back to article Netgear router flaws exploitable with authentication ... like the default creds on Netgear's website

Two arbitrary code execution vulnerabilities affecting a number of Netgear routers aimed at small businesses have been patched following research by Immersive Labs. The vulns rely on authenticated access to affected devices so aren't an immediate threat. They do, however, allow someone with remote access to the router to pwn …

  1. Version 1.0 Silver badge

    The world needs to be reformatted.

    So many vulnerabilities like this are normal - devices are built to be easy to use, device "security" is just a "feature" - I never saw anything hacked like this back when I had to access devices via an RS232 connection to run administrative setups. I see so much stuff like this, high speed internet access helps too - I'm only seeing about 200 administrative login attempts an hour on the mail-server today, but never saw any back when the access speed was 9600 baud and there were very few spam emails and no malware deliveries either.

    We need to fix these problems by preventing the problems, not just adding a new feature like having the router text your phone when you need to log into it - that's just a security feature that will be hacked.

    1. This post has been deleted by its author

    2. bombastic bob Silver badge
      Devil

      Re: The world needs to be reformatted.

      I recently upgraded to a new ISP (now AT&T) and the modem it uses has a default "alphabet soup" password that is restored on factory reset. It appears to be uniquely assigned, and as it's printed on a sticker on the modem itself, and can ALSO be changed (until the next factory reset), I would think that this might satisfy a reasonable security requirement for NOT using identical default passwords and still provide for recoverability (etc.).

      At least, as far as I know, none of the (uniquely) pre-assigned passwords are "admin" "love" "sex" "money" "password" or "god"

      (so yeah it is one way to do it)

      1. Anonymous Coward
        Anonymous Coward

        Re: The world needs to be reformatted.

        Just in case -

        According to a blog post by security researcher Joseph Hutchins that first went live in August, upwards of 138,000 AT&T wireless routers may have a critical security vulnerability that could leave many of its customers open to an attack.

        Five flaws altogether were discovered in the company’s “Arris”-branded routers, though even more are said to potentially affect other OEM AT&T U-verse modems regardless of make or model. The attack is able to bypass any security measures that a user may have put in place, as well as the internal firewall through a publicly-available set of credentials.

        Once the hacker is in range of the router, he can either use the credential crack or a brute force of the half-completed MAC address to get in. The latter bug may have been a result of AT&T’s staff support methodology, which leaves a channel open that technicians can use to remotely troubleshoot internet issues without having to send someone out to the address physically.

        1. Captain Scarlet Silver badge

          Re: The world needs to be reformatted.

          The dial in out of band modem?

        2. Anonymous Coward
          Anonymous Coward

          Re: The world needs to be reformatted.

          "the company’s 'Arris'-branded routers"

          So they've never heard of Cockney Rhyming Slang...

  2. Cinderellaphant

    Lizzie Borden bought a Mac

    Learned to code and

    Hack Hack Hack

    Alan Turing hacked the enigma machine way before RS232 was developed.

    Hacking has been around since the Stone Age when some caveman took a Maypole, sharpened one end and javelined a wooly mammoth.

    1. My other car WAS an IAV Stryker Silver badge
      Thumb Up

      Bombe

      "Alan Turing hacked the enigma machine"

      Part brute-force attack, part dictionary "attack" (really test/analysis of parameter combinations, if I understand correctly).

      1. Richard 12 Silver badge

        Re: Bombe

        And some known-plaintext, thanks to the brave souls who captured codebooks from U-boats and other places, and the meteorologists who reported the weather.

        1. bombastic bob Silver badge
          Devil

          Re: Bombe

          and, if I remember correctly, we can indirectly thank the way the Nazis often (robotically) included certain phrases at the beginnings and endings of the messages, apparently longer and more consistent phrases than the usual "Dear sir"

          Also if I remember correctly, there were 2 codes used. Code #1 was in the book, and the 2nd code was encoded using the 1st one. but lazy operators might re-use the same code for the 2nd one. And so there you have it... procedural insecurity, ripe for being cracked by brilliant code breakers. (Bletchley Park is such a cool study on ciphers and cracking them)

          1. SCP

            Re: Bombe

            Yes, poor COMSEC is a problem that still remains - though solid progress has been made since WWII.

            It also illustrates a common problem in many fields is the people using the system rather than the system itself [depending on what you count as part of the system].

            [Obviously Enigma did have its big flaw of characters never being encoded to themselves].

  3. Anonymous Coward
    Anonymous Coward

    Linksys?

    A couple of years ago I bought a retail Linksys router. By far the easiest way to configure said router was to do the setup using a Linksys "cloud" password, and then doing the configuration via this handy "cloud" facility. (In fact, doing the configuration with a laptop, a CAT5 cable and NO INTERNET proved to be very difficult....I wonder why!)

    The alleged "benefit" of this scheme was that I could manage my router (by smartphone) from the beach in Brazil. But I did wonder at the time if it allowed anyone who hacked the Linksys "cloud" to manage my LAN (also from the beach in Brazil).

    I passed.....did a factory reset and boxed up the router and gave it to the local charity shop.

    I mention this here because I wonder if retail routers are hackable from the "cloud" services which manufacturers kindly provide? No physical access needed!

    Just saying!

    1. bombastic bob Silver badge
      Devil

      Re: Linksys?

      my very old DLink wifi router (which is ONLY on the LAN) has a checkbox to allow remote admin from outside the LAN, i.e. via the WAN port. Of course it is OFF. I think there's also another one that allows someone on the wifi network to configure it, and I believe THAT one is OFF as well.

      (unfortunately they were ON by default, as I recall - it has been many years since i set it up)

  4. Anonymous Coward
    Anonymous Coward

    A basic approach

    Buying a device like this and connecting it directly to the Internet is a mistake - it's not just Netgear routers, this applies to anything you setup The only moderately safe connection is to use it on your local network so that its' Internet communications flow through a firewall - so most of the time the Internet does not see it but all the users have access (if you create a firewall rule allowing this). The device is still hackable if someone gets the wireless password or you support a guest access but this is only local folk, not a few billion people attempting to hack you.

    1. Aitor 1 Silver badge

      Re: A basic approach

      Problem is if your network provider decides to sign up your router for "seemless" internet, "you wont notice".

      1. Joe Drunk

        Re: A basic approach

        My previous ISP supplied me with an AIO router/modem device which they managed.

        Solution: I plugged my router into one of their device's ethernet ports. Never had any issues for 3 years. I switched ISPs for one that let me purchase my own modem. Best part: Didn't have to make any changes to my LAN since I am using the same router, no passwords/SSIDs had to be modified unless I wanted to.

        I hope most Reg readers here use their own routers rather than ISP supplied. Makes life easier especially when troubleshooting connectivity issues.

        1. Pirate Dave Silver badge

          Re: A basic approach

          Same here using a Netgear Nighthawk connected to Comcast's cable modem. We've switched ISPs three times in the past 4 years (originally on an AT&T DSL, then "upgraded" to U-verse (bleh!), then moved to Comcast), and none of our connected devices even noticed. I've never been one to trust connecting computers/phones/etc directly to the ISPs device, I've always used my own AP/router to at least give the Bad Guys/script kiddies one additional little speed bump to get past in their quest to commandeer my home network.

  5. Joe Drunk
    Facepalm

    Doesn't matter the vendor or device

    Helpfully, Netgear itself publishes default login credentials for "most" of its products on its website. If you haven't been into your Netgear router's admin panel and changed these default creds, you're at increased risk.

    If you haven't changed the default creds on any internet facing device you're at major risk since most vendors' websites publish the default logins with the assumption that they will be changed before use.

    Yea, my router came with the option to manage it via a smartphone app so I could pretend to be cool, y'know, like a millenial.

    Hard pass. Remote access denied. Once you have the router setup the way you want there's nothing else to manage except logging into it periodically from your LAN to check if there's any unauthorized connections.

  6. Henry Wertz 1 Gold badge

    What bombastic bob said

    What bombastic bob said... my older devices had default username and password, posted on the website. My newer stock devices have the what appears to be a randomly generated password, printed on the device so you can still find it after factory reset. dd-wrt (after some version) used user: admin (or maybe root), password: admin but requires you to set the password first time into the web interface (...which you go into to set up the wifi network name etc. so it's not a step people are going to skip unless they really want a network named dd-wrt with no encryption.)

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2022