Slashdot Mirror


Flaw In Netgear Wi-Fi Routers Exposes Admin Password, WLAN Details

An anonymous reader writes: A number of Netgear home wireless routers sport a vulnerability that can be misused by unauthenticated attackers [here's the report at seclists.org] to obtain the administrator password, device serial number, WLAN details, and various details regarding clients connected to the device, claims systems/network engineer Peter Adkins. The vulnerability is found in the embedded SOAP service, which is a service that interacts with the Netgear Genie application that allows users to control (change WLAN credentials, SSIDs, parental control settings, etc.) their routers via their smartphones or computers.

2 of 57 comments

  1. Default password by jfdavis668 · Score: 5, Insightful

    I am always amazed at the number of times I have logged into wifi access points with the default admin password. I have actually logged in and fixed businesses' configuration errors. If we can't even get people to change the password, all the rest of the security is useless.

  2. Assume all proprietary router software compromised by anwyn · Score: 2, Insightful

    Once and for all: all proprietary router software must be assumed to be compromised. The NSA has been totally committed to ruthless information warfare against the population of the planet. There is no way a corporation can resist them. They consider themselves totally above the law.

    Do not buy a router unless OPENWRT supports it.

    Always overwrite whatever firmware came with the router with a new install of free software.

    The days when Joe Sixpack can just buy a router and plug it in are over! You must do this.

    Security experts need to take a close look at uboot software commonly used to install alternate firmware. And check if NSA has hacked that up as well.