Flaw In Netgear Wi-Fi Routers Exposes Admin Password, WLAN Details
An anonymous reader writes: A number of Netgear home wireless routers sport a vulnerability that can be misused by unauthenticated attackers [here's the report at seclists.org] to obtain the administrator password, device serial number, WLAN details, and various details regarding clients connected to the device, claims systems/network engineer Peter Adkins. The vulnerability is found in the embedded SOAP service, which is a service that interacts with the Netgear Genie application that allows users to control (change WLAN credentials, SSIDs, parental control settings, etc.) their routers via their smartphones or computers.
I love DD-WRT and have used it for years, but I get the impression it's a fragile project. The bulk of the work seems to rest on the shoulders of one or two people who only have so much time. I have always preferred Netgear's hardware with DD-WRT on top of it, but Netgear's latest product line (which has a TON of different router models ... way too many, IMO) has only partial support from the DD-WRT project. Netgear's fanciest two routers, the R7500 and R8000, aren't yet supported. All we can do is sit and beg Brainslayer or Kong to spend time on them, but they've got a lot of irons in the fire.
I really wish Netgear would just give up on Genie and pay DD-WRT to support development and license it as their official firmware. Rebrand it or something if you want, but give us the power of a real firmware. I've used Genie lately on the R6100 and found it quite frustrating for anything fancier than a typical home wifi router use case. Security bugs like this only prove that they're failing to get it right on their own.
It makes sense that Cisco doesn't want their Linksys-branded routers to be too powerful, since it might hurt sales of fancier Cisco stuff, but what's Netgear's excuse?
Most consumer device deployments of uboot have a short (3 second) window in which they look for a tftp server broadcasting an update. This is very useful for developers of openwrt and pals, because it allows them to push a test image to the device's memory and boot on it.
However, it could also be used as an attack vector against home grade routers, if the NSA had a REALLY invested interest in you. Orchestrating a system reboot of your open firmware back to uboot (say, by causing a severe memory corruption event or something similar which panics the kernel -- maybe a hidden function in the LAN ASIC perhaps) followed by tftp of a new compromised image using, say, a compromised Windows workstation in the target network to do the serving.
You would have to completely replace the stock uboot on such routers to remove the small 3 second window.
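The recovery-window mechanism described in the comment above, as an added example that is not code from the commenter, from U-Boot or from OpenWrt: a simulated TFTP write (RFC 1350) of an image into a recovery-mode loader, with both endpoints modelled in-process on constructed byte strings, so nothing touches the network. The `RecoveryLoader` class, its optional `trusted_sha256` pin and the sample image are assumptions for illustration, not how any particular bootloader behaves. The point it makes is that a TFTP write request carries only a filename and a mode; there is no credential for a loader to check, so whatever reaches it during the window gets written unless the loader verifies the image itself.

```python
import hashlib
import struct

OP_WRQ, OP_DATA, OP_ACK = 2, 3, 4
BLOCK_SIZE = 512


def build_wrq(filename, mode="octet"):
    """Write request: opcode 2, filename, NUL, mode, NUL. There is no auth field."""
    return struct.pack("!H", OP_WRQ) + filename.encode() + b"\0" + mode.encode() + b"\0"


def build_data(block, payload):
    return struct.pack("!HH", OP_DATA, block) + payload


def build_ack(block):
    return struct.pack("!HH", OP_ACK, block)


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def parse_packet(pkt):
    """Decode one packet into a dict, rejecting truncated or unsupported opcodes."""
    if len(pkt) < 4:
        raise ValueError("packet too short")
    op = struct.unpack("!H", pkt[:2])[0]
    if op == OP_WRQ:
        fields = pkt[2:].split(b"\0")
        if len(fields) < 3 or fields[-1] != b"":
            raise ValueError("malformed WRQ")
        return {"op": op, "filename": fields[0].decode(), "mode": fields[1].decode()}
    if op in (OP_DATA, OP_ACK):
        out = {"op": op, "block": struct.unpack("!H", pkt[2:4])[0]}
        if op == OP_DATA:
            out["data"] = pkt[4:]
        return out
    raise ValueError("unsupported opcode %d" % op)


class RecoveryLoader:
    """Hypothetical receive side. With trusted_sha256=None it behaves like an
    unauthenticated loader and writes whatever arrives in order; with a pin set
    it refuses any image whose digest does not match (an assumed mitigation)."""

    def __init__(self, trusted_sha256=None):
        self.trusted_sha256 = trusted_sha256
        self.expected_block = 0
        self.buffer = bytearray()
        self.flashed = None      # set once a complete image is accepted
        self.rejected = False

    def handle(self, pkt):
        p = parse_packet(pkt)
        if p["op"] == OP_WRQ:
            self.expected_block, self.buffer = 1, bytearray()
            return build_ack(0)
        if p["op"] == OP_DATA:
            if p["block"] != self.expected_block:
                return build_ack((self.expected_block - 1) & 0xFFFF)  # dup/out of order
            self.buffer.extend(p["data"])
            self.expected_block = (self.expected_block + 1) & 0xFFFF
            if len(p["data"]) < BLOCK_SIZE:  # a short block terminates the transfer
                image = bytes(self.buffer)
                if self.trusted_sha256 is None or sha256_hex(image) == self.trusted_sha256:
                    self.flashed = image
                else:
                    self.rejected = True
            return build_ack(p["block"])
        raise ValueError("loader only accepts WRQ and DATA")


def tftp_put(image, filename, loader):
    """Client side: WRQ, then 512-byte DATA blocks, each sent after the previous ACK.
    Returns the number of DATA packets sent (a multiple-of-512 image needs one extra,
    empty block to signal the end)."""
    if parse_packet(loader.handle(build_wrq(filename))) != {"op": OP_ACK, "block": 0}:
        raise RuntimeError("WRQ not acknowledged")
    sent, block, offset = 0, 1, 0
    while True:
        chunk = image[offset:offset + BLOCK_SIZE]
        reply = parse_packet(loader.handle(build_data(block, chunk)))
        sent += 1
        if reply != {"op": OP_ACK, "block": block}:
            raise RuntimeError("unexpected reply %r" % reply)
        if len(chunk) < BLOCK_SIZE:
            return sent
        offset, block = offset + BLOCK_SIZE, (block + 1) & 0xFFFF


if __name__ == "__main__":
    IMAGE = bytes(range(256)) * 5  # constructed 1280-byte sample, not real firmware
    open_loader = RecoveryLoader()
    print(tftp_put(IMAGE, "firmware.bin", open_loader), open_loader.flashed == IMAGE)
    pinned = RecoveryLoader(trusted_sha256=sha256_hex(b"some-other-image"))
    tftp_put(IMAGE, "firmware.bin", pinned)
    print(pinned.rejected)
```

The open loader accepts the sample image after three DATA packets; the pinned loader completes the same exchange on the wire but refuses to flash, which is the only place in this flow where a check can live, since the transport itself offers none.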
DD-WRT seems so splintered: A million different builds, of a million different versions, for a million different things.
For comparison, Tomato is more monolithic. When a new version is prepared for release, all of the different builds are updated to that version. The builds themselves are genericized as much as possible: All old Broadcom-based MIPS routers (think WRT54G) get the MIPSR1 release, for instance.
For everything else, there's OpenWRT.
For my own purposes, I'm sticking with Asus routers. It seems like solid kit, and they sell the same hardware for years and years without the sneakiness that Linksys and Netgear do with routinely completely changing the underlying hardware while keeping the same model number.
(Oh, and Belkin has owned Linksys for almost 2 years now.)
Lots of love.
But the company has not done themselves any favours in their choices of distribution channels.
If they want more penetration they need to start pushing product into the mass-market distributors like Ingram Micro, Synnex, Tech Data, and D&H. These are who most of the retailers do 99% of their purchasing through. That is who they have integrated their point-of-sale systems with to populate their web stores, and who they do EDI with for inventory management, so that's who they tend to deal with when some customer comes and asks for a new product they don't stock yet. If they have to go push a bunch of paper to get a new distributor account set up, it had better be a good-sized deal.
So far I just see Ubiquiti dealing with the specialist distributors who deal with wireless radio specialities. That's not going to get their access points on the shelves of your local computer dealer or the small- and medium-sized consulting companies who tend to run the IT departments of small businesses where their products really do fit well.
Ubiquiti is doing a bad job of targeting their channel market from what I can tell. They are designing a product that does away with the complexity of enterprise-level equivalents. They don't need dedicated controllers sitting in an enterprise datacentre to run the stuff, but they give a small business many of the same benefits that the enterprise guys sell, at half of the enterprise price premium. But the small businesses that really need that stuff are serviced by local computer stores and small consultants who are not always wireless specialists. They are generalists and they deal with the mass-market distributors where they can get 99% of their needs filled. So yeah, they buy the Netgear access point or the Asus wireless router that's in stock and they make do with the consumer-grade equipment, consumer-grade power supply, and get on with it.
I think most consumer-grade routers are more inclined to be designed for simplicity of setup than security. Even today, a lot of tech-challenged consumers find setting up a router challenging. But most router makers at least default to a secure wireless connection, although plenty of end users never bother to change the administrative password. Unfortunately security is not just about device makers taking steps, but rather the end user becoming smarter about how they should protect themselves. I think consumers have used the tactic of just adding another weak layer of software security in the form of a firewall or an antivirus program.
This most likely helps a singular device, but does nothing to help that big open door called the internet which is always on. I don't think people realize how that always on access can mean a lot of access to someone like a hacker.