Privacy-Related Inquires: GL DDNS and GoodCloud

Hi folks,

I have been lately experimenting with GL’s DDNS and GoodCloud. I have some concerns for these services and the way they are set up:

  • When you bind your modem to the, the password that is going to be used is the device serial number (S/N).

    • That’s fine. But I noticed there is another serial number that is called device_sn_bk. I tried to bind to the DDNS using it, but failed. So what is the use of this backup serial?! I am afraid that someone would use it to remotely login to my modem!
  • The other concern is that the username for binding to the DDNS is the device_id. Again, the device id has a prefix two characters. For example, a device from Greece would have its id like: grxxxxx. Where did these two chars came from? It seems to me they are the Country Code! If so, then some attacker who manages to find your modem can also identify your country!

NOTE: I also tried to bind to GoodCloud with the backup serial number but it did not work.

I hope we have clear answers form GL engineers so that we have more trust to use these great services!

  • The device_sn_bk is not used by the platform, it just generates the fields reserved by the system.
  • The prefix two characters of the Device ID are random characters and are not country code.

Can someone login to my ddns or goodcloud using the device_sn_bk ?

As for the device_sn, can someone brute force it to login to my account ?

  1. The SN of backup never used in GoodCloud.
  2. The device SN is not for login. We don’t use MAC/SN for any login operations.

I have one more thing to clarify: we have the device ID and the device SN, then how random is the serial number ? If someone knows my device ID (which is publicly known in goodcloud) how easily he can derive the serial number ?

But don’t you consider the bind process as a login or authentication?

We don’t use MAC/SN for user login operations, but had used it for bind process, need to check device info to authentication ilegal or not. The device can not be binded by user more that 1 person.

The serial number is generated completely independently of the device ID / MAC. So It is impossible.

1 Like