Slashdot Mirror


Flaw In Netgear Wi-Fi Routers Exposes Admin Password, WLAN Details

An anonymous reader writes: A number of Netgear home wireless routers sport a vulnerability that can be misused by unauthenticated attackers [here's the report at seclists.org] to obtain the administrator password, device serial number, WLAN details, and various details regarding clients connected to the device, claims systems/network engineer Peter Adkins. The vulnerability is found in the embedded SOAP service, which is a service that interacts with the Netgear Genie application that allows users to control (change WLAN credentials, SSIDs, parental control settings, etc.) their routers via their smartphones or computers.

4 of 57 comments

  1. Why would any novice by invictusvoyd · Score: 5, Informative

    want to "remote manage" their home router? It's inherently dangerous. Someday we'll have a hardened DD-WRT for all major routers, easy enough to be used by anyone. Most of the firmware shipped by manufacturers is closed and is generally of low quality.

    1. Re:Why would any novice by courtarro · Score: 5, Interesting

      I love DD-WRT and have used it for years, but I get the impression it's a fragile project. The bulk of the work seems to rest on the shoulders of one or two people who only have so much time. I have always preferred Netgear's hardware with DD-WRT on top of it, but Netgear's latest product line (which has a TON of different router models ... way too many, IMO) has only partial support from the DD-WRT project. Netgear's fanciest two routers, the R7500 and R8000, aren't yet supported. All we can do is sit and beg Brainslayer or Kong to spend time on them, but they've got a lot of irons in the fire.

      I really wish Netgear would just give up on Genie and pay DD-WRT to support development and license it as their official firmware. Rebrand it or something if you want, but give us the power of a real firmware. I've used Genie lately on the R6100 and found it quite frustrating for anything fancier than a typical home wifi router use case. Security bugs like this only prove that they're failing to get it right on their own.

      It makes sense that Cisco doesn't want their Linksys-branded routers to be too powerful, since it might hurt sales of fancier Cisco stuff, but what's Netgear's excuse?

    2. Re:Why would any novice by adolf · Score: 5, Interesting

      DD-WRT seems so splintered: A million different builds, of a million different versions, for a million different things.

      For comparison, Tomato is more monolithic. When a new version is prepared for release, all of the different builds are updated to that version. The builds themselves are genericized as much as possible: All old Broadcom-based MIPS routers (think WRT54G) get the MIPSR1 release, for instance.

      For everything else, there's OpenWRT.

      For my own purposes, I'm sticking with Asus routers. It seems like solid kit, and they sell the same hardware for years and years without the sneakiness that Linksys and Netgear do with routinely completely changing the underlying hardware while keeping the same model number.

      (Oh, and Belkin has owned Linksys for almost 2 years now.)

  2. Default password by jfdavis668 · Score: 5, Insightful

    I am always amazed at the number of times I have logged into wifi access points with the default admin password. I have actually logged in and fixed businesses' configuration errors. If we can't even get people to change the password, all the rest of the security is useless.