Slashdot Mirror


Flaw In Netgear Wi-Fi Routers Exposes Admin Password, WLAN Details

An anonymous reader writes A number of Netgear home wireless routers sport a vulnerability that can be misused by unauthenticated attackers [here's the report at seclists.org] to obtain the administrator password, device serial number, WLAN details, and various details regarding clients connected to the device, claims systems/network engineer Peter Adkins. The vulnerability is found in the embedded SOAP service, which is a service that interacts with the Netgear Genie application that allows users to control (change WLAN credentials, SSIDs, parental control settings, etc.) their routers via their smartphones or computers.

57 comments

  1. Why would any novice by invictusvoyd · · Score: 5, Informative

    want to "remote manage" their home router? It's inherently dangerous. Someday we'll have a hardened DD-WRT for all major routers, easy enough to be used by anyone. Most of the firmware shipped by manufacturers is closed and is generally of low quality.

    1. Re:Why would any novice by drinkypoo · · Score: 3, Informative

      Isn't it easy enough to use dd-wrt or openwrt? I find the hard part to be installing it, if like me you try to install on random yard sale routers. I have a high success rate, but it has wasted a lot of time.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    2. Re:Why would any novice by imatter · · Score: 2

      This is exactly what a novice might want to do, because they don't fully understand it.

    3. Re:Why would any novice by courtarro · · Score: 5, Interesting

      I love DD-WRT and have used it for years, but I get the impression it's a fragile project. The bulk of the work seems to rest on the shoulders of one or two people who only have so much time. I have always preferred Netgear's hardware with DD-WRT on top of it, but Netgear's latest product line (which has a TON of different router models ... way too many, IMO) has only partial support from the DD-WRT project. Netgear's fanciest two routers, the R7500 and R8000, aren't yet supported. All we can do is sit and beg Brainslayer or Kong to spend time on them, but they've got a lot of irons in the fire.

      I really wish Netgear would just give up on Genie and pay DD-WRT to support development and license it as their official firmware. Rebrand it or something if you want, but give us the power of a real firmware. I've used Genie lately on the R6100 and found it quite frustrating for anything fancier than a typical home wifi router use case. Security bugs like this only prove that they're failing to get it right on their own.

      It makes sense that Cisco doesn't want their Linksys-branded routers to be too powerful, since it might hurt sales of fancier Cisco stuff, but what's Netgear's excuse?

    4. Re:Why would any novice by cant_get_a_good_nick · · Score: 2

      The second you say "firmware" or even worse "tftp" you've lost +99.9% of people out there.

    5. Re:Why would any novice by wierd_w · · Score: 1

      One reason might be to manage which ports are forwarded, when not on-site.

      Say the noobie is running a game host, or some other daemonized process, but hasn't figured out that he needs to keep those devices on static IPs inside his private network for ease of management. As a consequence, his game server might suddenly stop responding to remote requests, because the NAT table is pointing to an IP that the device no longer owns.

      Granted, this is a stretch. The noobie should have a remote management host inside his private network on a static IP that he can use to manage his devices with using a secure tunnel. But then again, this is a noobie.

      Device makers like Netgear tailor their devices toward "end users", not site maintainers or administrators. Whenever possible, I always ditch the consumer grade firmware on such devices for ones that aren't made of string and baling wire, and which don't feel like I am wearing mittens when configuring them. Things like openwrt.

      There's something to be said about having a device that can be managed with a pretty GUI in a fairly painless way, however. Sadly, Netgear and pals often neuter functionality to provide this, and leave the system vulnerable to dangerous exploitation.

    6. Re:Why would any novice by adolf · · Score: 5, Interesting

      DD-WRT seems so splintered: A million different builds, of a million different versions, for a million different things.

      For comparison, Tomato is more monolithic. When a new version is prepared for release, all of the different builds are updated to that version. The builds themselves are genericized as much as possible: All old Broadcom-based MIPS routers (think WRT54G) get the MIPSR1 release, for instance.

      For everything else, there's OpenWRT.

      For my own purposes, I'm sticking with Asus routers. It seems like solid kit, and they sell the same hardware for years and years without the sneakiness that Linksys and Netgear do with routinely completely changing the underlying hardware while keeping the same model number.

      (Oh, and Belkin has owned Linksys for almost 2 years now.)

    7. Re:Why would any novice by Anonymous Coward · · Score: 0

      Anyone have any love for ubiquity routers?

    8. Re:Why would any novice by afidel · · Score: 2

      The fact is, since this is a web vulnerability, it will be exploited by XSS attacks from compromised ad networks and will also be included in many exploit kits. You won't have to have remote management enabled for this to be exploited; it will just make it slightly more difficult if you don't.

      As to DD-WRT, if they supported the OpenDNS family settings with bypass accounts like the stock firmware I'd consider it, but for me it's a killer feature, and MAC based exceptions aren't an answer because we have shared PCs that may be used by both the kids and adults.

      --
      There are 4 boxes to use in the defense of liberty: soap, ballot, jury, ammo. Use in that order. Starting now.
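      The point afidel makes, that a browser on the LAN can be steered into driving the router's web or SOAP admin service even with remote management off, is usually mitigated on the device side with a Host and Origin check. The following is an added example written for this thread; it is not Netgear's code and not part of any comment here. The allowed host names, the `SOAPAction` value and the sample requests are all constructed, and the check is meant to sit in front of, not replace, the service's normal authentication.

```python
"""Minimal same-origin / DNS-rebinding guard for a router's LAN-side admin service.

Added example for this thread (not Netgear's code). Host names, the SOAPAction
value and the sample requests below are constructed for illustration.
"""
from urllib.parse import urlsplit

# Names under which the admin UI legitimately answers (assumed values).
ALLOWED_HOSTS = {"192.168.1.1", "routerlogin.net"}

# A header an HTML form cannot set; a cross-site browser request carrying it
# would first need a CORS preflight, which this service never approves.
REQUIRED_CUSTOM_HEADER = "soapaction"


def check_request(method, headers):
    """Return (allowed, reason) for one request to the admin service.

    headers: dict of header name -> value, any letter case.
    """
    h = {k.lower(): v for k, v in headers.items()}

    # 1. DNS rebinding: the browser resolved an attacker's name to the router's
    #    LAN address, so the Host header is not one of our own names.
    host = h.get("host", "").split(":")[0]
    if host not in ALLOWED_HOSTS:
        return False, "Host header %r is not the router itself" % host

    # 2. Cross-site browser request: modern browsers send Origin on POSTs and
    #    on any cross-origin fetch, so an Origin we do not own is rejected.
    origin = h.get("origin") or h.get("referer")
    if origin is not None:
        ohost = urlsplit(origin).hostname or ""
        if ohost not in ALLOWED_HOSTS:
            return False, "cross-site request from %r" % ohost
        return True, "same-origin browser request"

    # 3. No Origin/Referer at all: a non-browser client such as a phone app.
    #    Accept only if it sets a header that a plain form post cannot.
    if REQUIRED_CUSTOM_HEADER in h:
        return True, "API client with custom header"
    return False, "no Origin and no custom header; cannot prove non-browser"


# Constructed sample requests: (label, method, headers).
SAMPLE_REQUESTS = [
    ("genie-like-app", "POST",
     {"Host": "192.168.1.1", "SOAPAction": "urn:example:DeviceInfo#Get"}),
    ("admin-ui-page", "POST",
     {"Host": "routerlogin.net", "Origin": "http://routerlogin.net"}),
    ("malicious-ad", "POST",
     {"Host": "192.168.1.1", "Origin": "http://ads.example",
      "Referer": "http://ads.example/banner.html"}),
    ("dns-rebinding", "POST",
     {"Host": "evil.example", "SOAPAction": "urn:example:DeviceInfo#Get"}),
    ("bare-form-post", "POST",
     {"Host": "192.168.1.1"}),
]


def evaluate_samples():
    """Run the guard over the constructed requests; returns label -> allowed."""
    return {label: check_request(m, hdrs)[0] for label, m, hdrs in SAMPLE_REQUESTS}


if __name__ == "__main__":
    for label, method, hdrs in SAMPLE_REQUESTS:
        allowed, reason = check_request(method, hdrs)
        print("%-16s %s  (%s)" % (label, "ALLOW" if allowed else "DENY", reason))
```

      Only the app-style request and the admin UI's own page get through; the ad-driven request, the rebinding attempt and an anonymous form post are all refused before any handler runs. Host matching here is exact, so a deployment would list every name and address the UI is served on, including any IPv6 literal.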
    9. Re:Why would any novice by omnichad · · Score: 1

      (Oh, and Belkin has owned Linksys for almost 2 years now.)

      That explains Everything. Well...almost. Linksys had been at Belkin's quality level for a few years before that.

    10. Re:Why would any novice by Que_Ball · · Score: 2, Interesting

      Lots of love.

      But the company has not done themselves any favours in their choices of distribution channels.

      If they want more penetration they need to start pushing product into the mass market distributors like Ingram Micro, Synnex, Tech Data, and D&H.  These are who most of the retailers do 99% of their purchasing through.  That is who they have integrated their point of sale systems with to populate their web stores, and do EDI for inventory management so that's who they tend to deal with when some customer comes and asks for a new product they don't stock yet.  If they have to go push a bunch of paper to get a new distributor account setup it better be a good sized deal.

      So far I just see Ubiquiti dealing with the specialist distributors who deal with wireless radio specialities.  That's not going to get their access points on the shelves of your local computer dealer or the small and medium sized consulting companies who tend to run the IT departments of small businesses where their products really do fit well.

      Ubiquiti is doing a bad job of targeting their channel market from what I can tell. They are designing a product that does away with the complexity of enterprise level equivalents. They don't need dedicated controllers sitting in an enterprise datacentre to run the stuff, but they give a small business many of the same benefits that the enterprise guys sell at half of the enterprise price premium, but the small businesses that really need that stuff are serviced by local computer stores and small consultants who are not always wireless specialists. They are generalists and they deal with the mass market distributors where they can get 99% of their needs filled. So yeah, they buy the Netgear access point or the Asus wireless router that's in stock and they make do with the consumer grade equipment, consumer grade power supply, and get on with it.

    11. Re:Why would any novice by Coren22 · · Score: 2

      I just received two of their APs over the weekend. Unfortunately, one of them fried somehow and won't come on the network anymore. Any idea how I go about getting support? I suppose I could return to Amazon, but I don't feel like that would be appropriate as I do want a replacement, not just a return (as Amazon seems to assume).

      The other AP works perfectly, and was immediately able to replace one of the Netgear routers I was using that never did the job correctly.

      --
      APK likes to ask for responses to the same things over and over. Maybe he just likes the responses?
    12. Re:Why would any novice by Pontiac · · Score: 1

      All the models listed except the WNR2500 are supported by DD-WRT.

      Upgrade people!

      --
      If you think it's expensive to hire a professional to do the job, wait until you hire an amateur. --Red Adair
    13. Re: Why would any novice by adolf · · Score: 1, Flamebait

      Hasn't that always been the case?

      They struck gold with the WRT54G and WRT54GS (I still have a modded GS as a spare). But everything before or since has been garbage.

      Their NICs are garbage, their switches always suck, and their early routers largely didn't route.

      Just sayin'.

    14. Re:Why would any novice by tlhIngan · · Score: 3, Informative

      Netgear's fanciest two routers, the R7500 and R8000, aren't yet supported. All we can do is sit and beg Brainslayer or Kong to spend time on them, but they've got a lot of irons in the fire.

      Well, the R7000 and R8000 are "open routers" per Netgear. The R7500... not so much.

      In fact, the R8000 has a DD-WRT port. As does the R7000.

      And while it takes a bit of hunting, Netgear's source code firmware for those are available as well. (Well, most of it, given the amount of proprietary drivers that are binary only).

      MyOpenRouter is usually where I go first when deciding if there's a particular Netgear router I want. (Netgear runs the site as a central place for all their "open" routers and alternative firmware. At least the routers they officially support as being "open").

    15. Re: Why would any novice by omnichad · · Score: 2

      OK - to be fair, while the WRT54G line was in production, I only used those. Never used anything else until they were done. Once the antenna was built in rather than user-replaceable, that was the beginning of the end.

      I did own a BEFSR41 before that and that was garbage, but I don't think I had even heard of DD-WRT then.

      I've moved on to Asus (and Tomato) for now.

    16. Re: Why would any novice by Anonymous Coward · · Score: 0

      I've had one of these Netgears for about 2 maybe 3 years. Remote management is off out of the box.

    17. Re:Why would any novice by Anonymous Coward · · Score: 0

      They get their router from their ISP, and don't even change any settings.

    18. Re:Why would any novice by drinkypoo · · Score: 1

      For comparison, Tomato is more monolithic.

      It does? There's many different flavors of tomato. That's one of the things that put me off to begin with.

      OpenWRT is like you describe, though. I've just put it on a routerboard rb411 and on a cute little PC (WebDT DT168) and in both cases the documentation is a bit fragmentary so that's annoying, but once installed the experience is much alike and all the wiki pages are under one roof.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    19. Re:Why would any novice by Anonymous Coward · · Score: 0

      Someday we'll have a hardened DD-WRT for all major routers .

      The WNDR4700 comes with OpenWRT. Source is available should you wish to harden it yourself.

    20. Re: Why would any novice by drinkypoo · · Score: 1

      They struck gold with the WRT54G and WRT54GS (I still have a modded GS as a spare).

      You added cooling, right? Forgive me if we discussed this recently and I forgot, ISTR a conversation like that. But I've even done that, albeit half-assedly, and it didn't help. I did make places for the air to come from and go, but I don't know how much air actually flowed across the sinks or if there were other components overheating. I didn't have an IR thermometer then.

      I've had probably a dozen WRT54Gs, some of them GSes, and I think they pretty much suck too. They overheat reliably, that or their wall warts are inadequate. I finally just broke down and put Linux on a PC with a QE PCI card. The only down side is the massive temptation to do more with it than firewalling, to which I have succumbed. I didn't put my storage volume on it, though.

      Their NICs are garbage, their switches always suck, and their early routers largely didn't route.

      Hmm, how early? I mean, the original one did have a bug that could cause that, but let's face it, I've worked at Cisco and I've only ever seen one because TGV had one and they never threw anything away. Therefore, when Cisco bought them it wound up collecting dust in the lab.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    21. Re:Why would any novice by drinkypoo · · Score: 1

      The second you say "firmware" or even worse "tftp" you've lost +99.9% of people out there.

      Right, the install is the hard part. I mean, I just got a DIR-330 at a yard sale. It looks like it's going to be useful to me, but I've got to wire a CA-42 cable up to it. Just getting that part right is tricky enough since there's no standardization to those except at the business end. But if it came with openwrt, or dd-wrt, or tomato, I don't see that being a dealbreaker. Any of those are simple enough to configure, assuming the user is going to change the configuration anyway. I've found luci on openwrt to be really pleasant since chaos creeper.

      Hmm, yeah, about those version names

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    22. Re:Why would any novice by scottbomb · · Score: 1

      My favorite wireless router is the Asus RT-N12. It's got two external antenna ports (SMA-type) and readily runs Tomato. Remote access via https and ssh, not to mention everything else that can be fine-tuned (like RF power output). I wouldn't have it any other way.

    23. Re:Why would any novice by jaminJay · · Score: 1

      I noticed my ISP recently upgraded my router's firmware even though I have kept the remote management feature off...

      --
      Leela: "Is all the work done by children?" Alien: "No, not the whipping."
    24. Re:Why would any novice by Anonymous Coward · · Score: 0

      You might have missed the memo. Cisco sold Linksys to Belkin back in 2013.

      http://www.cisco.com/web/about/ac49/ac0/ac1/ac259/belkin.html

    25. Re:Why would any novice by Anonymous Coward · · Score: 0

      If you're using an off-the-shelf router you probably remote manage yours too, even if from the LAN side.

      The Genie app just allows limited configuration from your phone / iPad / whatever via an app.

    26. Re: Why would any novice by adolf · · Score: 1

      Hmm. You know, I've never had an old, proper WRT54G/S (or the current GL model) die from heat death. I've got dozens of them scattered around. Radios get weak or strange after a while (electron migration or somesuch), and maaaaybe I remember some swollen filter caps on one (which got repaired), but I don't consider any of that heat-death (and it's not like bad caps weren't ridiculously common for a time from almost every manufacturer of almost anything).

      I've had the power supplies dive on me, which is problematic. I find that the old linear supplies are far more reliable than the new switch-mode ones, so I tend to install them with overkill power supplies. (Asus, my current go-to cheap router-wifi-box maker, is no better when it comes to just plain garbage for wall-warts.)

      The modded GS I have, I did attach a heatsink to the CPU because I was overclocking it for fun. But that doesn't count. :)

      By early routers that didn't route, I mean the BEFSR-whatever-it-was style of garbage that reared its ugly head back when I was still using a *nix PC for routing at home. Grossly inadequate and broken, like a SCSI adapter that never quite works right (even with active termination, new cabling, and the goat blood). Or a client of mine that had a fancy metal-boxed Linksys wired router with many ports and some sort of VPN functionality: It was wonky from day 1, from the complaints. I replaced it with a random (but non-Linksys) switch and a WRT54GL running Tomato, and never had to troubleshoot that side of things ever again.

      By switches that suck, I mean blocking 10/100 switches sold for a premium in the day of cheap non-blocking 100mbps with auto MDI/MDI-X. A then-cow-orker bought a bunch of them and scattered them in the field, and they all got replaced with something (anything!) different within a year or two.

  2. To the cloud! by acoustix · · Score: 1

    Once again, "cloud connected" devices are not properly secured.

    Shocker.

    --
    "A plan fiendishly clever in its intricacies"- Homer Simpson
    1. Re:To the cloud! by cant_get_a_good_nick · · Score: 1

      The Internet of rushed to market, horribly secured, never updated, easily pwn3d things.

    2. Re:To the cloud! by afidel · · Score: 1

      Uh, none of the listed models are cloud connected (that's reserved for the WNDR3800).

      --
      There are 4 boxes to use in the defense of liberty: soap, ballot, jury, ammo. Use in that order. Starting now.
    3. Re:To the cloud! by adolf · · Score: 1

      The Internet of rushed to market, horribly secured, never updated, easily pwn3d things.

      Is that a new problem?

      (To answer my own question: No, it's not.)

    4. Re:To the cloud! by gstoddart · · Score: 1

      Of course it's not new ... but every day we see further examples how consumer electronics are pushed out with gaping security holes.

      Until corporations bear some penalty for doing security incompetently, this will continue.

      But what has to happen is actually holding corporations accountable for stuff like that ... instead of a click-through license which says "we make no promises our product doesn't suck or that we're not lying to you".

      Oddly, people seem opposed to corporations being accountable for their actions.

      That's because governments are all being bribed and co-opted by corporations, who wield more power than humans do. Because the modern concept of corporations is horribly broken.

      --
      Lost at C:>. Found at C.
  3. Default password by jfdavis668 · · Score: 5, Insightful

    I am always amazed at the number of times I have logged into wifi access points with the default admin password. I have actually logged in and fixed businesses' configuration errors. If we can't even get people to change the password, all the rest of the security is useless.

  4. Is that what /. is using? by XxtraLarGe · · Score: 2

    Did you guys get hacked or what? It seems like this site has been down as much as it has been up lately...

    --
    Taking guns away from the 99% gives the 1% 100% of the power.
    1. Re:Is that what /. is using? by nightsky30 · · Score: 2

      Did you guys get hacked or what? It seems like this site has been down as much as it has been up lately...

      They went to get something to replace the NETGEAR. They'll be back from Walmart shortly.

  5. Assume all proprietary router software compromised by anwyn · · Score: 2, Insightful

    Once and for all: all proprietary router software must be assumed to be compromised. The NSA has been totally committed to ruthless information warfare against the population of the planet. There is no way a corporation can resist them. They consider themselves totally above the law.

    Do not buy a router unless OPENWRT supports it.

    Always overwrite what ever firmware came with the router with a new install of free software.

    The days when Joe Sixpack can just buy a router and plug it in are over! You must do this.

    Security experts need to take a close look at the uboot software commonly used to install alternate firmware. And check if the NSA has hacked that up as well.

  6. Re:Assume all proprietary router software compromi by wierd_w · · Score: 3, Interesting

    Most consumer device deployments of uboot have a short (3 second) window in which they look for a tftp server broadcasting an update. This is very useful for developers of openwrt and pals, because it allows them to push a test image to the device's memory and boot on it.

    However, it could also be used as an attack vector against home grade routers, if the NSA had a REALLY invested interest in you. Orchestrating a system reboot of your open firmware back to uboot (say, by causing a severe memory corruption event or something similar which panics the kernel, maybe a hidden function in the LAN asic perhaps) followed by tftp of a new compromised image using, say, a compromised windows workstation in the target network to do the serving.

    You would have to completely replace the stock uboot on such routers to remove the small 3 second window.

  7. What about Apple? by willoughby · · Score: 1

    It seems every few months someone discovers a vulnerability in a home router, and some websites even test multiple routers in a security "shoot-out". I've been reading these reports for years, but I've never seen an Apple router mentioned. Are Apple routers that much more secure or does no-one bother to test them?

    1. Re:What about Apple? by Anonymous Coward · · Score: 0

      The Airport Extreme (and Express) are incredibly secure. They auto update nicely and are very stable. Not the most feature filled (anymore sadly).

    2. Re:What about Apple? by Anonymous Coward · · Score: 0

      incredibly secure

      I think that qualifier demands you back this claim with some sort of source..

    3. Re:What about Apple? by fisted · · Score: 2

      They probably aren't relevant (as in widespread) enough to be of real interest.

  8. See the Slashdot monkey have failed ... by Anonymous Coward · · Score: 0

    Once again, Slashdot takes a big outage in the middle of the day.

    Are you guys completely incompetent, or just lazy and reckless?

  9. You call it a flaw, the NSA calls it a feature by WillAffleckUW · · Score: 1

    Based on what my family knows from the intel agencies we worked in, it's a feature.

    What, you thought you lived in a Free Society, with Rights?

    --
    -- Tigger warning: This post may contain tiggers! --
  10. WNR**** Series all Use OpenWRT by Anonymous Coward · · Score: 0

    Uh, folks, most of the Netgear WNR**** series routers DO already use DDWRT/openwrt as the base for the firmware.

    I have a WNR2000v4, and lo and behold, it runs openWRT.

    1. Re:WNR**** Series all Use OpenWRT by bobbied · · Score: 1

      Very true.. They do load their own UI instead of LUCI but it's an older scaled down version of OpenWRT. Most will also let you login using a "secret" handshake packet that turns on ssh I think, so you can login to the console and play around with the thing.

      My 4300 with OpenWRT and the default LUCI install is worlds better though. I get all sorts of cool features that the stock firmware only dreams of. I get 802.11Q VLANs, so I can have multiple wired networks, separate control of the radios where I can create multiple wireless LANs, keep them separated from my wired network, my DMZ and a whole host of really nice to have things. Turns that consumer router into quite the nicely featured router/VPN end point/firewall/fileserver or whatever I need it to be. For that reason I have 2 of them...

      --
      "File to fit, pound to insert, paint to match" - Aircraft Maintenance 101
  11. Here's a flaw... by Anonymous Coward · · Score: 0

    Slashdot still uses http.

    1. Re:Here's a flaw... by denis-The-menace · · Score: 1

      So does Netgear.

      For example, You cannot manage a wndr3800 with HTTPS.
      You must use HTTP ONLY.

      --
      Obama's legacy: (N)othing (S)ecure (A)nywhere and (T)error (S)imulation (A)dministration
  12. Firmware not a priority to dollars by Anonymous Coward · · Score: 2, Interesting

    I think most consumer grade routers are more inclined to be designed for simplicity of setup than security. Even today, a lot of tech challenged consumers find setting up a router challenging. But most router makers at least default to a secure wireless connection. Although plenty of end users never bother to change the administrative password. Unfortunately security is not just about device makers taking steps. But rather the end user becoming smarter about how they should protect themselves. I think consumers have used the tactic of just adding another weak layer of software security in the form of a firewall or an anti-virus program.
    This most likely helps a singular device, but does nothing to help that big open door called the internet which is always on. I don't think people realize how that always on access can mean a lot of access to someone like a hacker.

  13. not a flaw by Anonymous Coward · · Score: 0

    'works as intended'

    sincerely,
    your favorite tla

  14. Re:Assume all proprietary router software compromi by bobbied · · Score: 1

    Usually the only network interface UBoot is configured to use is on the local network side, on a wired interface and the IP address used is non-routable. You are not getting your alternate firmware loaded without being physically present with the router, connected by a wire, so some external party isn't going to compromise your router this way...

    --
    "File to fit, pound to insert, paint to match" - Aircraft Maintenance 101
  15. Re:Assume all proprietary router software compromi by drinkypoo · · Score: 1

    You would have to completely replace the stock uboot on such routers to remove the small 3 second window.

    There are replacement uboots for many devices. I'm not up on which routers have 'em. I replaced the uboot on my pogoplugs to make them better debian hosts. I may even start using the net booting feature.

    --
    "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
  16. Wireless Disabled by DERoss · · Score: 1

    I have a Netgear N300 Wireless Router Model WNR2000v2. I have no WiFi devices.

    In the router manager Web pages, I unchecked the checkboxes for "Enable Wireless Router Radio" and "Turn Remote Management On". I also unchecked all of the checkboxes under "Guest Network Settings", "Wireless Settings", and "Wireless Repeating Function". The wireless LED indicator on the router is not lighted.

    Therefore, I expect this is not a problem for me.

    1. Re:Wireless Disabled by Anonymous Coward · · Score: 0

      and the world cares... why?

  17. Don't you love NETGEAR support? by ConstantineM · · Score: 1

    Don't you love the professionalism and issue escalation of the NETGEAR support team? Shows that we, the mere mortals, are not alone here at all!

    If even the security research guy can't get them to stop sitting on their arses, what the mere mortals without such pressing issues are left to do when they encounter the various bugs here and there?

  18. Which means if they powned a machine on your LAN.. by Ungrounded+Lightning · · Score: 1

    Usually the only network interface UBoot is configured to use is on the local network side, on a wired interface and the IP address used is non-routable.

    Which means if they compromised a machine on your LAN you're hosed. They now have your router firmware firmly under their control.

    Who needs an intercept in the ISP, lawful or otherwise, when they can have your router send them copies of whatever they want. (Not to mention using it to attack any other devices behind it and cooperate with malware on them.)

    --
    Bantam Dominique roosters crow a four-note song. Once you've heard it as "Happy BIRTHday" you can't NOT hear it that way
  19. Re:Which means if they powned a machine on your LA by bobbied · · Score: 1

    If they have a compromised machine on your network, you are hosed in more ways than them being able to change your router firmware. I think the biggest risk at that point is someplace else...

    --
    "File to fit, pound to insert, paint to match" - Aircraft Maintenance 101
  20. "Incredible" seems about right. by Ungrounded+Lightning · · Score: 1

    incredibly secure

    I think that qualifier demands you back this claim with some sort of source..

    Nah. Just use the literal meaning of "incredible". B-)

    --
    Bantam Dominique roosters crow a four-note song. Once you've heard it as "Happy BIRTHday" you can't NOT hear it that way