
Reverse-engineering the UniFi inform protocol

This post dives deep into reverse-engineering Ubiquiti's UniFi inform protocol, revealing how a few unencrypted bytes enable a clever multi-tenancy solution for hosted controllers. The author's discovery of the MAC address in plain sight within the packet header transforms an economically unviable service into a profitable one. It's a prime example of how understanding low-level protocol quirks can unlock significant architectural and business advantages, resonating deeply with HN's audience of tinkerers and entrepreneurs.

Score 18 | Comments 5 | Highest rank #3 | 6h on front page | First seen Mar 9, 2:00 PM | Last seen Mar 9, 7:00 PM | Rank over time: chart not reproduced | 43571415

The Lowdown

The author recounts their experience running a UniFi hosting service, which, despite customer demand, was barely profitable due to the necessity of dedicated virtual machines for each client. The core problem was UniFi controllers' lack of built-in multi-tenancy, necessitating a complex routing layer.

The breakthrough came from reverse-engineering the UniFi inform protocol, the mechanism by which devices "phone home" to their controllers. The payload is AES-128-CBC encrypted, but the packet header is not, and that was the critical discovery:

  • The first 40 bytes of every inform packet are unencrypted.
  • Crucially, bytes 8-13 contain the device's MAC address in plaintext.
  • This design choice isn't a security flaw but a practical requirement: the controller needs to identify the device before decryption to fetch the correct per-device encryption key.
  • Leveraging this, the author built a simple ~200-line Go proxy. This proxy reads the MAC address from incoming packets, looks up which tenant it belongs to, and forwards the entire, untouched packet to the appropriate dedicated controller instance.
  • Other UniFi ports (web UI, STUN) were simpler to handle or internal, making the inform protocol the primary hurdle.
  • This method allows multiple customer controllers to share a single host, drastically reducing costs and making the hosted service economically viable.
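As an added illustration (not code from the post or from the author's ~200-line proxy), a minimal Go version of the routing step described above: it validates the cleartext header, pulls the MAC from bytes 8-13, looks the device up in a tenant table and replays the untouched body to that tenant's controller. The "TNBU" magic sitting at offset 0, the listen port, the 1 MiB body cap and the in-memory tenant table are assumptions made for this example.

```go
package main

import (
	"bytes"
	"fmt"
	"io"
	"net/http"
	"net/http/httputil"
	"net/url"
)

// Cleartext header: 40 bytes, MAC at bytes 8-13 (from the post); "TNBU" at offset 0 is assumed.
const headerLen, macOffset, macLen, informMagic = 40, 8, 6, "TNBU"
// InformMAC reads the MAC from the unencrypted header; the AES payload is never parsed.
func InformMAC(pkt []byte) (string, error) {
	if len(pkt) < headerLen {
		return "", fmt.Errorf("inform packet too short: %d bytes", len(pkt))
	}
	if string(pkt[:4]) != informMagic {
		return "", fmt.Errorf("inform packet: bad magic %q", pkt[:4])
	}
	m := pkt[macOffset : macOffset+macLen]
	return fmt.Sprintf("%02x:%02x:%02x:%02x:%02x:%02x", m[0], m[1], m[2], m[3], m[4], m[5]), nil
}
// TenantRouter maps device MACs to each tenant's controller (hypothetical in-memory table).
type TenantRouter struct{ ByMAC map[string]*url.URL }
// Route picks the controller for a raw inform packet; unknown devices are refused, not guessed.
func (r *TenantRouter) Route(pkt []byte) (*url.URL, error) {
	mac, err := InformMAC(pkt)
	if err != nil {
		return nil, err
	}
	if target, ok := r.ByMAC[mac]; ok {
		return target, nil
	}
	return nil, fmt.Errorf("no tenant owns device %s", mac)
}
// ServeHTTP buffers the inform POST, routes on its header and replays the body unchanged.
func (r *TenantRouter) ServeHTTP(w http.ResponseWriter, req *http.Request) {
	body, err := io.ReadAll(io.LimitReader(req.Body, 1<<20)) // 1 MiB cap (assumption)
	target, rerr := r.Route(body)
	if err != nil || rerr != nil {
		http.Error(w, "bad inform packet", http.StatusBadRequest)
		return
	}
	req.Body = io.NopCloser(bytes.NewReader(body))
	httputil.NewSingleHostReverseProxy(target).ServeHTTP(w, req)
}
// Stand-alone entry point; the inform listen port is an assumption.
func main() { _ = http.ListenAndServe(":8080", &TenantRouter{}) }
```

Because the proxy only reads the header, it never needs any tenant's AES key, and a device whose MAC is not in the table is rejected rather than forwarded to an arbitrary controller.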

This clever exploitation of a protocol's inherent design, though likely not intended by Ubiquiti for third-party multi-tenancy, illustrates how deep technical insight can overcome architectural limitations and transform business models. It's a testament to the power of understanding the underlying mechanics of networked systems.

The Gossip

Ubiquiti's Unpacked Initials

Commenters quickly picked up on a minor textual error in the original post regarding the "TNBU" magic string. They clarified that "TNBU" is "UBNT" backwards, not "UNBT," and that "UBNT" is Ubiquiti's ticker symbol and historical default login, likely short for "Ubiquiti Networks," predating the UniFi brand. The author graciously acknowledged the mistake and committed to updating the post.