Four ways Ubiquiti Networks is creatively violating the GPL

Four ways Ubiquiti Networks is creatively violating the GPL

Ubiquiti Networks is a company which makes long-range wireless equipment. Admittedly, you can do some pretty amazing stuff with it, but the company has a dark history of securities fraud, violation of U.S. sanctions, trademark and copyright lawsuits and software patents, which isn't as amazing.

In addition to this, they have been violating the GPL. However, because they did it creatively, most people don't know about it, and Ubiquiti still hasn't come into compliance.

Here are four ways that they have succeeded in making the violations hard to notice, and even harder to act upon.

1. Giving the appearance of compliance

'You can find the complete and corresponding source in the GPL archive.'

Ubiquiti had a website set up where you can download tarballs purportedly containing all GPL source for each and every firmware release. (I can't find it any more, but that doesn't mean that it isn't still there.) When you look through these tarballs, they appear to be complete, and there are build instructions which allow you to make your own custom firmware.

It's only when you look closer that you start to notice problems, such as...

2. Refusing to provide the source to their modified bootloader, even though they made changes that introduced security vulnerabilities

Security keys

Up until version 5.5.4 of Ubiquiti's airOS, the locally-modified u-boot bootloader contained a security issue - It was possible to extract the plain-text config from devices running the firmware, without leaving a trace. And the plain-text config contains unencrypted WPA/WPA2/RADIUS passwords.

Even worse than this security issue, was Ubiquiti's response to it. Namely, they:

  • Refused to provide the source code, even though u-boot is under the GPL
  • Didn't fix the security issue for a long time after it was publicly disclosed
To this day, Ubiquiti still has not provided the u-boot source code.
3. Providing source code to a version of Linux, just not the one that they actually ship, and hoping that nobody notices
Ubiquiti Source Ubiquiti Binaries
It would be natural to think that the binaries that Ubiquiti provides were compiled from the source code that Ubiquti provides. As it turns out, for a large number of their releases, the kernel source given does not correspond to the kernel in the official firmware images.

As evidence, consider that in version 5.5.4 of the AirMax firmware, the kernel was modified such that the MTD partitions would be read only, however this change cannot be found in the corresponding kernel patches or source.


Update: Some people have expressed doubt that this is done in the kernel, and could have been done in userspace. In response, I would like to note a violation that is easier to verify. ag7240-eth.ko is a binary-only kernel module contained in Ubiquiti's firmware. Instructions on how to confirm this are here.

Such practices make finding violations extremely difficult, and we can't know for certain that they haven't done this with anything else in the GPL tarball. It's possible that this was just a mistake, but remember that people have complained about this without much of a response.

And speaking of complaining...

4. Dragging out GPL code requests for months on end, then inexplicably going silent

Bureaucracy is a challenge to be conquered with a righteous
attitude, a tolerance for stupidity, and a bulldozer when necessary

In case you think that I am being mean to Ubiquiti by going public, please note that I have been trying to contact Ubiquiti for the past year about the issue of the u-boot source code. You can see my attempts here, here and here.

In fact, I even got a copyright holder of u-boot to ask for the source, and they still haven't provided it.

From my conversations with Ubiquiti, I have found that they claimed that it's alright to refuse to provide source code to GPL-licensed software if "This decision was taken with the security of the users in mind". Furthermore, my conversations were endlessly delayed by the supposed necessity to forward my query to another, unnamed, team.

And ultimately, the relevant team never responded, hoping that I would simply forget about it or give up.

However, if we want the GPL to retain its power, this is precisely what we cannot do. If you can spare a minute, please do any or all of the following so that we can retain the GPL's power to help the community:

  • Raise awareness - upvote it, send it to friends or write a blog post about it
  • Write to Ubiquiti requesting the source - their email addresses are support@ubnt.com and info@ubnt.com. You should try both.
  • Become a member of the Software Freedom Conservancy - they work to enforce the GPL and they need your support.
  • Send me an email telling me what you've done. My email address is riley@openmailbox.org

The image of the keys is Copyright Cantaloupe2 at English Wikipedia, CC BY-SA 3.0.
The image of Tux without glasses is Copyright Larry Ewing, Simon Budig and Anja Gerwinski, and can be used provided that attribution is given.
The image of Tux with glasses is Copyright Subcommandante at Wikimedia Commons, CC BY-SA 3.0
The bureaucracy quote photo is Copyright Ben Woosley, CC BY-SA 2.0.
The text was written by Riley Baird (me). I, Riley Baird, the copyright holder of the text on this webpage, hereby release this text into the public domain. This applies worldwide. In case this is not legally possible, I grant any entity the right to use this work for any purpose, without any conditions, unless such conditions are required by law.