is a company which makes long-range wireless equipment. Admittedly, you can do
pretty amazing stuff
with it, but the company has a dark history of
violation of U.S. sanctions,
trademark and copyright lawsuits
which isn't as amazing.
In addition to this, they have been violating the GPL. However, because they did it creatively, most people don't know about it, and Ubiquiti still hasn't come into compliance.
Here are four ways that they have succeeded in making the violations hard to notice, and even harder to act upon.
1. Giving the appearance of compliance
Ubiquiti had a website set up where you can download tarballs purportedly
containing all GPL source for each and every firmware release. (I can't find it
any more, but that doesn't mean that it isn't still there.) When you look
through these tarballs, they appear to be complete, and there are build
instructions which allow you to make your own custom firmware.
It's only when you look closer that you start to notice problems, such as...
2. Refusing to provide the source to their modified bootloader, even
though they made changes that introduced security vulnerabilities
Up until version 5.5.4 of Ubiquiti's airOS, the locally-modified
bootloader contained a
- It was possible to extract the plain-text config from devices running the
firmware, without leaving a trace. And the plain-text config contains
unencrypted WPA/WPA2/RADIUS passwords.
Even worse than this security issue, was Ubiquiti's response to it. Namely, they:
3. Providing source code to a version of Linux, just not the one that they
actually ship, and hoping that nobody notices
It would be natural to think that the binaries that Ubiquiti provides were
compiled from the source code that Ubiquti provides. As it turns out, for a
large number of their releases, the kernel source given does not correspond
to the kernel in the official firmware images.
As evidence, consider that in version 5.5.4 of the AirMax firmware, the kernel was modified such that the MTD partitions would be read only, however this change cannot be found in the corresponding kernel patches or source.
Update: Some people have expressed doubt that this is done in the kernel, and could have been done in userspace. In response, I would like to note a violation that is easier to verify. ag7240-eth.ko is a binary-only kernel module contained in Ubiquiti's firmware. Instructions on how to confirm this are here.
Such practices make finding violations extremely difficult, and we can't know for certain that they haven't done this with anything else in the GPL tarball. It's possible that this was just a mistake, but remember that people have complained about this without much of a response.
And speaking of complaining...
4. Dragging out GPL code requests for months on end, then inexplicably going
In case you think that I am being mean to Ubiquiti by going public, please note
I have been trying to contact Ubiquiti for the past year about the issue of
the u-boot source code. You can see my attempts
In fact, I even got a copyright holder of u-boot to ask for the source, and they still haven't provided it.
From my conversations with Ubiquiti, I have found that they claimed that it's alright to refuse to provide source code to GPL-licensed software if "This decision was taken with the security of the users in mind". Furthermore, my conversations were endlessly delayed by the supposed necessity to forward my query to another, unnamed, team.
And ultimately, the relevant team never responded, hoping that I would simply forget about it or give up.
However, if we want the GPL to retain its power, this is precisely what we cannot do. If you can spare a minute, please do any or all of the following so that we can retain the GPL's power to help the community: