How secure are GLiNET devices?

I think this is fair. At the same time I think the move you’re seeing toward zero trust architectures kind of reflects this. I mean, we’ve got Ubuntu 14.04 boxes still in the field that are EOL and won’t get another update - that haven’t been rebooted in almost 8 years. But we also have complete control over that software environment, over the firewalling in front of it, of the application stack, etc. We can push bespoke updates to core components (e.g. openssl) when we need to, because we can build it. And more importantly, we are constantly having to evaluate our threat profile and react to it because we are contractually required to.

But this is a pretty different situation than most people. And I think it’s also fair to say that something like Ubuntu core has a much more robust security apparatus behind it than OpenWrt. Heck, even something like buildroot or Yocto are more robust from that perspective. Where OpenWrt really excels is wireless devices - and I mean, it’s really second to none there. Like with all things, you just have to know what you’re getting into.

Would I trust the GL.iNet firmware to be secure? I would not. I would trust it to be feature rich, but that’s often at cross purposes with security. I would trust stock OpenWrt more. I would trust Ubuntu Core more still. But on some level I don’t trust anything, and I try to plan defenses in depth accordingly.

2 Likes

So what does that plan include if everything is untrusted? Would you say GL.iNet puts users at risk of security breaches, and if so, how do you expect them to be performed? By which I mean, do you think GL.iNet devices are more vulnerable to wifi hacking by someone physically nearby, or more vulnerable to exploits which could be loaded through a web browser in the wild?

That’s a little strong, right? I mean, there are only 4 billion IPv4 addresses. The number is large, but I doubt it’s billion(s).

Do Internet v1, v2, v3 and so on exist at different levels, or is it all mixed together? As in, would it be possible to shut down v1 and keep the others running?

Internet 1.0 is broadly construed as “everybody runs their own server.” Internet 2.0 is broadly construed as the centralization of a lot of services - think the move from personal self-hosted blogs to blogspot to Facebook / Meta. Web/Internet 3.0 is generally thought of as whatever the hell blockchain is supposed to do, which is… right.

This is a complicated question, right? Again, there are a few different aspects. For me, the biggest issues are:

  1. What are the default security settings? I linked the bad one I know about personally (signing the OpenVPN certs with SHA1 in 20 freaking 22 (!?!?!?!)). Is this catastrophic? I mean, no, not really. But it shows either really, really bad security awareness if it was unintentional, and if it was intentional it suggests that someone deliberately asked for the certificates on the device (which secure all OpenVPN traffic) to be weakened such that they could be compromised if needed. The bigger question to me is what are the other issues - intentional or unintentional - that I haven’t found yet because I don’t have the time to look. Signing certs with SHA1 is either sloppy, incompetent, or nefarious. And I don’t know which one it is.

  2. Look, GL.iNet is originally a HK company and I don’t have any reason to believe they are in bed with the PRC, but I don’t fully trust anything coming out of HK or CN at the moment security wise. Especially when there are lots of unaudited processes on the device. It may be totally fine, but I don’t assume that it is.

I doubt that “wifi hacking” is really a concern. I suspect the biggest issues are likely with XSS problems and bad default settings. Again, I haven’t done a full audit and I don’t know that anybody else has either. There are just so many things layered on there that haven’t been fully vetted and/or don’t really work right as is that I’d be hard pressed to slap a “Yup, totally fine!” label on it, especially from a security perspective.

2 Likes
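The check a practitioner would want after the post above is simply to look at what digest a certificate was actually signed with, and to see the corrected invocation side by side with the weak one. The script below is an added example written for this page; it is not code from the thread or from GL.iNet firmware. The file names under `$WORK` are its own; the real certificate paths on a router are not stated in the thread, so point `cert_sig_alg` at whatever certificate you export from the device.

```shell
#!/bin/sh
# Added example (not from the thread or the GL.iNet firmware): inspect the digest an
# X.509 certificate was signed with, flag MD5/SHA-1, and show the openssl invocation
# that produces a SHA-256 signature instead. Paths under $WORK are this example's
# own constructed demo files, not locations on any real router.
set -eu

# Print the signature algorithm name of a PEM certificate, as openssl reports it
# (e.g. "sha1WithRSAEncryption" or "ecdsa-with-SHA256").
cert_sig_alg() {
    openssl x509 -in "$1" -noout -text \
        | sed -n 's/^ *Signature Algorithm: *//p' \
        | head -n 1
}

# Exit status 0 if the algorithm name uses a digest that has no business in a
# certificate issued today (MD5 or SHA-1), 1 otherwise. String match on the
# openssl name; the authoritative answer is the OID, but this is what you grep for.
digest_is_weak() {
    case "$1" in
        *[Ss][Hh][Aa]1*|*[Mm][Dd]5*) return 0 ;;
        *) return 1 ;;
    esac
}

# Exit status 0 if the certificate file is signed with a weak digest.
cert_uses_weak_digest() {
    digest_is_weak "$(cert_sig_alg "$1")"
}

WORK=$(mktemp -d)
GOOD_CRT="$WORK/good.crt"
WEAK_CRT="$WORK/weak.crt"

# The corrected way to self-sign (or to sign a CA): ask for SHA-256 explicitly.
openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
    -subj "/CN=sha256-demo" -keyout "$WORK/good.key" -out "$GOOD_CRT" 2>/dev/null

# The weak setting the post describes: the same command with -sha1. Some OpenSSL 3
# builds (distro crypto policies) refuse to produce SHA-1 signatures at all, so that
# case is recorded rather than treated as a script error.
if openssl req -x509 -newkey rsa:2048 -nodes -sha1 -days 30 \
       -subj "/CN=sha1-demo" -keyout "$WORK/weak.key" -out "$WEAK_CRT" 2>/dev/null; then
    WEAK_AVAILABLE=1
else
    WEAK_AVAILABLE=0
fi

# Human-readable verdict for one certificate, as you would run it on an exported cert.
report() {
    alg=$(cert_sig_alg "$1")
    if digest_is_weak "$alg"; then
        echo "$1: $alg  <-- WEAK, reissue with SHA-256"
    else
        echo "$1: $alg  ok"
    fi
}

report "$GOOD_CRT"
if [ "$WEAK_AVAILABLE" = 1 ]; then
    report "$WEAK_CRT"
fi
```

A SHA-1 signed certificate is only exploitable if the peer accepts it, so the client-side mitigation is worth knowing too: OpenVPN 2.4 and later still accept SHA-1 signatures under their default `legacy` certificate profile, and adding `tls-cert-profile preferred` to the client config makes the client reject SHA-1 and sub-2048-bit RSA outright.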

Do not mock my use of the term wifi hacking!

A billion is not that big of a number. Gartner shows over 4 billion units in 2021. If we look at 1st gen iOS and Android numbers up to 2021, I think a billion outdated devices is somewhat conservative.

Add IoT devices that are a dime a dozen with wifi and cellular, and a polluted network is just what the kids get nowadays. It's just business.

Someone else will clean up the litter… Or just dump it all and never look back, with new networking infrastructure and/or network protocols being the future.

You really do not need to buy a new system to run pfSense or OPNsense. My last home router was much more powerful than anything GL.iNet sells, and it was free. It was an x86_64 box that I saved from going into the dumpster. All I added were a couple of cheap NIC cards. Almost any x86_64 system built in the last 10 years has more RAM, more storage, and faster CPUs than the products GL.iNet offers. The advantage for me in using GL.iNet routers is size, weight, and low power, as I use them as TRAVEL routers or as embedded systems/VPNs, and not as my home or business routers.

If I need another home router, it will be an x86_64 based system, as they just have a lot more resources, and there are a lot more choices in which OS/distribution to use for your router.

1 Like

Oh, going forward I wouldn’t dispute that at all. Internet of Shit, after all.

I’m just thinking outdated legacy internet 1.0 devices. 1B seems strong. I wouldn’t have a problem saying billions of insecure devices on the internet writ large today. I just don’t think there are a billion from that era (if for no other reason than that it’s hard to keep a device actually running for 10+ years).

Even something like starlink had the option to create a new network segregated from Internet 1.0. Infrastructure is getting easier.

Divesting from Internet 1.0 is actually quite easy.

Ding ding!

Pretty much anything from the past 5 years can easily push 1 Gbps via WireGuard or IPsec. Probably 300-500 Mbps OpenVPN to a single point. And a lot of people have a piece of hardware that could be repurposed laying around.

Now actually carrying that piece of hardware with you… different story :).

Don’t forget tablets. A billion mobile devices dumped in the trash and abandoned by their manufacturers with locked bootloaders still sounds conservative.

Even in 2007, I had a Palm Treo for work and a personal cellphone. Having multiple devices per user has always been common.

A decade is not a long time with technology. I still have a Samsung Tab 3 LTE from 2013 that boots and did not get any updates after 2 years of release. Had I been able to flash an AOSP ROM, I may have found a use for it besides using it as an IR remote. I can put a SIM in it and it will use band 12 and connect in 2023 with 4G on Android Jelly Bean.

I doubt Internet 1.0 gets any cleaner. If you got to enjoy the ISH, it was just good timing. The next gen will get to enjoy a similar experience with new infrastructure that is independent of Internet 1.0.

I mean, sure, I’ve got some old stuff too, but I don’t have a lot of it. I’ve got maybe 2 devices on my network (occasionally) from that era, out of 100? I’m a lot more concerned about my 50 connected light bulbs than I am my Samsung Galaxy Tab Pro 8.4 that hardly ever gets turned on. (Which is why they’re all stuck on their own VLAN with their own separate virtual router).

I think my bottom line would be - to channel my inner Orwell - that all systems are insecure, but some systems are more insecure than others.

It is and it isn’t. It’s a really long time if you want/need to support something. Which OS would you pick, right now, today, if you needed to update clients for a decade? It’s not so easy of a choice.

And look, I would absolutely acknowledge that it’s very difficult to feel good about your software supply chain in 2023. There are just too many packages you rely on for a final product - no matter what you do. You’ve got to trust somebody, somewhere, but there are a lot of places for things to go wrong. Heartbleed, log4j - there is no shortage of examples. I was lucky last time because we don’t have any Java exposure, but next time it could be Python and I’m the one screwed. Have I fully vetted every line of code in the two dozen plugins we use? Nope. Don’t have the time. Same goes for the bazillion Ubuntu packages I rely on. Staying on top of things is hard. You do the best you can and react when stuff goes wrong.

Fun times. Fun times.

Instead of software eating the world, it looks like it cannibalizes itself just fine without any user interactions.

I can’t disagree there.