How secure are GLiNET devices?

That is worrying. What would you say to be the latest model which can be considered as secure?

In GLiNET’s defence, most of the exploits involved there are Windows related which is why I hadn’t realised before. Exceptions being the more recent key expiry CVE - unlikely to ever be an issue outside of maybe enterprise use with former employees potentially still having access in certain circumstances.

The November PeerAPI DNS rebinding one however affects all platforms.
Security Bulletins · Tailscale
Looks like Openwrt has the patched 132.3 which is safe. [OpenWrt Wiki] package: tailscale. If you’re thinking of buying GLiNET products… I don’t mean to be so harsh - I really want to like them. Your ISP router won’t guarantee security, and you’ll miss out on the extra features. I would just rather have fewer features & have them be better maintained. As that isn’t always the case I’d get a stock OpenWrt compatible device as hansome suggested, that way at least you have the option if you change your mind. With my Slate & Brume’s closed-source drivers I can’t do anything except return them - an option I’m not sure exists.
[OpenWrt Wiki] Table of Hardware

1 Like

I know nothing will guarantee security but a router that receives periodic updates is surely more secure than one which doesn’t?

Is there any particular device you can recommend? And does OpenWrt have a web interface like gl inet does? I only own a tablet so can’t flash things and do command line terminal stuff

Edit: I’ve just checked here and this stuff seems unbelievably complicated so I’ve got no choice other than gl inet as they’re the only VPN router with a simple GUI. I’ll have to accept outdated security. My plan for purchasing changes every time I come on here so it’s probably best to just prepare for disappointment and buy whatever haha

As with many products, be prepared to be disappointed. I own several GL iNet routers, and although all are still supported, not one of them has received a released version of 4.x firmware, and they all are using OpenWrt 19.07 as the base firmware, which was declared End-of-Support in April 2022 and is no longer maintained or actively supported by OpenWRT. @alzhao in a post in early 2021 said that the 4.x firmware would be available by mid-2021, which I am still waiting for a released version for any of the routers I own. Since 19.07 is no longer actively supported, it is very hard to know if there are any current exploits in the firmware. Randomly, I have to reboot my travel routers, as they lock up from time to time.

Hardware wise, I have modified almost all my routers by adding a drop of epoxy to the micro-USB connector, as these connectors are known to shear off from normal use. This connector is only held to the circuit board with a small solder pad. Looking at both Amazon reviews and posts to this forum, people have had these connectors break while on travel, which should not happen on a device sold for travel.

My AR300M routers that I use as VPN servers have had to be modified, as I needed to support multiple VPN protocols, which is not a feature in pre 4.x firmware. This took hours of custom script writing and some interesting manual installation of some OpenWRT packages, but I now have small VPN servers running multiple VPN protocols on multiple ports, that reboot themselves daily, and have been very stable.

My general rule is not to purchase any GL iNet products that have not been on the market for at least a year, and to only purchase products that have a released version of OpenWRT (not just a snapshot version). Products that have a released version of OpenWRT just seem to work better for me.

Do I use their products, yes. Why? Because so far, I have not found anything better, but my newest product from them is an AR750S-EXT, and this probably will not change for some time.

1 Like

Thanks for getting back to me. I’m thinking of getting the AX1800 Flint, would you say it has been around for long enough to receive continual updates? My MangoV2 is still on 3.215

I mean… this is a much more complicated question, even if you don’t necessarily realize it. Some layers:

  1. Actual GL.iNet software - i.e., all of the stuff that GL.iNet has written themselves and the security defaults / bugs / what not thereof. None of this has been audited, as far as I’m aware, and there have been certain… issues… that might cause a reasonable person to question the general security defaults that are in place.

  2. OS-level patches in stock firmware. Few if any GL.iNet devices are updated with the latest greatest OpenWrt under the hood - and most aren’t even up-to-date on the latest builds of packages within their own firmware group. On one hand this sounds bad, but in reality it’s kind of par for the course for a lot of router setups. Remember that in the enterprise space taking down a router is a really big deal - you don’t want to do it unless you really have to. One of my biggest criticisms of a distribution like OPNsense is that they actually issue updates too frequently. I don’t want to have to reboot my stuff every two weeks to apply updates, especially if I’ve done a decent job of securing the rest of the stack. If there’s something critical, sure… but…

  3. Running stock OpenWrt. In some cases you can run stock OpenWrt on a GL.iNet router, and then you can just update to your heart’s content. If you want to. But there are costs associated with that, and it doesn’t necessarily improve your security posture.

  4. Do you actually have everything else locked down like you’re supposed to, which kind of doesn’t have anything to do with GL.iNet’s devices proper? Certainly running stock firmware is one of those things that opens up a lot of additional attack vectors.

If you’re really serious about security, an OpenWrt product is … maybe not what you ought to be looking at in general. If you are looking at an OpenWrt product and you’re really serious, I would recommend building your own firmware, from stock, and only including what you absolutely need, then making sure you’ve got a good environment set up to maintain all of that.

But honestly, I think that’s a bridge too far for most people. Make sensible security choices and do your best. Some choices are better than others, but in the consumer router space you’re probably not going to find somebody who is superior to everyone else (though you’ll find lots of choices who are inferior to the good players).

2 Likes

As OpenWRT has not released firmware for the AX1800, it’s too early for me to buy one. The only new GL iNet router to even have an OpenWRT snapshot build looks like the GL-A1300.

Thanks all for the replies.

I trust the stock OpenWRT on my Archer C7 V5 to be much safer than most consumer routers, given their constant updates and open source nature with lots of participants, and I don’t have suspicions that warrant compiling my own firmware from code.

It seems like GLiNet routers seem ideal for travel, but not what I’m looking for home security.

1 Like

What would be worth looking at?

So what do you plan to use?

pfSense and OPNsense would both be better choices, IMO. Even something from Ubiquiti would probably be better and certainly more polished than relying on stock OpenWrt builds.

Basically you can make OpenWrt work in a semi-secure way, but it requires a lot of upkeep on your own time (building, updating, etc.). There’s not a single team that’s really charged with overall experience and/or product, so what you get is kind of what you get.

2 Likes

I’m not sure if doom and gloom are all that productive in today’s technology environment.

Instead of router OS’s, we could substitute desktop OS’s and ask how secure is Ubuntu.

Ubuntu is always updated and has a thriving community. And… It’s not even close to zero bugs.

I do giggle somewhat at the personal security convo’s, but a quick glance at bleeping computers show how well many very well funded security teams are holding up in the same environment (ie. on Internet 1.0).

If we were to change the conversation to smartphones directly connected to the Internet (LTE, 5G NR, etc) with no form of security and with an always on connection, we could laugh at that glaring oversight in security, since you may in fact connect that to your internal LAN over wifi and bypass any/all firewall security from your router.

I agree with the input that less is more and lean has always been cool. The more you learn about the Internet, the more a population of 5.5 billion people is not very smart digital hygiene with always-on-connections.

I enjoyed the Internet in the 90’s when the “whole population” online was under 20 million worldwide. Fast-forward to 2023 with over 5 billion users worldwide and the difference is more than obvious.

There is more chatter of Internet 2.0, 3.0, 4.0, etc, but a population rebalance already seems like an obvious innovation. 2023 may be that year Internet 1.0 and all of its baggage gets left behind.

I’m sure network appliance vendors like GL.Inet will continue to thrive with all of the new innovation on the horizon.

3 Likes

I’ve just checked Amazon and you can’t get a pfsense or opnsense router for under £200 so I’ll have to stick with the gl inet bodges.

Thrive and produce good products are two different things though, most companies think having a wider range of products shows evidence of thriving whereas in reality they make more and more devices with no care toward maintaining them or even ensuring quality of performance. I wish I was young enough to have enjoyed the freedom of 90s internet, my earliest spectrum of digital time was the early 2000s with MSN messenger and Limewire lol.

We didn’t have disposable hardware and abandoned devices until 2008’ish with the advent of smartphones.

Being introduced to technology in that kind of environment was nothing like the information superhighway. I still see that fad as technology pollution, now that Internet 1.0 has billions of outdated devices that did not exist prior to 2008 and will never see another update again, ensuring a polluted environment for everyone connected to it.

Internet 2.0 is already a breath of fresh air as far as technology pollution is concerned.

1 Like

I think this is fair. At the same time I think the move you’re seeing toward zero trust architectures kind of reflects this. I mean, we’ve got Ubuntu 14.04 boxes still in the field that are EOL and won’t get another update - that haven’t been rebooted in almost 8 years. But we also have complete control over that software environment, over the firewalling in front of it, of the application stack, etc. We can push bespoke updates to core components (e.g. openssl) when we need to, because we can build it. And more importantly, we are constantly having to evaluate our threat profile and react to it because we are contractually required to.

But this is a pretty different situation than most people. And I think it’s also fair to say that something like Ubuntu core has a much more robust security apparatus behind it than OpenWrt. Heck, even something like buildroot or Yocto are more robust from that perspective. Where OpenWrt really excels is wireless devices - and I mean, it’s really second to none there. Like with all things, you just have to know what you’re getting into.

Would I trust the GL.iNet firmware to be secure? I would not. I would trust it to be feature rich, but that’s often at cross purposes with security. I would trust stock OpenWrt more. I would trust Ubuntu Core more still. But on some level I don’t trust anything, and I try to plan defenses in depth accordingly.

2 Likes

So what does that plan include if everything is untrusted? Would you say GL inet puts users at risk of security breaches and if so how do you expect them to be performed? By which I mean do you think GL inet devices are more vulnerable to wifi hacking by someone physically nearby or more vulnerable to exploits which could be loaded through a web browser in the wild?

That’s a little strong, right? I mean, there are only 4 billion IPv4 addresses. The number is large, but I doubt it’s billion(s).

Does internet v1 v2 v3 and so on exist at different levels or is it all mixed together? As in would it be possible to shut down v1 and keep the others running

Internet 1.0 is broadly construed as “everybody runs their own server.” Internet 2.0 is broadly construed as the centralization of a lot of services - think the move from personal self-hosted blogs to blogspot to Facebook / Meta. Web/Internet 3.0 is generally thought of as whatever the hell blockchain is supposed to do, which is… right.

This is a complicated question, right? Again, there are a few different aspects. For me, the biggest issues are:

  1. What are the default security settings? I linked the bad one I know about personally (signing the OpenVPN certs with SHA1 in 20 freaking 22(!?!?!?!)). Is this catastrophic? I mean, no, not really. But it shows either really, really bad security awareness if it was unintentional, and if it was intentional suggests that someone deliberately asked for the certificates on the device (which secure all OpenVPN traffic) to be weakened such that they could be compromised if needed. The bigger question to me is what are the other issues - intentional or unintentional - that I haven’t found yet because I don’t have the time to look. Signing certs with SHA1 is either sloppy, incompetent, or nefarious. And I don’t know which one it is.

  2. Look, GL.iNet is originally a HK company and I don’t have any reason to believe they are in bed with the PRC, but I don’t fully trust anything coming out of HK or CN at the moment security wise. Especially when there are lots of unaudited processes on the device. It may be totally fine, but I don’t assume that it is.

I doubt that “wifi hacking” is really a concern. I suspect the biggest issues are likely with XSS problems and bad default settings. Again, I haven’t done a full audit and I don’t know that anybody else has either. There are just so many things layered on there that haven’t been fully vetted and/or don’t really work right as is that I’d be hard pressed to slap a “Yup, totally fine!” label on it, especially from a security perspective.

2 Likes

Do not mock my use of the term wifi hacking!