back to article If you own one of these 45 Netgear devices, replace it: Kit maker won't patch vulnerable gear despite live proof-of-concept code

Netgear has quietly decided not to patch more than 40 home routers to plug a remote code execution vulnerability – despite security researchers having published proof-of-concept exploit code. The vuln was revealed publicly in June by Trend Micro's Zero Day Initiative (ZDI) following six months spent chivvying Netgear behind …

  1. Anonymous Coward
    Meh

    I wonder

    How many rebadged ISP-supplied routers are in that list.

    1. Anonymous Coward
      Anonymous Coward

      Re: I wonder

      Some of these are not routers, though. For example the WNCE3001 is a simple wifi-ethernet bridge, USB powered, which was useful to connect devices without their own WiFi (i.e. my Sky box).

      Even difficult to replace now because this kind of device is mostly extinct, usually smaller and cheaper extender come with a built in AC plug making putting them where reception is good an issue, and buying a whole AP or mesh node just to connect a single device is more expensive.

      For now I firewall it to keep it safe.

    2. DS999 Silver badge

      Re: I wonder

      If you have an ISP supplied router you should run it in bridge mode (if supported, if not see if they have a different model that does support it) and use your own router instead. Then you can insure it is kept up to date and secure (ideally with DD-WRT, OpenWRT, or similar)

      Unfortunately while this is trivial for the typical reader of a site like this, it isn't really feasible for the average consumer who ends up doubly screwed by their ISP using a product that's no longer patched, or even if it is patched that the ISP doesn't deliver those patches to customer devices.

      1. steviebuk Silver badge

        Re: I wonder

        I've tried, with my shit Virgin up that has the shitest built in aerials but, the Draytek it is bridged too, gets an IP address yet doesn't ever go out to the Internet. I don't know what Virgin are doing to it but it refuses to get an Internet connection so I'm still stuck with the shitty Virgin hub.

        1. tanktarta

          Re: I wonder

          I feel your pain with that terrible Virgin hardware, but trying to replace with DD-WRT on an Archer C9. It's only been relatively recently it's been that hard to use modem mode with a Virgin super hub, so I guess some firmware update messed things.

          This https://community.virginmedia.com/t5/QuickStart-set-up-and/Superhub-3-Modem-Mode-No-Internet-No-WAN-IP/td-p/3379154/page/2 was the magic post for me. Although a few others had useful hints.

          * Make sure you use the same LAN port on the back of the superhub, the one closest to the coax cable seems to be the consensus

          * Reset the router into HUB mode with only your PC connected, let it get the MAC address

          * Plug everything back in and clone MAC address from PC to your intended replacement router

          * Make sure you are not requesting a hostname in the DHCP address.

          * Switch the superhub back to modem mode and reboot router.

          Cloning sometimes seemed to work, sometimes not. I just know it's some magic combination of the above. YMMV.

          1. EnviableOne

            Re: I wonder

            FFS they are still using MAC Based restrictions, I thought they went out with the advent of Virgin Media...

            Back at uni I made a little cash each year by networking student places and spoofing MACs to the router, so they didnt have to pay for multiple subscriptions....

  2. PTW

    Time to check how many on the list support DD/Open-WRT?

    And to pick up a bargain on fleabay. In an effort to save waste/landfill obviously, not because I'm a tight git.

    Edit to add: Mixed bag, some are, some aren't, see https://wiki.dd-wrt.com/wiki/index.php/Supported_Devices#Netgear

    1. Anonymous Coward
      Anonymous Coward

      Re: Time to check how many on the list support DD/Open-WRT?

      Not strictly related but I have a couple of BT HomeHubs but as is my luck, they are both of the version that isn't suppoorted by Open-WRT.

      Maybe that's why BT didn't want them back :-)

      If you do want to upgrade to OpenWRT - which I'd strongly recommend you look at BTW, make sure that the hardware you get IS supported. It can literally be a difference between a '-A' and a '-A2' in the part number :-(

    2. Anonymous Coward
      Anonymous Coward

      Re: DD/Open-WRT?

      My tplink router is supported by DD/Open-WRT - indeed I checked before I bought it. However, the upgrade (side-grade?) gymnastics (for my particular device) turned out to be more than a little contorted, and so it has stayed with the manufacturer firmware. And I'm not that sure I want to risk a sudden "device-bricking related internet outage brouhaha" (aka D-BRIOB) during the current must-work-from-home situation.

    3. Len
      Happy

      Re: Time to check how many on the list support DD/Open-WRT?

      For OpenWRT on Netgear devices just check if your device is on this list and supports at least 19.07*.

      * If it says snapshot it is likely to be supported in a future release

    4. Lennart Sorensen

      Re: Time to check how many on the list support DD/Open-WRT?

      Quite a few of them are broadcom based which tends to mean openwrt is not an option due to lack of open source drivers. dd-wrt handles some of them though.

      Amazing anyone buys their products anymore given how it seems every year a major security hole is found in just about all their products, and then they fix half or 2/3 or them, and ignore the rest.

      1. John Geek

        Re: Time to check how many on the list support DD/Open-WRT?

        um, my WNDR3700v3 is Broadcom based, and has OpenWrt support. I know this because I just got it working in OpenWrt...

  3. Anonymous Coward
    Anonymous Coward

    It'd be interesting

    ... to see how old those de-supported routers on the list are (but not so interesting that I'd actually go to check them up)

    1. Lennart Sorensen

      Re: It'd be interesting

      I looked up one, the AC1450, and it is from 2013.

  4. Anonymous Coward
    Anonymous Coward

    Well I guess I won't ever be buying any more netgear kit then.

    And I suppose I also won't be able to recommend them for business use in good conscience.

    Pity.

    1. Andy Non Silver badge

      Yep, Netgear onto the "do not buy list" along with Sonos sound bars and a few others.

      1. Anonymous Coward
        Anonymous Coward

        I contacted them to advise them that they'd been added to the "do not buy" list.

        Damn, their support website is embarrassingly terrible: trying to validate input while I'm still entering it, sending me verification emails with no verification link(?!), and when I try to upload a screenshot to illustrate how their support site is broken and terrible, I get a 403. Lol.

        Maybe avoiding their kit won't be a pity after all.

        1. Anonymous Coward
          Anonymous Coward

          The CSS on that advisory page linked to in the article is horribly broken too. The right edge of the text is unreadable in Pale Moon.

          I'm not interested in doing any more business with a company that not only won't support its products, but can't even employ a competent web author. (There's no need for a "web designer" for something this trivial.) I've only had one Netgear product, but it'll be the last and only one.

          The problem, of course, is finding anything better. People used to recommend Ubiquiti but their prominent recent failures in support and privacy have put them too on my do-not-buy list. It's hard to find one of the specific models that are supported well by DD-WRT because vendors change them so often.

          1. Anonymous Coward
            FAIL

            The right edge of the text is unreadable in Pale Moon

            Well obviously that's your fault for not using chrome. Duh. You can hardly expect people to write CSS that works in a compatible way. It's not like it's a well-defined standard and pretty straightforward to do for anybody half-way competent.

            overflow-x is sooo overrated and soooo 2017. No way anybody could possibly want to scroll horizontally on a table full of data. Didn't you know? Everybody uses chrome running maximised on a desktop at 1920x1080.

            I almost expected a "This page best viewed in IE6" logo at the bottom of the page.

            There's no need for a "web designer" for something this trivial

            Yeah. Like the input validation thing: if they had done any UAT at all this would have shown up.

            I said in my support ticket that it looks like somebody's twelve-year-old nephew has just figured out how to install Visual Studio. Now I'm thinking that I overestimated them and it was actually an eight-year-old.

            The problem, of course, is finding anything better.

            Indeed. Cisco perhaps? Are they terrible as well as expensive?

            But I think this sounds like a problem for future AntiSol to deal with - I think I'll just hope that none of my current kit breaks. Ever ;)

            1. Anonymous Coward
              Anonymous Coward

              dammit, of course I noticed 11 mins after posting that it's actually not overflow-x, it's widths set in element styles on every td element in the table (zomg!), combined with nowrap. I can't decide whether that has been added by a braindead web author or a braindead javascript library.

              Interestingly, the table only displays properly in chrome because chrome is ignoring the nowrap attribute they've added for some reason I can't be bothered to debug.

              it affects waterfox, too, not just pale moon. I'd be curious to know whether it shows up in the latest firefox (but not curious enough to install the latest firefox).

    2. paulf
      Paris Hilton

      Netgear has been off my “buy” list ever since the DGND3700 v1 ADSL Router I bought in 2011 was EOLd 13 months after release even though the ADSL support was still fucked and not working properly. I managed to get it mostly reliable thanks to a beta version of the firmware, that was never officially released, from support after much nagging. Even then I had to download it from that well know legit file distribution service Dropbox. Support was switched to the v2 Hardware released 6 months later.

      They abandoned HW they knew was not working to spec because selling stuff is more profitable than supporting it afterwards. Netgear can go fuck themselves with a big rusty razor blade.

      In comparison my Draytek router is 3+ years old and still getting new features plus bug fixes.

    3. EnviableOne

      their modems were great, i remeber a DG834g getting sync on a line that might as well have been wet string....

      but times change, and all the suppliers iu used to rely on have either been bought or mis mangled into being useless now.

      Might have to do some research and replace my aging business grade box with something new....

  5. chivo243 Silver badge

    Netgear flew off of our list years ago.

    Out with the low-end components for us... We've had so few issues with our new vendor, that I'm forgetting how to do things on their interfaces. Seems like we were always hunting down a performance issue\setting with NG and I was poking round regularly.

    1. Muskiier

      Re: Netgear flew off of our list years ago.

      And who's your new vendor may I ask?

    2. Jeffrey Nonken

      Re: Netgear flew off of our list years ago.

      Off my personal list as well. From what I can tell, the WiFi radios tend not to last past a year or so. True or not, the "refurbished" one I bought stopped working for WiFi soon after I bought it; I ended up buying an RT-N56U and setting it up as an access point to handle the WiFi.

      Not sure how much I'm liking Asus right now, either. I recently bought a GT-AC5300 and paired it with an RT-AC68R via AiMesh. My duplex is small enough that AiMesh should be overkill, but I had the 68R, so why not? Turns out the 5300's WiFi continually disconnects, even from devices less than two meters away. OTOH the 68R is rock-solid, so I moved it to a more central location and we've been happily using it ever since.

      So much for MU-MIMO being the be-all to end all. My high-end WiFi router doesn't even WORK.

  6. Anonymous Coward
    Anonymous Coward

    force manufacturers to reveal device lifespans

    "calls from government agencies for new laws forcing manufacturers to reveal devices' design lifespans at the point of purchase"

    How will PCWorld/Currys survive?

    "Would you like to extend the guarantee on that router that we just found in the back of the warehouse?"

    1. Chris G

      Re: force manufacturers to reveal device lifespans

      A better legislation would be to enforce a minimum guaranteed lifetime with support, particularly for consumer level products as the buyer is really only interested in buying an item and switching it on. Expecting the average consumer to keep up with security and continuing updates when most of them don't really understand how their electric kettle works, is asking a lot.

      1. EnviableOne

        Re: force manufacturers to reveal device lifespans

        Like in Norway, where consumer electronics are required to be supported by the manufacturer for 5 years (depends on how long you should reasonable expect them to last)

  7. G R Goslin

    How I'd like to....

    Upgrade my D6400 router. But every time I try, it fails with "unknown error" "unknown error" doesn't give much of a clue to resolving the problem. So, my D6400 is due for the junk box, anytime now.

    1. Anonymous Coward
      Anonymous Coward

      Re: How I'd like to....

      I found I couldn't get the update to update on my D6400 by using the check for new firmware but when I downloaded the update from Netgear's website and then uploaded it to the router it did take.

      1. Adair Silver badge

        Re: How I'd like to....

        Likewise. The 'Update' feature has never worked, but if I do the whole process manually it works fine.

  8. Anonymous Coward
    Anonymous Coward

    EU directive 1999/44/EC

    Seeing as it's clear (and I imagine admitted by Netgear) that the fault has always existed and so existed at time of purchase, I wonder how they can reconcile refusing to fix the problem with EU directive 1999/44/EC?

    AIUI, after 6 months the consumer needs to prove the fault existed at time of purchase (which I imagine is now trivial) and so the consumer is entitled to repair / replacement / refund within 5 years (or a reasonable period for the product).

    My (admittedly lay) interpretation would be that a router should reasonably last 5 years and so for those newer than this Netgear could find themselves on the receiving end of a lot of returns... to the point I imagine it would be cheaper just to roll out firmware updates!

    1. tiggity Silver badge

      Re: EU directive 1999/44/EC

      Indeed, most home consumers would expect to use a router until it breaks, you do not expect them to be short lifespan products.

      1. Anonymous Coward Silver badge
        Big Brother

        Re: EU directive 1999/44/EC

        Most home consumers would expect to use a router until they switch ISP and the new one sends them a new router. So that'll be just after the initial 18 month offer expires, probably.

        They don't tend to purchase their own kit.

    2. DS999 Silver badge

      Re: EU directive 1999/44/EC

      I don't know about all those, but I used one of the ones on the list (WNDR4000) for my business at one point. I bought it MUCH longer than five years ago, so that EU directive won't apply to it and presumably any of the WNDRxxxx with lower numbers.

    3. Claverhouse Silver badge

      Re: EU directive 1999/44/EC

      All very well, but do we need foreigners offering us protection ?

      We have taken back control, and Boris's crack intellectual powerhouse of ministers and MPs will take care of us in a world-beating fashion.

      1. hutchism

        Re: EU directive 1999/44/EC

        Can't argue with you there. I'm using pfsense myself.

        However, I'm still not sure whether Netgear not bothering to patch a vuln which likely has little real world application and isn't hitting any devices newer than 5 years old is really something to keep me up at night.

  9. heyrick Silver badge
    FAIL

    Thank you Netgear

    Your courteous display of ethics towards your faulty goods has made me take special note of your company...

    ...as a brand to avoid purchasing.

    1. RM Myers
      FAIL

      Re: Thank you Netgear

      Netgear may not support old kit, but are any of the other vendors of consumer grade routers that much better? I've had 6 different routers over the years, from 5 different vendors, and my current ASUS router has had the longest support of any of them at just over 3 years and counting - not that impressive. The last two before the ASUS, from Linksys and D-Link, didn't get much more than a year of firmware updates. And no I don't believe their routers didn't need updates - they just didn't want to spend the money.

      Consumer routers, and internet-of-shit-things is just a disaster in the making.

      1. John Miles

        Re: ASUS router

        I have an ASUS RT-N66U which I brought back in July 2013 (I think had been out a year or so) and the ASUS webpage lists latest firmware as of June 2020 - it is now being used in media bridge mode as I have upgraded to a tri-band AX router where it was dropping out (mainly I think due to other routers close by)

      2. Claverhouse Silver badge

        Re: Thank you Netgear

        Billion do seem to offer updates with appliances past their EOL.

        Quite popular in Australia; and generally well made. Also expensive.

        .

        Even if a model is EOL (End Of Life) we will support where we can, however for older models where Billion HQ is no longer producing firmware we can only support to the same level that HQ supports us.

        https://forum.billion.uk.com/viewtopic.php?t=11136

        .

        Weirdly, that randomly found thread started off with a user slagging Netgear...

        .

        Billion for whatever other issues they have, are one company that do supply firmware updates across there whole range of routers. So even for products already long EOL they can still add firmware updates.

        Apple are also another company that do update all products that match a series.

        For instance all the N wireless routers.. will have firmware updates right across the board. Not that they are necessarily a great idea.. 7.6.3 newly released update, (and the previous 7.6.2 which disappeared super fast so the series now jumps that version) have more bugs than the average insect zoo.

        https://forums.whirlpool.net.au/archive/2055342

        .

        .

        I like Billion.

    2. J. Cook Silver badge
      Go

      Re: Thank you Netgear

      Yep. They cranked out a model of their Nighthawk X6S for one of the warehouse club chains, the model R7960P. Apparently, a large number of these have a problem where they don't actually save their configuration properly, so when the power is removed from the device, it resets back to factory. Netgear's official response was "pay us XX for a support ticket, and we'll RMA it with another unit that may or may not have the same exact problem". And while I could take it back to the warehouse club to RMA it there, (this particular chain has a fairly generous returns policy!), it was easier for me to just buy something else that was DD-WRT compatible (a TP-Link AC1750, which has a 'beta' firmware on DDWRT that seems to work just fine.)

      Linksys was crap since cisco bought them, although I will state that I have a stack of D-WRT'd WRT-54G/GL routers that work rather well, despite being very obsolete. (which was the primary driving force behind getting something that supported both 2.4 and 5Ghz radios and was a little more modern.)

  10. steamnut

    Not just Netgear

    Yes, Netgear are being naughty but what about all of these so-called "smart Home" devices? They too need updating from time to time.

    What is worse, is the fact that a lot of them use a closed cloud provided by the manufacturer and, when the manufacturer decides to force an upgrade / move on / go bust / get taken over, then the, usually dumb, users are left with non-working systems and more land-fill.

    We are sleep walking into a real problem for consumers and there must be stiff and enforceable legislation to stop this happening.

  11. Graham 32

    Can this be exploited from the WAN side or just the LAN? If it's only the LAN side then you'll need a malicious device on the network and that depends on how secure your stuff is. If you keep away from IoT junk and don't try to download a whole app store then you might be ok. Less diligent family members will increase the risk. If it can be exploited on the WAN side then let the router meet the bin ASAP.

    1. Anonymous Coward
      Anonymous Coward

      Zap

      Browser + Javascript = Malicious device , with you supplying the electricity.

      1. DS999 Silver badge

        Re: Zap

        While it is "security through obscurity" I'm wiling to bet that 90%+ of such automated Javascript attacks could be foiled by using an address other than 192.168.1.1 for your router.

    2. doublelayer Silver badge

      From the reports, it sounds like it's only LAN-accessible unless the user has done something really stupid. Still, there are too many ways of getting LAN access and too many worrisome ways of exploiting root access to the network device, so it's still important.

  12. Steve Davies 3 Silver badge
    Mushroom

    Where are the class actions?

    This sort of behaviour is normally guaranteed to start several class actions.

    Otherwise.... Netgear can go suck this [see icon]

  13. Duncan Macdonald
    FAIL

    Netgear used to have a good reputation

    Many years back I used Netgear switches at work - they were cheap and reliable and robust. I have since recommended their products to others as devices that work reliably. It unfortunately seems that the current management has decided that it is not worth spending money to keep a good reputation. With this move it becomes clear that they are now no better than "no name" Chinese firms.

    1. Dvon of Edzore

      Re: Netgear used to have a good reputation

      Yes, and it's still one of the few reasonably-priced vendors I can install in USA businesses, because Netgear is one of the very few who perform Dept. of Labor mandated safety tests, getting the UL, ETL, TuV, or other government-approved 'Listed' marking. I'd love to use any number of other vendors but they just aren't compliant with the law. If D-Link can certify a $15 dumb switch, why can't $Highly-Reviewed-Vendor do the same for a $500 smart switch?

  14. Anonymous Coward
    Anonymous Coward

    What about the nightmare of configuring current hardware?

    - http://jeramiah.net/2014/01/it-doesnt-matter-what-you-think-setting-up-the-linksys-ea6900/

    *

    There are REAL problems with Linksys routers. My experience with the EA7500 was exactly as described above.

    *

    In summary, the ONLY EASY way to configure was to set up a customer account on a Linksys server, so that the customer (and also Linksys) could manage the router from anywhere in the universe.

    *

    The alternative was a NIGHTMARE....see the link above for details of the nightmare.

    *

    My solution -- hit the factory reset button and give the EA7500 to the local charity shop.

    1. EnviableOne

      Re: What about the nightmare of configuring current hardware?

      the problem is that Cisco sold the Lnksys consumer kit to Belkin....

      they kept the small business stuff and it was rapidly improving.

  15. DMcDonnell

    Re-branded WGR614 units

    The WGR614 (various versions) have been widely re-branded

    Comcast is one major ISP supplying them to their customers.

    1. NetBlackOps

      Re: Re-branded WGR614 units

      Surprised? Nope.

  16. Dwarf

    And they wonder why open source matters

    +1 for any form of open source firmware on such devices. dd-wrt, OpenWRT / LEDE all work well.

    At least the community cares about longer-term than the corporate view of "did I sell a unit to some sucker", "how can I minimise the ongoing support cost" along with "fuck the planet, sell them a new one next year when they realise that this one is crap"

    The initial install of any open source firmware on such devices may take a bit of effort, but short, medium and long term, you are better off with ongoing maintained firmware and generally a far better feature set than the brain-dead firmware for Mr average with "Can I watch Netflix and porn"

    The big challenge is how to take people that don't understand even the basics (like how to plug it in or update firmware) and explain why this is in their own interests.

    What is interesting though is how those that have experienced the open source firmware are always happy with the result and will often share a bottle of wine or two whilst you configure it all up and explain the concepts to them and I know from experience that many remember some of the important bits from their informal training.

    1. Anonymous Coward
      Anonymous Coward

      Re: And they wonder why open source matters

      Yup, you will always get the optimum configuration if you do it after chugging back a couple of bottles of wine.

    2. heyrick Silver badge

      Re: And they wonder why open source matters

      "sell them a new one next year when they realise that this one is crap"

      I wonder how many times they can pull that before the average person wises up and chooses a different brand?

      [don't hit reply, it's a rhetorical question with a likely very depressing answer]

      1. mego

        Re: And they wonder why open source matters

        I don't think you're wrong, I just wouldn't expect small home-grade devices over a decade old (which the couple samples I took from the list are) would be supportable. I don't like Netgear, as they tend to be cheap on features and quality, but this seems to be a bit too much to expect.

      2. BitEagle

        Re: And they wonder why open source matters

        As it's an industry-wide approach, with few honourable exceptions, there's no net loss to them - any customers they lose will be replaced by those fleeing from other vendors.

  17. Bob Dunlop

    WNR3500Lv1 works with OpenWRT

    Been using a couple for seems like 10 years, First with Tomato then DD-WRT, LEDE and now OpenWRT.

    Software has evolved over time, now use a locally compiled snapshot with custom (stripped down) config.

    I know their limitations and how to side step issues in the upgrade but starting afresh I wouldn't start from here.

  18. mego

    I took a sample from the list...

    and the majority of these are many years old - some over 12 years. Are you really griping about ancient devices not being supportable with new code?

    1. mego

      Re: I took a sample from the list...

      I'm truly curious about what's disagreeable; surely you don't expect +10 year old cheap home-grade equipment to still be able to be patched?

  19. crowbuddy

    The best router is ...

    The best router is a separate computer that runs OpenBSD. OpenBSD has exceptionally good support and the included PF firewall is just perfect.

    Also, the included unbound caching dns resolver is very nice.

    All you need is a separate computer, motherboard and memory and small ssd. I use ssh to log into mine for configuration, update issues. No keyboard or monitor required for normal use. Doesn't have to be big but it is nice if it has built in video on the processor. AMD 3400G is overkill but an excellent choice, I didn't want an intel anymore (gag). Also, a 2 port network card is required obviously. The intel one works very well.

    I used to use linksys wrt64gl as a router but is long since out of date. The successors don't compare to the openbsd setup for reliability and performance.

    1. NetBlackOps

      Re: The best router is ...

      Serve The Home is running a series evaluating microboxen that you can find cheap as refurbs.

    2. jtaylor

      Re: The best router is ...

      I like OpenBSD as much as anyone, but it requires a bit of skill and knowledge to set up and use. Patching is difficult. That's a very different market from Netgear home routers.

      A separate PC with multiple NICs is not strictly necessary. I've done the "router on a stick" thing with multiple interfaces that share a single Ethernet port. I've even run an OpenBSD firewall as a VM. Okay, I wouldn't run a business through that, but again look at the audience. It's not a bad way to get started.

  20. sysconfig

    The headline should read...

    If you knowingly own any Netgear device, replace it.

    Sorry feeling a bit snarky, but if a manufacturer knows of a flaw and chooses to shrug it off, they should only be spoken to in the one single language they understand: money, or lack thereof.

  21. razorfishsl

    Netgear= western equivalent of Asian TP-Link....

  22. Stuart Halliday

    It would help enormously if product Reviewers asked this support question during the review.

    Might make the manufacturers take it seriously.

    1. 9Rune5

      Alternatively: One of us should collate this information and create a --it list of vulnerable and unsupported devices, grouped by manufacturer. (and reviewers could then consult this list and say a few words about what the consumer can expect)

      OTOH. I do not care if some 10BASE2 gear from the 90s no longer receives any security updates. Then again, OEMs ought to publish sufficient information so that the open source community can have a fighting chance of providing support should the need arise.

  23. hutchism

    Http Wan...?

    Does anyone actually have their router portals open on the wan side? Is this even a risk on a consumer level device?

    Seems like anyone who may be at risk here has probably got way bigger issues on their network and most likely will never care.

    1. jtaylor

      Re: Http Wan...?

      Does anyone actually have their router portals open on the wan side? Is this even a risk on a consumer level device? [They have] probably got way bigger issues on their network.

      This can be exploited by a malicious web site sending javascript to a web browser. We could debate whether web browsers are a "big issue," but it's a common one.

  24. John Geek

    and a week ago I'd just dug up my old WNDR3700v3 to use as an extra WAP to provide coverage for the north end of my rather long and linear house...

    .... so as of a couple hours ago, its running OpenWrt 19.07.3

    Speaking of annoying Netgear features, the same 'model' WNDR3700 could have any of 3 or 4 different chipsets depending on the version. v1, v2 were Atheros, V3 is Broadcom, V4 is a different Atheros, and V5 is a MediaTek. *yuck*.

  25. George Spiggott

    Age old maxim applies, if it's connected to the Internet then it's vulnerable, patched or not.

  26. DownUndaRob

    Certificate issue

    Is it just my Firefox that tags the kb link with an insecure certificate?

  27. Anonymous Coward
    Anonymous Coward

    Some of those devices are well over 10 years old, warranty is 1 or 2 years. No surprise they aren't being patched, technology has improved dramatically, if you still have one of those old devices install DD-WRT on it or buy a more modern device!

    This particular bug is a beatup anyway, its only an issue if you turn on Remote Management in the Web GUI, which probably almost no one does!

    1. NetBlackOps

      You'd be surprised what people activate, or perhaps not, thinking it's a good idea at the time.

  28. tcmonkey

    For those looking for ways out of the traditional consumer grade modem game, these have recently become more widely available https://www.proscend.com/en/product/180-T.html

    Given that they're apparently just a media converter, I'm not even sure if they have a CPU, let alone firmware. Certainly a huge reduction on attack and maintenance surfaces at any rate.

    There's also this, but it's really just a conventional modem on a card so has some disadvantages https://www.draytek.com.au/products/adsl-vdsl-modem-routers/vigornic-132f/

    Neither of these are any use in securing your Aunt Mabel of course, but for the more technically inclined of us they represent a viable alternative to ISP supplied tat.

  29. Anonymous Coward
    Flame

    Dick move there, Netgear!

    Yes, some of these routers are very old, and if it is more than 4 or 5 years since they were being sold, I can understand not offering new patches. But as El Reg states in the story, some of these can be bought in the marketplace right now.

    Remind me to not buy Netgear's gear.

  30. The Dogs Meevonks Silver badge

    Time to change the law

    It's about time that the laws were changed to 'force' companies to address critical flaws that can compromise peoples hardware... regardless of the so called 'support window'. Security is not something that can be tossed aside because it's 'inconvenient to profit margins'...

    Or how about fines for each device that is found to have a critical security flaw.... and by each device... I mean every single one they sell. 20% of the retail cost per device if it's not patched within 30-60 days of them being notified of it.

    Of course it will never happen... if you can't get the companies that make these devices to take security seriously... how the fuck can you ever expect your average muppet on the street too.

  31. Anonymous Coward
    Anonymous Coward

    Meh!

    In 2014 I was working in the UK when I got a phone call from my ISP. It turns out my consumer wireless router was spewing spam.

    (It was 2:00 am in the UK) I called, told my wife to unplug it. When I came back to the states for my break, I had purchased a Meraki which was already sitting there. I set it up and never looked back.

    Is it overkill for the average home? Maybe.

    However in times like this (COVID-19) where working from home is becoming the norm... the commercial grade products make more sense. (Especially since we do all sorts of things online these days)

    You pay a subscription fee... but lets face it... you probably spend more money in a pub over a month.

  32. BGatez

    yet another wtf moment in tech - anyone enjoying those "lifetime" warranties?

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like