Ouch!
How much code do they replicate from device to device, or do they write unique bad code for each one? I want network device code to be better than what I write as it is exposed to the world.
Netgear has patched serious security vulnerabilities in its DGN2200v1 network router, following the discovery of "very odd behaviour" by a Microsoft security research team - a somewhat understated way of saying that attackers can gain "complete control over the router." Unveiled by the company at the Consumer Electronics Show …
They may have improved since then.
I bought one of their routers. The specs were impressive, reviews found the performance was impressive.
Once I had the thing, I found two issues.
Firstly, and this unlike the second issue is rather nebulous, I've a lot of experience with large bodies of unmaintainable C code and the UI to configure the device *totally* gave me that vibe. The options, the ways things were arranged, interacted - it did not feel good.
Secondly, and this to me was the give-away, upgrading the firmware wiped all the settings, *and it was not possible to load saved settings from a previous version of the firmware*.
Settings should of course be saved in something like XML or what-have-you, and you can then load them, parse them, and get as much sane information from them as you can. Not being able to do so means settings were being saved as a binary blob, which combined with my bad feelings about the whole thing in the first place. It also meant upgrading the firmware then involved 15 minutes of configuration work (there were a lot of options).
Over the years since then I've noticed quite a few stories of the most basic security blunders, although in fairness you can say that pretty much about all router vendors.
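The point above about settings being parseable across firmware versions, worked through as an added example that is not from this thread or from Netgear: a hypothetical XML backup format (`<settings version="N"><option name="...">value</option>...</settings>`, an assumption of this example) is imported against a whitelist of known options, each with its own validator. Known options with sane values are kept, renamed options are mapped forward, unknown or malformed entries are dropped and reported, and a cross-option check refuses to enable remote administration without a validated port. The option names and the sample backup are constructed for the example.

```python
"""Version-tolerant import of a router settings backup.

Added example, not vendor code. The backup format and option names are
assumptions of this example. Because a backup file is user-supplied input,
everything in it is treated as untrusted and checked against a whitelist.
"""
import ipaddress
import xml.etree.ElementTree as ET  # for real uploads, prefer defusedxml


# Per-option validators: each returns the normalised value or raises ValueError.
def _ipv4(v):
    ipaddress.IPv4Address(v)  # AddressValueError is a ValueError subclass
    return v


def _bool(v):
    if v not in ("0", "1"):
        raise ValueError(v)
    return v


def _ssid(v):
    if not 1 <= len(v.encode()) <= 32:
        raise ValueError("ssid length")
    return v


def _port(v):
    n = int(v)
    if not 1 <= n <= 65535:
        raise ValueError(v)
    return str(n)


# Whitelist of options the current firmware understands (constructed names).
KNOWN_OPTIONS = {
    "lan.ip": _ipv4,
    "lan.dhcp_enabled": _bool,
    "wifi.ssid": _ssid,
    "wifi.wpa2_only": _bool,
    "remote_admin.enabled": _bool,
    "remote_admin.port": _port,
}

# Options renamed between firmware versions: old name -> current name.
RENAMED = {"wlan.ssid": "wifi.ssid"}

# Secure defaults applied when the backup carries no value for the option.
DEFAULTS = {"remote_admin.enabled": "0", "wifi.wpa2_only": "1"}


def import_settings(xml_text):
    """Return (accepted, rejected): a dict of validated options and a list of
    (option name, reason) pairs for everything that was not taken over."""
    root = ET.fromstring(xml_text)
    if root.tag != "settings":
        raise ValueError("not a settings document")
    accepted = dict(DEFAULTS)
    rejected = []
    for opt in root.findall("option"):
        name = RENAMED.get(opt.get("name", ""), opt.get("name", ""))
        validator = KNOWN_OPTIONS.get(name)
        if validator is None:
            rejected.append((name, "unknown option"))
            continue
        try:
            accepted[name] = validator((opt.text or "").strip())
        except ValueError as exc:
            rejected.append((name, f"invalid value: {exc}"))
    # Cross-option sanity: never enable remote admin without a validated port.
    if accepted.get("remote_admin.enabled") == "1" and "remote_admin.port" not in accepted:
        accepted["remote_admin.enabled"] = "0"
        rejected.append(("remote_admin.enabled", "disabled: no valid port"))
    return accepted, rejected


# Constructed sample: a backup from an older firmware with one renamed option,
# one out-of-range value and one option the current firmware no longer knows.
OLD_BACKUP = """<settings version="1">
  <option name="lan.ip">192.168.0.1</option>
  <option name="wlan.ssid">home-net</option>
  <option name="remote_admin.enabled">1</option>
  <option name="remote_admin.port">99999</option>
  <option name="legacy.upnp_hack">yes</option>
</settings>"""

if __name__ == "__main__":
    kept, dropped = import_settings(OLD_BACKUP)
    for k, v in sorted(kept.items()):
        print(f"kept     {k} = {v}")
    for name, why in dropped:
        print(f"dropped  {name}: {why}")
```

The importer never rejects a whole backup because one entry is bad; it salvages what validates and tells the user exactly what it could not take over, which is the behaviour the post is asking for. The `RENAMED` table is where a vendor would carry forward options whose names changed between releases.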
Malformed self-signed certificates, unsecured RMIs, telnet backdoors, trivial DoS by hitting high resource URLs, and a customer support team that will "pass your information on" and never call back. I threw out all of my managed Netgear equipment around 2010 because it was clear that Netgear should not be making network gear. Yeah, the products feel like they're decades of old code duct-taped together and maintained by short-term contractors.
Similar bad experiences with Netgear, but with one exception - their unmanaged switches, aka the little blue metal boxes. I never think twice about lobbing one into the mix and probably have 3 dotted around the house currently. In 20 years I've had one fail - and technically it was the PSU/wall-wart that gave up. In fact they're so ubiquitous, it took me ages to realise what had failed.
I too have given Netgear a miss for quite a while now. They used to make some OK kit, but I had two (different model) ADSL routers in quick succession with the same problem of WiFi stopping working... and then magically springing into life when a wired device switched on.
Their support wasn't great. I ended up talking to someone who said it was a known bug and I should apply a certain version of firmware. The catch was that was for a US device and I had a UK device. When I pointed that out his tune changed and it was as if the previous exchange didn't happen. The router went back for a refund and I ended up with a Linksys. That sucked too, but at least the WiFi worked.
"in fairness you can say that pretty much about all router vendors"
I tend to agree, but over the past 3-4 years I've been using Fritz equipment at home and I'm quite impressed. Not perfect, but settings are in XML at least and you don't lose them when you upgrade firmware, and there are typically one or two firmware updates a year. Old kit is also well supported with updates.
D-Link, Netgear, it doesn't matter; they are all unfit for purpose. Home routers are like home AV software. Sad thing is that the small office crap is also terrible, but also paradoxically 4x as expensive.
The whole market segment is ripe for a pitch invasion. It's gotten bad enough that people have started building their own out of an SFF PC that has more than one network port. Most will run circles around the consumer gear too, and can auto update themselves to boot.
Their higher end stuff is no better. I'm no security researcher but even I figured out how to get root access through their telnet interface on the SRX5308 a few years back. It was enough to allow me to flash OpenWRT onto it, despite not being supported by the distro at all, though I never did get the weird network hardware working properly. I was going to report the issue but I realised they'd already fixed it in a subsequent firmware update, probably only by accident though, as they'd changed much of the software stack.