Flaw In Netgear Wi-Fi Routers Exposes Admin Password, WLAN Details
An anonymous reader writes A number of Netgear home wireless routers sport a vulnerability that can be misused by unauthenticated attackers [here's the report at seclists.org] to obtain the administrator password, device serial number, WLAN details, and various details regarding clients connected to the device, claims systems/network engineer Peter Adkins. The vulnerability is found in the embedded SOAP service, which is a service that interacts with the Netgear Genie application that allows users to control (change WLAN credentials, SSIDs, parental control settings, etc.) their routers via their smartphones or computers.
Why would any novice (Score:5, Informative)
Re:Why would any novice (Score:4, Informative)
Isn't it easy enough to use dd-wrt or openwrt? I find the hard part to be installing it, if, like me, you try to install on random yard sale routers. I have a high success rate, but it has wasted a lot of time.
Re:Why would any novice (Score:5, Interesting)
I love DD-WRT and have used it for years, but I get the impression it's a fragile project. The bulk of the work seems to rest on the shoulders of one or two people who only have so much time. I have always preferred Netgear's hardware with DD-WRT on top of it, but Netgear's latest product line (which has a TON of different router models ... way too many, IMO) has only partial support from the DD-WRT project. Netgear's fanciest two routers, the R7500 and R8000, aren't yet supported. All we can do is sit and beg Brainslayer or Kong to spend time on them, but they've got a lot of irons in the fire.
I really wish Netgear would just give up on Genie and pay DD-WRT to support development and license it as their official firmware. Rebrand it or something if you want, but give us the power of a real firmware. I've used Genie lately on the R6100 and found it quite frustrating for anything fancier than a typical home wifi router use case. Security bugs like this only prove that they're failing to get it right on their own.
It makes sense that Cisco doesn't want their Linksys-branded routers to be too powerful, since it might hurt sales of fancier Cisco stuff, but what's Netgear's excuse?
Re:Why would any novice (Score:5, Interesting)
DD-WRT seems so splintered: A million different builds, of a million different versions, for a million different things.
For comparison, Tomato is more monolithic. When a new version is prepared for release, all of the different builds are updated to that version. The builds themselves are genericized as much as possible: All old Broadcom-based MIPS routers (think WRT54G) get the MIPSR1 release, for instance.
For everything else, there's OpenWRT.
For my own purposes, I'm sticking with Asus routers. It seems like solid kit, and they sell the same hardware for years and years without the sneakiness that Linksys and Netgear do with routinely completely changing the underlying hardware while keeping the same model number.
(Oh, and Belkin has owned Linksys for almost 2 years now.)
Re: (Score:2)
(Oh, and Belkin has owned Linksys for almost 2 years now.)
That explains Everything. Well...almost. Linksys had been at Belkin's quality level for a few years before that.
Re: Why would any novice (Score:2, Flamebait)
Hasn't that always been the case?
They struck gold with the WRT54G and WRT54GS (I still have a modded GS as a spare). But everything before or since has been garbage.
Their nics are garbage, their switches always suck, and their early routers largely didn't route.
Just sayin'.
Re: (Score:3)
OK - to be fair, while the WRT54G line was in production, I only used those. Never used anything else until they were done. Once the antenna was built-in rather than user-replaceable was the beginning of the end.
I did own a BEFSR41 before that and that was garbage, but I don't think I had even heard of DD-WRT then.
I've moved on to Asus (and Tomato) for now.
Re: (Score:2)
They struck gold with the WRT54G and WRT54GS (I still have a modded GS as a spare).
You added cooling, right? Forgive me if we discussed this recently and I forgot, ISTR a conversation like that. But I've even done that, albeit half-assedly, and it didn't help. I did make places for the air to come from and go, but I don't know how much air actually flowed across the sinks or if there were other components overheating. I didn't have an IR thermometer then.
I've had probably a dozen WRT54Gs, some of them GSes, and I think they pretty much suck too. They overheat reliably, that or their wall
Re: (Score:2)
Hmm. You know, I've never had an old, proper WRT54G/S (or the current GL model) die from heat death. I've got dozens of them scattered around. Radios get weak or strange after awhile (electron migration or somesuch), and maaaaybe I remember some swollen filter caps on one (which got repaired), but I don't consider any of that heat-death (and it's not like bad caps weren't ridiculously common for a time from almost every manufacturer of almost anything).
I've had the power supplies dive on me, which is pro
Re: (Score:2)
For comparison, Tomato is more monolithic.
It does? There's many different flavors of tomato. That's one of the things that put me off to begin with.
OpenWRT is like you describe, though. I've just put it on a routerboard rb411 and on a cute little PC (WebDT DT168) and in both cases the documentation is a bit fragmentary so that's annoying, but once installed the experience is much alike and all the wiki pages are under one roof.
Re: (Score:3, Interesting)
But the company has not done themselves any favours in their choices of distribution channels.
If they want more penetration they need to start pushing product into the mass market distributors like Ingram Micro, Synnex, Tech Data, and D&H. These are who most of the retailers do 99% of their purchasing through. That is who they have integrated their point of sale systems with to populate their web stores, and do EDI for inventory management so that's who they tend to deal with wh
Re: (Score:3)
I just received two of their APs over the weekend. Unfortunately, one of them fried somehow and won't come on the network anymore. Any idea how I go about getting support? I suppose I could return to Amazon, but I don't feel like that would be appropriate as I do want a replacement, not just a return (as Amazon seems to assume).
The other AP works perfectly, and was immediately able to replace one of the Netgear routers I was using that never did the job correctly.
Re:Why would any novice (Score:4, Informative)
Well, the R7000 and R8000 are "open routers" per Netgear. The R7500... not so much.
In fact, the R8000 has a DD-WRT port [myopenrouter.com]. As does the R7000 [myopenrouter.com].
And while it takes a bit of hunting, Netgear's source code firmware for those are available as well. (Well, most of it, given the amount of proprietary drivers that are binary only).
MyOpenRouter is usually where I go first when deciding if there's a particular Netgear router I want. (Netgear runs the site as a central place for all their "open" routers and alternative firmware. At least the routers they officially support as being "open").
Re: (Score:2)
My favorite wireless router is the Asus RT-N12. It's got two external antenna ports (SMA-type) and readily runs Tomato. Remote access via https and ssh, not to mention everything else that can be fine-tuned (like RF power output). I wouldn't have it any other way.
Re: (Score:3)
The second you say "firmware" or even worse "tftp" you've lost +99.9% of people out there.
Re: (Score:2)
The second you say "firmware" or even worse "tftp" you've lost +99.9% of people out there.
Right, the install is the hard part. I mean, I just got a DIR-330 at a yard sale. It looks like it's going to be useful to me, but I've got to wire a CA-42 cable up to it. Just getting that part right is tricky enough since there's no standardization to those except at the business end. But if it came with openwrt, or dd-wrt, or tomato, I don't see that being a dealbreaker. Any of those are simple enough to configure, assuming the user is going to change the configuration anyway. I've found luci on openwrt
Re: (Score:2)
One reason might be to manage which ports are forwarded, when not on-site.
Say the noobie is running a game host, or some other daemonized process, but hasn't figured out that he needs to keep those devices on static IPs inside his private network for ease of management. As a consequence, his game server might suddenly stop responding to remote requests, because the NAT table is pointing to an IP that the device no longer owns.
Granted, this is a stretch. The noobie should have a remote management host insid
Re: (Score:3)
The fact is since this is a web vulnerability it will be exploited by XSS attacks from compromised ad networks and also will be included in many exploit kits, you won't have to have remote management enabled for this to be exploited, it will just make it slightly more difficult if you don't.
As to DD-WRT, if they supported the OpenDNS family settings with bypass accounts like the stock firmware I'd consider it, but for me it's a killer feature, and MAC based exceptions aren't an answer because we have shared
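The comment above makes the point that a LAN-side web flaw is reachable through the owner's own browser: a page from an ad network can make that browser send a request to the router, and "remote management off" says nothing about requests that originate inside the LAN. The following is an added illustration in Python, not Netgear's code and not from the seclists report; it shows the one signal a router-side admin or SOAP endpoint has for telling a browser-pivoted request from the owner's own session (the Origin / Referer headers) and a policy built on it. The hostnames, addresses and sample headers are constructed for the demo.

```python
"""
Why 'remote management is off' does not cover a LAN-side web flaw.

Added, generic illustration (not Netgear's code): any page the victim's
browser loads, an ad creative included, can make that browser send a request
to 192.168.1.1. The router sees a request arriving from its own LAN, exactly
like the owner's admin session. What differs is only what the browser says
about the request's source (Origin / Referer), so a LAN-only admin or SOAP
endpoint that never looks at those headers cannot tell the two apart.
Hostnames, addresses and the sample headers below are constructed.
"""
from urllib.parse import urlsplit

# Names under which the router's own admin UI is assumed to be reachable.
ROUTER_HOSTS = {"192.168.1.1", "routerlogin.net"}


def _host_of(url: str) -> str:
    """Hostname part of an absolute URL, lower-cased, port dropped."""
    return (urlsplit(url).hostname or "").lower()


def classify_request(headers: dict, router_hosts=ROUTER_HOSTS) -> str:
    """
    Where does the browser say this request came from?

      'same-origin'   Origin (or, failing that, Referer) names the router
      'cross-site'    it names some other site, or is the opaque 'null' origin
      'unattributed'  neither header is present (script, curl, stripped headers)
    """
    h = {k.lower(): v for k, v in headers.items()}
    origin, referer = h.get("origin"), h.get("referer")
    if origin == "null":            # sandboxed iframe / data: URL: never trust
        return "cross-site"
    source = origin or referer
    if not source:
        return "unattributed"
    return "same-origin" if _host_of(source) in router_hosts else "cross-site"


def should_serve(headers: dict, router_hosts=ROUTER_HOSTS) -> bool:
    """
    Policy for an endpoint that changes settings or reveals secrets: answer only
    requests the browser attributes to the router itself. Unattributed requests
    are refused too, so stripping headers cannot turn a pivot into a trusted call.
    This is a layer on top of authentication, not a substitute for it.
    """
    return classify_request(headers, router_hosts) == "same-origin"


# Constructed sample headers (not captured traffic).
ADMIN_SESSION = {"Host": "192.168.1.1", "Origin": "http://192.168.1.1",
                 "Referer": "http://192.168.1.1/advanced.htm"}
AD_PIVOT = {"Host": "192.168.1.1", "Origin": "https://ads.example.net",
            "Referer": "https://ads.example.net/creative.html"}
OLD_BROWSER = {"Host": "192.168.1.1", "Referer": "http://routerlogin.net/start.htm"}
SCRIPT = {"Host": "192.168.1.1", "User-Agent": "curl"}
SANDBOXED = {"Host": "192.168.1.1", "Origin": "null"}

if __name__ == "__main__":
    for name, hdrs in [("admin session", ADMIN_SESSION), ("ad pivot", AD_PIVOT),
                       ("old browser", OLD_BROWSER), ("script", SCRIPT),
                       ("sandboxed", SANDBOXED)]:
        # Every one of these arrives from a LAN address; only the headers differ.
        print(f"{name:13s} {classify_request(hdrs):13s} serve={should_serve(hdrs)}")
```

Two caveats the code makes visible: a native client such as a phone app never sends Origin, so it lands in "unattributed" and must authenticate explicitly rather than be waved through because it is "on the LAN"; and the check is only a second layer, since the report quoted in the summary is about a service that answers unauthenticated requests at all, which no header check repairs.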
Re: (Score:2)
All the models listed except the WNR2500 are supported by DD-WRT.
Upgrade people! [dd-wrt.com]
Re: (Score:2)
To the cloud! (Score:2)
Once again, "cloud connected" devices are not properly secured.
Shocker.
Re: (Score:2)
The Internet of rushed to market, horribly secured, never updated, easily pwn3d things.
Re: (Score:2)
Is that a new problem? [cert.org]
(To answer my own question: No, it's not. [wikipedia.org])
Re: (Score:2)
Of course it's not new ... but every day we see further examples how consumer electronics are pushed out with gaping security holes.
Until corporations bear some penalty for doing security incompetently, this will continue.
But what has to happen is actually holding corporations accountable for stuff like that ... instead of a click-through license which say "we make no promises our product doesn't suck or that we're not lying to you".
Oddly, people seem opposed to corporations being accountable for their acti
Re: (Score:2)
Uh, none of the listed models are cloud connected (that's reserved for the WNDR3800).
Default password (Score:5, Insightful)
Is that what /. is using? (Score:3)
Re: (Score:2)
Did you guys get hacked or what? It seems like this site has been down as much as it has been up lately...
They went to get something to replace the NETGEAR. They'll be back from Walmart shortly.
Assume all proprietary router software compromised (Score:3, Insightful)
Do not buy a router unless OPENWRT supports it.
Always overwrite what ever firmware came with the router with a new install of free software.
The days when Joe Sixpack can just buy a router and plug it in are over! You must do this.
Security experts need to take a close look at the uboot software commonly used to install alternate firmware. And check if the NSA has hacked that up as well.
Re:Assume all proprietary router software compromi (Score:4, Interesting)
Most consumer device deployments of uboot have a short (3 second) window in which they look for a tftp server broadcasting an update. This is very useful for developers of openwrt and pals, because it allows them to push a test image to the device's memory and boot on it.
However, it could also be used as an attack vector against home grade routers, if the NSA had a REALLY vested interest in you: orchestrating a system reboot of your open firmware back to uboot (say, by causing a severe memory corruption event or something similar which panics the kernel, maybe a hidden function in the LAN ASIC perhaps), followed by tftp of a new compromised image using, say, a compromised Windows workstation in the target network to do the serving.
You would have to completely replace the stock uboot on such routers to remove the small 3 second window.
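The recovery window described above is a TFTP exchange, and the reason it is a useful attack surface is the protocol itself: a loader that boots over the network sends a read request for a fixed image name and accepts whatever data blocks come back, with nothing on the wire that identifies the server or signs the image. The following is an added illustration in Python, not U-Boot's code and not any vendor's recovery tool: a minimal RFC 1350 client and server run in memory, with the one check that can reject a substituted image (a hash of the received bytes) done afterwards, because the protocol never does it. The image bytes, file names and hash are constructed for the demo.

```python
"""
A U-Boot-style TFTP recovery exchange on the wire, in memory.

Added illustration, not code from U-Boot or any vendor. Minimal RFC 1350:
RRQ -> DATA(1) -> ACK(1) -> DATA(2) -> ... until a block shorter than 512
bytes. Neither side authenticates, so the only check that can reject a
substituted image is one made on the received bytes (verify_image).
Image contents and file names are constructed for the demo.
"""
import hashlib
import struct

RRQ, DATA, ACK, ERROR = 1, 3, 4, 5   # RFC 1350 opcodes (WRQ=2 not needed here)
BLOCK = 512                          # fixed TFTP data block size


def build_rrq(filename: str, mode: str = "octet") -> bytes:
    """RRQ: opcode | filename | 0 | mode | 0"""
    return struct.pack("!H", RRQ) + filename.encode() + b"\0" + mode.encode() + b"\0"


def parse_rrq(pkt: bytes):
    if struct.unpack("!H", pkt[:2])[0] != RRQ:
        raise ValueError("not an RRQ")
    name, mode, _rest = pkt[2:].split(b"\0", 2)
    return name.decode(), mode.decode().lower()


def build_data(block: int, payload: bytes) -> bytes:
    """DATA: opcode | block# | 0..512 bytes; a short block ends the transfer."""
    return struct.pack("!HH", DATA, block & 0xFFFF) + payload


def build_ack(block: int) -> bytes:
    return struct.pack("!HH", ACK, block & 0xFFFF)


def build_error(code: int, msg: str) -> bytes:
    return struct.pack("!HH", ERROR, code) + msg.encode() + b"\0"


def opcode(pkt: bytes) -> int:
    return struct.unpack("!H", pkt[:2])[0]


class TftpImageServer:
    """In-memory stand-in for whatever host answers the loader's RRQ."""

    def __init__(self, files: dict):
        self.files = files        # filename -> image bytes
        self.blocks = []          # blocks of the transfer in progress

    def handle(self, pkt: bytes) -> bytes:
        op = opcode(pkt)
        if op == RRQ:
            name, mode = parse_rrq(pkt)
            if mode != "octet" or name not in self.files:
                return build_error(1, "File not found")
            data = self.files[name]
            self.blocks = [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]
            if len(data) % BLOCK == 0:      # exact multiple: a final empty DATA
                self.blocks.append(b"")
            return build_data(1, self.blocks[0])
        if op == ACK:
            n = struct.unpack("!HH", pkt[:4])[1]   # ACK(n) asks for block n+1
            if n < len(self.blocks):
                return build_data(n + 1, self.blocks[n])
            return build_error(0, "Nothing to send")
        return build_error(4, "Illegal TFTP operation")


def recover_image(server: TftpImageServer, filename: str):
    """
    Client side as a recovery loader does it: RRQ, then ACK every DATA block
    until a short block arrives. Returns (image, packet_log); image is None
    if the server answered with ERROR.
    """
    log, received, expected = [], bytearray(), 1
    pkt = build_rrq(filename)
    log.append(("loader", pkt))
    reply = server.handle(pkt)
    log.append(("server", reply))
    while True:
        if opcode(reply) == ERROR:
            return None, log
        block, payload = struct.unpack("!HH", reply[:4])[1], reply[4:]
        if block != expected & 0xFFFF:
            raise ValueError(f"out-of-order block {block}, wanted {expected}")
        received += payload
        ack = build_ack(block)
        log.append(("loader", ack))
        if len(payload) < BLOCK:
            return bytes(received), log
        reply = server.handle(ack)
        log.append(("server", reply))
        expected += 1


def verify_image(image, expected_sha256: str) -> bool:
    """The check the protocol never makes: is this the image we asked for?"""
    return image is not None and hashlib.sha256(image).hexdigest() == expected_sha256


# Constructed images: a 1300-byte 'good' image and a same-length substitute.
GOOD_IMAGE = bytes(range(256)) * 5 + b"\x00" * 20
GOOD_SHA256 = hashlib.sha256(GOOD_IMAGE).hexdigest()
BAD_IMAGE = b"\xff" + GOOD_IMAGE[1:]

if __name__ == "__main__":
    img, log = recover_image(TftpImageServer({"recovery.img": GOOD_IMAGE}), "recovery.img")
    print(len(log), "packets; honest image verified:", verify_image(img, GOOD_SHA256))
    img, _ = recover_image(TftpImageServer({"recovery.img": BAD_IMAGE}), "recovery.img")
    print("rogue image accepted by the protocol, rejected by hash:", verify_image(img, GOOD_SHA256))
```

The rogue server in the demo is indistinguishable from the honest one at the packet level; that is the point the comment makes about the "3 second window", and it is also why the reply below is right that the window is only reachable by whoever can answer on the wired LAN side. A loader that compared the received image against a pinned hash or signature before writing flash would close it; one that accepts any well-formed DATA stream does not.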
Re: (Score:2)
Usually the only network interface UBoot is configured to use is on the local network side, on a wired interface and the IP address used is non-routable. You are not getting your alternate firmware loaded without being physically present with the router, connected by a wire, so some external party isn't going to compromise your router this way...
Which means if they pwned a machine on your LAN... (Score:2)
Usually the only network interface UBoot is configured to use is on the local network side, on a wired interface and the IP address used is non-routable.
Which means if they compromised a machine on your LAN you're hosed. They now have your router firmware firmly under their control.
Who needs an intercept in the ISP, lawful or otherwise, when they can have your router send them copies of whatever they want. (Not to mention using it to attack any other devices behind it and cooperate with malware on them.)
Re: (Score:2)
If they have a compromised machine on your network, you are hosed in more ways than them being able to change your router firmware. I think the biggest risk at that point is someplace else...
Re: (Score:2)
You would have to completely replace the stock uboot on such routers to remove the small 3 second window.
There are replacement uboots for many devices. I'm not up on which routers have 'em. I replaced the uboot on my pogoplugs to make them better debian hosts. I may even start using the net booting feature.
What about Apple? (Score:2)
It seems every few months someone discovers a vulnerability in a home router, and some websites even test multiple routers in a security "shoot-out". I've been reading these reports for years, but I've never seen an Apple router mentioned. Are Apple routers that much more secure or does no-one bother to test them?
"Incredible" seems about right. (Score:2)
incredibly secure
I think that qualifier demands you back this claim with some sort of source..
Nah. Just use the literal meaning of "incredible". B-)
Re: (Score:3)
You call it a flaw, the NSA calls it a feature (Score:1)
Based on what my family knows from the intel agencies we worked in, it's a feature.
What, you thought you lived in a Free Society, with Rights?
Re: (Score:2)
Very true.. They do load their own UI instead of LUCI but it's an older scaled down version of OpenWRT. Most will also let you login using a "secret" handshake packet that turns on ssh I think, so you can login to the console and play around with the thing.
My 4300 with OpenWRT and the default LUCI install is worlds better though. I get all sorts of cool features that the stock firmware only dreams of. I get 802.1Q VLANs, so I can have multiple wired networks, separate control of the radios where I can c
Re: (Score:2)
So does Netgear.
For example, You cannot manage a wndr3800 with HTTPS.
You must use HTTP ONLY.
Firmware not a priority to dollars (Score:2, Interesting)
I think most consumer grade routers are more inclined to be designed for simplicity of setup than security. Even today, a lot of tech challenged consumers find setting up a router challenging. But most router makers at least default to a secure wireless connection. Although plenty of end users never bother to change the Administrative password. Unfortunately security is not just about device makers taking steps. But rather the end user becoming smarter about how they should protect themselves. I think consu
Wireless Disabled (Score:2)
I have a Netgear N300 Wireless Router Model WNR2000v2. I have no WiFi devices.
In the router manager Web pages, I unchecked the checkboxes for "Enable Wireless Router Radio" and "Turn Remote Management On". I also unchecked all of the checkboxes under "Guest Network Settings", "Wireless Settings", and "Wireless Repeating Function". The wireless LED indicator on the router is not lighted.
Therefore, I expect this is not a problem for me.
Don't you love NETGEAR support? (Score:2)
Don't you love the professionalism and issue escalation of the NETGEAR support team? Shows that we, the mere mortals, are not alone here at all!
If even the security research guy can't get them to stop sitting on their arses, what are the mere mortals without such pressing issues left to do when they encounter the various bugs here and there?