Can You Or Can't You Unlock Linksys Devices?

By: VoIP Weblog

I want to take a moment to respond to Garrett Smith's response to the post I made yesterday about Linksys devices not being unlockable. Garrett is right: Linksys devices can be unlocked. However, that depends on how well the provider made use of the plethora of security mechanisms present in their devices. The sad truth is that most providers do not fully avail themselves of all of the security mechanisms.

How these device unlocking schemes work is quite simple: you set up a bogus DNS and configuration server. The bogus DNS ensures that the device pulls its configuration information, normally housed at the service provider, from the bogus configuration server instead. The device then loads a bogus configuration file, which basically tells it to "open up."

Did the provider pay Linksys the extra money to burn defaults in at the factory that would essentially cause the device to "relock" itself should it ever be factory reset, even if the device got unlocked? And if the provider went through all this trouble to lock the device, why didn't they bother to do it properly, using HTTPS provisioning with SSL certificate authentication? You have a much more difficult time spoofing a properly signed SSL certificate than anything else.
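A provider-side check for the two gaps named above, as an added example that is not from the original post or from Linksys. The profile keys (`provisioning_url`, `verify_server_cert`, `factory_defaults_customized`) and the sample profiles are hypothetical and constructed for illustration.

```python
from urllib.parse import urlsplit

# Constructed sample profiles; key names are hypothetical, not real device parameters.
FLEET = {
    "weak": {"provisioning_url": "tftp://prov.example.net/device.cfg",
             "verify_server_cert": False, "factory_defaults_customized": False},
    "half": {"provisioning_url": "https://prov.example.net/device.cfg",
             "verify_server_cert": False, "factory_defaults_customized": True},
    "hardened": {"provisioning_url": "https://prov.example.net/device.cfg",
                 "verify_server_cert": True, "factory_defaults_customized": True},
}

def audit_profile(profile):
    """Return (code, detail) findings for one provisioning profile."""
    findings = []
    scheme = urlsplit(profile.get("provisioning_url", "")).scheme.lower()
    if scheme != "https":
        # No server authentication: the device trusts whichever host DNS points to.
        findings.append(("unauthenticated-transport",
                         f"scheme '{scheme or 'none'}' cannot prove the server's identity"))
    elif not profile.get("verify_server_cert", False):
        # Encrypted, but any certificate is accepted, so the server is still unproven.
        findings.append(("unverified-https",
                         "HTTPS is used but the server certificate is not authenticated"))
    if not profile.get("factory_defaults_customized", False):
        # Without provider defaults burned in, a factory reset does not relock.
        findings.append(("no-relock-on-reset",
                         "factory reset does not restore the provider's locked settings"))
    return findings

def audit_fleet(fleet):
    """Map each profile name to its finding codes, skipping clean profiles."""
    report = {}
    for name, profile in fleet.items():
        codes = [code for code, _ in audit_profile(profile)]
        if codes:
            report[name] = codes
    return report

if __name__ == "__main__":
    for name, codes in audit_fleet(FLEET).items():
        print(f"{name}: {', '.join(codes)}")
```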

Bottom line: there is no guarantee that you can unlock a Linksys device. There's also no guarantee that once you "liberate" a locked Linksys device from a provider, it won't relock on you. If you really want an unlocked device, save yourself some headaches and go buy one. They're cheap enough. Do you agree?