Privacy-Related Inquires: GL DDNS and GoodCloud

SpitzAX3000 · June 24, 2023, 9:35pm

Hi folks,

I have been lately experimenting with GL’s DDNS and GoodCloud. I have some concerns for these services and the way they are set up:

When you bind your modem to the glddns.com, the password that is going to be used is the device serial number (S/N).
- That’s fine. But I noticed there is another serial number that is called device_sn_bk. I tried to bind to the DDNS using it, but failed. So what is the use of this backup serial?! I am afraid that someone would use it to remotely login to my modem!
The other concern is that the username for binding to the DDNS is the device_id. Again, the device id has a prefix two characters. For example, a device from Greece would have its id like: grxxxxx. Where did these two chars came from? It seems to me they are the Country Code! If so, then some attacker who manages to find your modem can also identify your country!

NOTE: I also tried to bind to GoodCloud with the backup serial number but it did not work.

I hope we have clear answers form GL engineers so that we have more trust to use these great services!

yuxin.zou · June 25, 2023, 2:27am

The device_sn_bk is not used by the platform, it just generates the fields reserved by the system.
The prefix two characters of the Device ID are random characters and are not country code.

SpitzAX3000 · June 25, 2023, 3:24am

Can someone login to my ddns or goodcloud using the device_sn_bk ?

As for the device_sn, can someone brute force it to login to my account ?

clannad · June 25, 2023, 3:39am

The SN of backup never used in GoodCloud.
The device SN is not for login. We don’t use MAC/SN for any login operations.

SpitzAX3000 · July 3, 2023, 2:54pm

I have one more thing to clarify: we have the device ID and the device SN, then how random is the serial number ? If someone knows my device ID (which is publicly known in goodcloud) how easily he can derive the serial number ?

SpitzAX3000 · July 3, 2023, 2:54pm

But don’t you consider the bind process as a login or authentication?

clannad · July 4, 2023, 1:44am

We don’t use MAC/SN for user login operations, but had used it for bind process, need to check device info to authentication ilegal or not. The device can not be binded by user more that 1 person.

yuxin.zou · July 4, 2023, 1:56am

The serial number is generated completely independently of the device ID / MAC. So It is impossible.