is set up, the user will need to log in to UISP with their credentials and enter the 6-digit security code provided by the Authenticator app. Even if the user's UISP credentials were somehow compromised, the intruder would also need access to the associated mobile phone in order to access the UISP account.
Follow the steps below to enable Two-Factor Authentication (2FA) for a UISP user account:
1. On a mobile device, download the Google Authenticator app for iOS or Android.
2. Navigate to the Settings > Users > Edit Account section and select Enable Two Factor.
3. From the app, select Add Account (+) and scan the provided QR code.
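The QR code in step 3 carries a shared secret, and the 6-digit code is a time-based one-time password (TOTP, RFC 6238) computed from that secret and the current 30-second step, which is why the app works without any network access. The following is an added example of the server side of that enrolment and verification, written from the RFCs; it is not Ubiquiti's implementation. The `otpauth://` URI layout is the format Google Authenticator scans, the issuer name "UISP" is an assumption, and the verification window (one step either side) is a common choice rather than anything the page states.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha1"
	"encoding/base32"
	"encoding/binary"
	"fmt"
	"net/url"
	"strings"
	"time"
)

const (
	totpDigits = 6  // the 6-digit code described above
	totpStep   = 30 // seconds per step; the Authenticator app default
)

var b32 = base32.StdEncoding.WithPadding(base32.NoPadding)

// NewSecret returns a fresh 160-bit shared secret, Base32-encoded as the app expects.
func NewSecret() (string, error) {
	raw := make([]byte, 20)
	if _, err := rand.Read(raw); err != nil {
		return "", err
	}
	return b32.EncodeToString(raw), nil
}

// ProvisioningURI is the otpauth:// URI that the enrolment QR code encodes.
func ProvisioningURI(issuer, account, secret string) string {
	q := url.Values{}
	q.Set("secret", secret)
	q.Set("issuer", issuer)
	q.Set("algorithm", "SHA1")
	q.Set("digits", fmt.Sprint(totpDigits))
	q.Set("period", fmt.Sprint(totpStep))
	return fmt.Sprintf("otpauth://totp/%s:%s?%s", url.PathEscape(issuer), url.PathEscape(account), q.Encode())
}

// hotp is RFC 4226: HMAC-SHA1 over the big-endian counter, dynamic truncation, modulo 10^6.
func hotp(key []byte, counter uint64) string {
	mac := hmac.New(sha1.New, key)
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], counter)
	mac.Write(msg[:])
	h := mac.Sum(nil)
	off := h[len(h)-1] & 0x0f
	bin := (uint32(h[off])&0x7f)<<24 | uint32(h[off+1])<<16 | uint32(h[off+2])<<8 | uint32(h[off+3])
	return fmt.Sprintf("%06d", bin%1000000)
}

// CodeAt is RFC 6238: the HOTP counter is the number of 30-second steps since the Unix epoch.
func CodeAt(key []byte, unix int64) string {
	return hotp(key, uint64(unix/totpStep))
}

// Verify checks a submitted code against the current step and one step on either side
// (clock drift), comparing in constant time. Rejecting a code that was already accepted
// inside its window (replay) is left to the caller's session state.
func Verify(secret, code string, now time.Time) bool {
	key, err := b32.DecodeString(strings.ToUpper(strings.TrimRight(secret, "=")))
	if err != nil || len(code) != totpDigits {
		return false
	}
	for _, skew := range []int64{0, -1, 1} {
		if hmac.Equal([]byte(CodeAt(key, now.Unix()+skew*totpStep)), []byte(code)) {
			return true
		}
	}
	return false
}

func main() {
	secret, err := NewSecret()
	if err != nil {
		panic(err)
	}
	fmt.Println("QR payload:", ProvisioningURI("UISP", "admin@uisp.example.test", secret))
	key, _ := b32.DecodeString(secret)
	code := CodeAt(key, time.Now().Unix())
	fmt.Println("current code:", code, "verifies:", Verify(secret, code, time.Now()))
}
```

The secret printed in the URI is the only thing the phone and the console share; it must be stored server-side with the same care as a password hash, since anyone holding it can produce valid codes.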
Data Storage
The login credentials of UISP users are stored and protected with bcrypt; user passwords are never saved in plaintext anywhere in UISP. UISP can also store device credentials in the Credentials Vault, described in the section below.
Credentials Vault
The UISP Credentials Vault feature can securely store device credentials. There is also an option to generate credentials for many devices at once through the Vault, which makes it a key component of UISP security. The Vault encrypts stored passwords with asymmetric encryption: a public key is used to write data and a private key, protected by a master password, is used to read it. The master password is generated automatically during the Vault creation process. The password generation feature is currently limited to devices that do not have multiple accounts.
It is currently necessary to store the Vault key file somewhere safe, but also readily available in order to unlock the Vault. The Vault key needs to be re-inserted every time the UISP server is restarted. The UISP Vault can be managed through the Settings > Credentials Vault section.
How To Export & Delete Data
Here we describe how an administrator can export or delete data from the UISP application.
Background
On May 25, 2018, the General Data Protection Regulation (GDPR) was enacted to strengthen personal data security in the EU and harmonize EU data protection laws. In addition to standardizing data privacy practices across the EU nations, the GDPR also imposes new requirements on all organizations that handle the personally identifiable data of EU citizens.
Exporting data from the Network module
To download specific client data:
- Open the Devices page in your UISP application, then select the Subscribers tab.
- Select the subscriber’s row from the listing to open their respective dashboard.
- Click the GDPR button located in the top-right corner of the subscriber’s dashboard to generate a tar.gz file containing their data.
This tar.gz file includes the:
- Client’s name, address, phone number, and email address.
- IP and MAC addresses of the devices associated with the subscriber.
Deleting data in the Network module
First, you will need to identify the devices and subscribers that are associated with the client. To do so, enter the client’s name or address into the Search field to see a list of all relevant devices.
To delete a device, click the ellipsis icon within its row and select Delete.
Once you’ve deleted your devices, you can also delete the subscriber record from the Subscribers tab. It is not possible, however, to delete a subscriber while there are devices assigned to it.
Exporting data from the CRM module
To export a client’s subscriber data to a CSV file:
- Go to the CRM > Clients page in your UISP application.
- Click Export in the top-left corner of the page.
This file will include the personally identifiable information of the client’s customers, including their:
- Full name, company name, home address, email address, and phone number(s).
- Invoice and payment information.
- Additional information associated with their ISP service, such as service plan duration.
Deleting data in the CRM module
Before you can delete a client from your CRM, they must be archived.
To archive a client:
- Go to the CRM > Clients page in your UISP application.
- Select the client(s) you want to delete, then click Archive. The process will take a few minutes to complete, but it will run in the background so you can continue working elsewhere in your CRM.
To delete an archived client:
- Click the Archive tab on the CRM > Clients page.
- Select the archived client(s) and click Delete.
Ongoing GDPR compliance measures
Our team continuously reviews our products and practices to ensure complete customer data security and full GDPR compliance. We will provide periodic updates about our ongoing compliance measures and continue to introduce new data protection features in order to maintain trust and transparency with our customers. We will also continue to monitor evolving GDPR guidance from regulatory bodies and adjust our actions accordingly.
If you have any questions about Ubiquiti’s GDPR compliance, or about how to improve your own, please reach out to us at dataprotection@ubnt.com.
Telemetry & Error Reporting
The UISP local application collects certain telemetry and error information and reports it to Ubiquiti for the purpose of improving the product and the user experience, as described in more detail under "Why are we collecting this data?" and "What data is reported?" below. The telemetry data used in the UISP local application is generated without common device identifiers (e.g. IP/MAC addresses) or personal information (e.g. email addresses). Standard sanitization filters are applied to the error reports to remove potentially sensitive variables and strings.
The purpose of the reports is to help us better fine-tune and improve UISP application performance for all users so that we can ensure that everyone gets the best possible experience from both Network and CRM modules. With this data, we can measure and optimize improvements and quickly identify and fix any regressions.
If you want to opt out of providing this information, telemetry and error reporting for both the Network and CRM modules can be disabled in Settings > UISP.
Note that the data sent differs by UISP module:
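The sanitization step mentioned above is the kind of filter an operator may want to reproduce locally, for instance to check what an error report would look like before enabling reporting, or to apply the same treatment to logs shared with a vendor. The following is an added example and not the filter UISP actually ships, whose rules the page does not list: it redacts IPv4, MAC and e-mail patterns in free text and drops context keys whose names suggest secrets, walking a JSON report recursively. The report it runs on is constructed for the example.

```go
package main

import (
	"encoding/json"
	"fmt"
	"regexp"
	"strings"
)

var (
	ipv4Re  = regexp.MustCompile(`\b(?:\d{1,3}\.){3}\d{1,3}\b`)
	macRe   = regexp.MustCompile(`\b(?:[0-9A-Fa-f]{2}[:-]){5}[0-9A-Fa-f]{2}\b`)
	emailRe = regexp.MustCompile(`[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}`)
)

// sensitiveKeys are dropped from error-report context outright, whatever their value.
var sensitiveKeys = []string{"password", "passwd", "secret", "token", "authorization", "cookie", "api_key", "apikey"}

func isSensitiveKey(k string) bool {
	k = strings.ToLower(k)
	for _, s := range sensitiveKeys {
		if strings.Contains(k, s) {
			return true
		}
	}
	return false
}

// RedactString replaces device identifiers and personal data in free text.
// E-mail goes first so that its domain is not later mistaken for anything else.
func RedactString(s string) string {
	s = emailRe.ReplaceAllString(s, "[email]")
	s = macRe.ReplaceAllString(s, "[mac]")
	s = ipv4Re.ReplaceAllString(s, "[ip]")
	return s
}

// Sanitize walks a decoded JSON value: strings are redacted, sensitive keys removed,
// objects and arrays handled recursively; numbers, booleans and null pass through.
func Sanitize(v interface{}) interface{} {
	switch x := v.(type) {
	case string:
		return RedactString(x)
	case []interface{}:
		out := make([]interface{}, len(x))
		for i, e := range x {
			out[i] = Sanitize(e)
		}
		return out
	case map[string]interface{}:
		out := make(map[string]interface{}, len(x))
		for k, e := range x {
			if isSensitiveKey(k) {
				continue
			}
			out[k] = Sanitize(e)
		}
		return out
	default:
		return v
	}
}

// SanitizeReport takes a raw JSON error report and returns the sanitized JSON.
func SanitizeReport(raw []byte) ([]byte, error) {
	var v interface{}
	if err := json.Unmarshal(raw, &v); err != nil {
		return nil, err
	}
	return json.Marshal(Sanitize(v))
}

// Constructed sample report; not real UISP output.
const sampleReport = `{"version":"1.0","error":"connect to 192.168.1.20 failed for admin@example.com (mac 00:11:22:33:44:55)","context":{"password":"hunter2","retries":3,"hosts":["10.0.0.5","10.0.0.6"]}}`

func main() {
	out, err := SanitizeReport([]byte(sampleReport))
	if err != nil {
		panic(err)
	}
	fmt.Println(string(out))
}
```

A filter like this is a backstop, not a guarantee: identifiers in unexpected formats (IPv6, hostnames that embed a customer name) pass through, so the safer design, which the page also describes, is to generate telemetry without such fields in the first place and to treat the filter as defence in depth for error traces.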
Network module
When the telemetry and error reporting is enabled, the following data is sent:
- UISP random ID, controller version, and uptime.
- UISP server hardware parameters.
- UISP settings.
- Device and system configurations and usage.
- The number of devices, sites, subscribers, and users.
- The number of active/disconnected devices and outages, sorted by device model and firmware version.
CRM module
When telemetry and error reporting is enabled, the following data is sent:
- Whether app keys are used and, if so, the date they were last used.
- Whether the mobile app is used and, if so, the date it was last used.
- The number of clients, organizations, invoices, jobs, and tickets.
- CRM random ID, version, last login date, device and system configuration, and usage.