Vulnerabilities: National Institute of Standards and Technology

The National Institute of Standards and Technology (US Government) lists a vulnerability in GL.iNet GL-AR300M firmware. See here.

In view of this, I have three questions:

  1. What assurances do we have as customers that later or other versions of GL.iNet firmware and/or software don’t have similar vulnerabilities and/or backdoors?
  2. What assurances do we have that GL.iNet is not an instrument of the Chinese Government, aka the Communist Party of China?
  3. What interdependent testing, with publicly available reports, has there been of GL.iNet products from a security perspective?

Well, I can’t answer for GL, but I can give my perspective.

The bug was from a very old firmware version, and it was actually found by a researcher that posted it here, if I remember correctly. It was reported by GL and fixed shortly after.

GL is actually Hong Kong based, with the factory in China. As with all companies, it’s not possible to say. They can switch on a dime. You as a user should protect your data. You can easily bypass any kind of spying using a VPN on the device, so that traffic through the router is secured, if you worry about that. GL also supplies the source code for the base system on GitHub, and if the user doesn’t want that either, there are binaries on the official OpenWrt site for most of the routers, and the user can compile it him/herself.

Hardware pictures, which are publicly visible, are available on the FCC site for most routers too.

This is fixed in v2.271 and v3.x