Netgear Exploit Found in 31 Models Lets Hackers Turn Your Router Into a Botnet (thenextweb.com)

← Back to Stories (view on slashdot.org)

Netgear Exploit Found in 31 Models Lets Hackers Turn Your Router Into a Botnet (thenextweb.com)

Posted by msmash on Tuesday January 31, 2017 @02:40AM from the security-woes dept.

An anonymous reader shares a report: You might want to upgrade the firmware of your router if it happens to sport the Netgear brand. Researchers have discovered a severe security hole that potentially puts hundreds of thousands of Netgear devices at risk. Disclosed by cybersecurity firm Trustwave, the vulnerability essentially allows attackers to exploit the router's password recovery system to bypass authentication and hijack admin credentials, giving them full access to the device and its settings. What is particularly alarming is that the bug affects at least 31 different Netgear models, with the total magnitude of the vulnerability potentially leaving over a million users open to attacks. Even more unsettling is the fact that affected devices could in certain cases be breached remotely. As Trustwave researcher Simon Kenin explains, any router that has the remote management option switched on is ultimately vulnerable to hacks.

57 comments

Min score:

Reason:

Sort:

The end of Netgear? by Futurepower(R) · 2017-01-31 02:47 · Score: 2, Informative

My extensive post to a previous story about Netgear, hoping to help Netgear improve: The end of Netgear?
1. Re:The end of Netgear? by Anonymous Coward · 2017-01-31 03:05 · Score: 0
  
  The end of Netgear should have come from the moment this deliberate backdoor story broke out (the story is also linked from Netgear's wikipedia page).
  I'm not sure any of the alternatives are much better than Netgear, but I haven't seen anything so bad among the competition. What do you think of the alternatives?
2. Re:The end of Netgear? by thomn8r · 2017-01-31 03:37 · Score: 1
  
  The story about netgear vulnerabilities broke last year (and I had read your post on them - thanks!) so why is this getting posting again to /.?
3. Re:The end of Netgear? by Anonymous Coward · 2017-01-31 03:54 · Score: 0
  
  Because there's *another* vulnerability, so you need to update *again*. How hard is that to understand?
4. Re:The end of Netgear? by Joce640k · 2017-01-31 04:07 · Score: 1
  
  Why would a consumer-grade router even have remote-admin?
  And why on earth would it be enabled by default?
  If it was a car they'd be forcing a recall.
  
  --
  No sig today...
5. Re:The end of Netgear? by Cronq · 2017-01-31 04:12 · Score: 2
  
  CVE-2017-5521 is a new problem unfortunately.
6. Re:The end of Netgear? by Anonymous Coward · 2017-01-31 07:46 · Score: 0
  
  Why would a consumer-grade router even have remote-admin?
  It's been a pretty standard feature for consumer grade routers for a very long time.
  
  And why on earth would it be enabled by default?
  No idea, normally it's not.
  But I don't buy netgear products for a lot of other reasons already.
7. Re:The end of Netgear? by Kremmy · 2017-01-31 08:28 · Score: 1
  
  Generally when this sort of thing breaks, it keeps breaking for a while. There are a lot of new routers on that list that weren't on it the last time I looked at it. I tell you what, it's not possible to do tech effectively if you filter this stuff as reposts.
ddwrt / openwrt / or some variant by Anonymous Coward · 2017-01-31 02:47 · Score: 0

protect yourself
1. Re:ddwrt / openwrt / or some variant by bobbied · 2017-01-31 03:51 · Score: 2
  
  RGR that... DD-WRT for those who like the common feature set, flashy GUI and their hardware is supported and OpenWRT for the rest of us control freaks... Use them both.
  
  --
  "File to fit, pound to insert, paint to match" - Aircraft Maintenance 101
2. Re:ddwrt / openwrt / or some variant by Woldscum · 2017-01-31 06:19 · Score: 1
  
  RGR that... DD-WRT for those who like the common feature set, flashy GUI and their hardware is supported and OpenWRT for the rest of us control freaks... Use them both.
  The problem is for me on a R7000. DD WRT breaks the USB 3 port and the WAP button. My $50 Canon all in one will only connect to my wireless with WAP. I needed to use the R7000s USB 2 port and set up the printer as a IP network printer. But this killed Airprint and scanner on network. DD WRT will not support the USB 3 port because a custom driver needs to be reverse engineered. Also with DD I have a 150-160M cap on speed on both 5 and 2.4. I have used both Open and DD for years and like them. BUT it does not use the R7000 hardware fully.
3. Re:ddwrt / openwrt / or some variant by EvilSS · 2017-01-31 07:02 · Score: 1
  
  protect yourself
  Yep, running a Netgear Nighthawk but it's been running Tomato Shibby since day one. The feature set is way beyond anything in the stock firmware, and I don't have to worry about Netgear's incompetence.
  
  --
  I browse on +1 so AC's need not respond, I won't see it.
4. Re:ddwrt / openwrt / or some variant by bobbied · 2017-01-31 09:23 · Score: 1
  
  Buy some real router hardware that is supported by DD-WRT or Open-WRT so you have a choice....
  I NEVER buy a router that is not already supported (or likely will be supported) by either of these. My last router was from Linksys and was part of their WRT line so OpenWRT was pretty much a given (being that's what it already runs under the Linksys web GUI anyway). My WRT-3200AN is a good choice if you catch it on sale. It has SATA, USB3 and last I saw the WAP button worked if you needed it too, even on the factory firmware.
  
  --
  "File to fit, pound to insert, paint to match" - Aircraft Maintenance 101
Have we patched the last vulnerability yet? by Anonymous Coward · 2017-01-31 02:50 · Score: 1, Funny

FFS, it wasn't long ago that a basic security vulnerability left 300+ million people vulnerable to attack, simply by hacking their election, both emails and the registration servers, attackers were able to insert in a bright orange trojan into office.
Have we patched that yet? Because an exploit for that is out in the wild wreaking havoc on basic security.
The virus attack package it carries lets an impersonation attack happen, it appears to be a real, except it doesn't obey any laws and seizing control of the network by seeding other devices with trojan rootkits under its control.
The malware originates from known Russian hackers.
1. Re:Have we patched the last vulnerability yet? by Neuroelectronic · 2017-01-31 03:15 · Score: 1
  
  Nice wordcloud bot.
2. Re:Have we patched the last vulnerability yet? by Anonymous Coward · 2017-01-31 05:56 · Score: 0
  
  no no no, it was a was not a hack it was simply an intended firmware update, the previous firmware was broken and cost too much
3. Re:Have we patched the last vulnerability yet? by operator_error · 2017-01-31 10:00 · Score: 1
  
  Why bother with creating effective malware when social engineering can yield far more, while consuming fewer resources?
Botnets of the world by Anonymous Coward · 2017-01-31 02:56 · Score: 0

unite!
What you might want to do by naughtynaughty · 2017-01-31 03:10 · Score: 1

Is stop buying consumer grade WiFi routers that are poorly supported and get a plain access point and stick it behind a real router.
1. Re:What you might want to do by b0bby · 2017-01-31 03:38 · Score: 1
  
  What real router would you advise which is well supported enough that it's trustworthy? I have a Ubiquiti AP which I'm happy with, but I haven't found a good small solid wired router.
  Also, I would say that since the fix has actually been released, these are not "poorly supported". Every router has the potential to need to be updated, the problem comes when you have things like internet connected DVRs which will never get a firmware update. Even better would be an auto-update system for these things since while you and I might update our routers, the vast majority of people will set them up and never look at them again. Of course you and I might not trust such a system...
2. Re:What you might want to do by bobbied · 2017-01-31 04:03 · Score: 5, Informative
  
  Is stop buying consumer grade WiFi routers that are poorly supported and get a plain access point and stick it behind a real router.
  Naw, As an owner of some really nice Cisco routers, stick with the consumer router at home unless you have time to learn how to configure it (or do Cisco work for a living). "Professional" gear isn't worth the trouble or cost for most of us. Not to mention that some of Cisco's offerings are really just their version of a consumer level device (that 500 series) and are pretty hard to configure for normal home use. You can do it (I managed) but it was painful to get all those video applications and games to work as expected.
  I do like your access point BEHIND the router as a separate device, but he security you get is really minimal.
  What you SHOULD do is buy hardware that is supported by DD-WRT or OpenWRT and erase the manufacturers firmware at your first opportunity. If you really want to be secure, buy 2 and set up a DMZ network behind a firewall for all the consumer devices you cannot control (video players for Netflix, home automation devices, cable boxes, ec) and put all your secure stuff behind another NATed subnet with a firewall.
  
  --
  "File to fit, pound to insert, paint to match" - Aircraft Maintenance 101
3. Re:What you might want to do by TheGratefulNet · 2017-01-31 04:13 · Score: 1
  
  mcdebian and linksys - check it out.
  apt-get goodness for the win!
  
  --
  
  --
  "It is now safe to switch off your computer."
4. Re:What you might want to do by Anonymous Coward · 2017-01-31 04:15 · Score: 0
  
  I've largely switched the edge to Fortigate for anything more complex than packet shuffling. Cisco Router -> Fortigate FW -> (largely) Cisco infrastructure. The Fortigates are relatively cheap like something in the 30 - 60 range is fine for small installations and way more throuhput/$ than the ASAs it replaced. It's still a few hundred, but it's damn solid. (I use 90's for the egdes)
5. Re:What you might want to do by m0gely · 2017-01-31 04:20 · Score: 3, Informative
  
  You use Ubiquiti but haven't found a wired only solution? Looked at EdgeRouter? If your AP is UniFi then look at their USG. It's basically the same hardware as the EdgeRouter Lite but running the UniFi software.
6. Re:What you might want to do by b0bby · 2017-01-31 04:38 · Score: 1
  
  I'm happy with my current setup (consumer WiFi router + Ubiquiti AP); I did look at the EdgeRouter but didn't think it would improve my setup enough to bother with it.
  The Ubiquiti routers have been vulnerable to worms in the past too, so it's not like the onumer routers are the only ones with vulnerabilities.
7. Re:What you might want to do by b0bby · 2017-01-31 04:39 · Score: 1
  
  Yeah, I used tomato for a long time, this looks neat too.
8. Re:What you might want to do by darkain · 2017-01-31 04:49 · Score: 2
  
  pfSense. Roll your own. All it takes is any old generic x86 machine with 2 NICs in it at the bare minimum. (dual-port gigabit Intel NICs are like $20 on eBay). Or, you can buy pre-built pfSense boxes. Fast, secure, feature rich, and constantly up-to-date.
9. Re:What you might want to do by darkain · 2017-01-31 04:50 · Score: 1
  
  This is why I prefer pfSense. It has Cisco like features, but with a DD-WRT/OpenWRT like interface. It is the best of both worlds!
10. Re:What you might want to do by The-Ixian · 2017-01-31 05:06 · Score: 2
  
  I have heard that the Ubiquiti Edgerouter is a low cost, fully featured piece of hardware.
  https://www.ubnt.com/edgemax/e...
  Never owned one myself, but a lot of people who listen to Security Now seem to like it.
  
  --
  My eyes reflect the stars and a smile lights up my face.
11. Re:What you might want to do by The-Ixian · 2017-01-31 05:08 · Score: 1
  
  Real weenies write their own iptables rules!
  Of course... I am not a real weenie so I use fwbuilder (https://sourceforge.net/projects/fwbuilder/)
  
  --
  My eyes reflect the stars and a smile lights up my face.
12. Re:What you might want to do by TheGratefulNet · 2017-01-31 05:39 · Score: 1
  
  I gave up on pfsense. it does not fail gracefully. lose power and reboot and eventually you get corrupted boot media. when that happens, remote mgmt task crashes and you have to reinstall.
  too bad. monowall was good but pfsense was horrible for me.
  
  --
  
  --
  "It is now safe to switch off your computer."
13. Re:What you might want to do by T.E.D. · 2017-01-31 06:04 · Score: 1
  
  What if my main concern isn't really "security" on my back end, but not contributing to the botnet problem on the front end?
14. Re:What you might want to do by aaarrrgggh · 2017-01-31 06:13 · Score: 1
  
  Ubiquiti has the EdgeRouter-X ($50), and there is always pfsense/netgate sg-100 ($150). Plenty of reliable, well supported hardware out there.
15. Re:What you might want to do by naughtynaughty · 2017-01-31 08:55 · Score: 1
  
  I solve loss of power issues with a UPS.
  But before I had the UPS I had regular power outages at my OCONUS location and it has rebooted fine every time. Current uptime 110 days with about 4TB of I/O through it. All on a cheap 10W box that cost $120 + a SODIMM and mSATA card. Pairs with another identical box in the US for a full house always on VPN so I can bypass all the geo restrictions.
  Stick my AP and everything else behind it.
  Easy to use, easy to manage.
16. Re:What you might want to do by TechyImmigrant · 2017-01-31 09:09 · Score: 1
  
  >What real router would you advise which is well supported enough that it's trustworthy?
  I use an NUC with Linux and set up routing tables, firewall, a fail2ban listener (so my servers can tell it to do the filtering) and NAT. None of this is hard and step by step instructions are widely available. I added a second ethernet port to the NUC via the M.2 port and a 3d printed base to hold the connector. The router doesn't mess with DNS and all things point to Google's DNS. It's simple and doesn't rely on vendor support beyond Linux and support for that is as good as it gets.
  I use ubiquity APs because they don't suck too much.
  
  --
  I should use this sig to advertise my book ISBN-13 : 978-1501515132.
17. Re:What you might want to do by bobbied · 2017-01-31 09:19 · Score: 1
  
  Run OpenWRT or DD-WRT and don't enable remote management...Like I said... If you want to run Cisco gear, knock yourself out, but it's over priced and over complicated for use at home.
  NEXT!
  
  --
  "File to fit, pound to insert, paint to match" - Aircraft Maintenance 101
18. Re:What you might want to do by antdude · 2017-01-31 10:16 · Score: 1
  
  What are good cheap consumer grade wifi routers that are fully supported then?
  
  --
  Ant(Dude) @ Quality Foraged Links (AQFL.net) & The Ant Farm (antfarm.ma.cx / antfarm.home.dhs.org).
19. Re:What you might want to do by Anonymous Coward · 2017-01-31 12:59 · Score: 0
  
  Perhaps it fails the trustworthy part because of this
  
  CONSENT TO USE OF DATA
  You agree that Ubiquiti may from time to time collect and use device information (such as hardware model, firmware version, device identifiers, device performance information and device operation parameters), collected in a form that does not personally identify you, to facilitate the provision of Ubiquiti Firmware updates, authenticate Ubiquiti products, verify compliance with the terms of this Agreement, and improve Ubiquiti's products and services
20. Re:What you might want to do by AHuxley · 2017-01-31 14:10 · Score: 1
  
  Get more OS brands and AV firms to offer something like Avast 2015 new feature: Home Network Security scanning (4 November 2014)
  https://blog.avast.com/2014/11...
  Find any device that responds to a list of well understood admin/passwords settings.
  That won't help with all device issues but it might help a bit.
  
  --
  Domestic spying is now "Benign Information Gathering"
Out of the box configuration by davidwr · 2017-01-31 03:11 · Score: 1

Consumer routers should either require setup prior to use, with "remote access" off by default.
In the alternative, they should be pre-configured with remote access off and local access turned off unless the user presses a button on the router shortly before logging into the router from the LAN side - something akin to the "WPS" push-button-to-connect-to-WiFi setup. The latter is needed to prevent malware from silently logging into the router with default credentials.

--
Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
1. Re:Out of the box configuration by Anonymous Coward · 2017-01-31 03:18 · Score: 1
  
  Spectacular idea! The only bad thing is the cost of the extra support personnel to man the phone lines when people don't bother to read the detailed instructions on how you've obfuscated what used to be a straightforward task will be coming from your paycheck. Sorry. But great idea!
2. Re:Out of the box configuration by Neuronwelder · 2017-01-31 03:33 · Score: 1
  
  I'm all for buttons. They keep people who should not be there, out!
3. Re:Out of the box configuration by drinkypoo · 2017-01-31 03:35 · Score: 5, Insightful
  
  Consumer routers should either require setup prior to use, with "remote access" off by default.
  I have literally never seen a consumer router which has remote management turned on by default, neither with the original firmware nor community firmware. I am willing to believe that they exist, but I've even owned two or three Netgear APs and none of them had remote management activated by default either. Especially now that so many devices have an easy setup button, most people probably never actually go into their router config after following the included instructions to change the network name and maybe the channel.
  
  --
  "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
4. Re:Out of the box configuration by b0bby · 2017-01-31 03:41 · Score: 1
  
  Almost all (including these Netgears) ship with remote access off by default. This isn't going to be a huge problem for most people who won't have turned that on unless they have malware already on their systems which could exploit this locally.
5. Re:Out of the box configuration by JustNiz · 2017-01-31 04:39 · Score: 1
  
  The button thing is a great idea, at least until the router no longer has a default admin password. Alternatively it could require a usb memory stick with a "token" on it to be inserted in the router. You would get the token when you register the device on the manufaturers website.
6. Re:Out of the box configuration by Anonymous Coward · 2017-01-31 06:47 · Score: 0
  
  Yes, this is why you never turn remote access on.
  Duh!
7. Re:Out of the box configuration by Anonymous Coward · 2017-01-31 12:27 · Score: 0
  
  Some ISP provided routers have remote access turned on so the ISP can mess around with it.
Have Netgear router... by Anonymous Coward · 2017-01-31 03:50 · Score: 0

Just updated. Thanks for the heads up, Slashdot!
Switch to turris omnia router by Cronq · 2017-01-31 04:10 · Score: 2

Switched from netgear to turris omnia. Netgear firmware and the way they "support" it is a big joke (broken version released; reverting versions; no real testing etc).
So now happy turris omnia router user.
Ubiquiti by zerofoo · 2017-01-31 05:26 · Score: 1

Cheap - easy - reliable - secure. This is what most home users should run.
Their Amplifi line looks fantastic for most home use.
Wow Rick by Anonymous Coward · 2017-01-31 05:27 · Score: 0

Can you imagine that? A whole botnet in my router! What'll they think of next?
Asus routers? by Futurepower(R) · 2017-01-31 06:18 · Score: 1

"I'm not sure any of the alternatives are much better than Netgear..."

Someone told me Asus routers are better. I looked and they do seem good.
ransomeware by Anonymous Coward · 2017-01-31 06:20 · Score: 0

+32K for keys + incidentals like $$?? to hire someone to recover deleted backups, + $$?? to hire another company just to help with terabytes of Exchange emails + $$?? OT pay, as 2 weeks later company is still working to get customers back to where they were before it happened. oh my
Another misleading "fact" from slashdot. by Anonymous Coward · 2017-01-31 07:14 · Score: 0

No, your family router is safe if you practice safe computing. But if your silly enough to turn on remote management on your router than you might be open for a surprise. Why do people do this? I haven't a clue. I set my router up to allow me to do what I need to do remotely and leave it be. Set up your port forwarding, and what ever before you leave the house and be smart.
Don't be a MILLENNIAL!!
While the remote management feature is disabled by default in most devices, the firm has found more than 10 thousand affected routers, but the actual number could be “over a million.”
upgrade firmware using wireless by Anonymous Coward · 2017-01-31 08:15 · Score: 0

Do not upgrade the firmware using a wireless connection. Please perform firmware upgrade with "wired" or Ethernet connection only
Ehhhh, I'm sure wireless will be fine..................
LOST CARRIER
Looks like tomato shitty to me by Anonymous Coward · 2017-02-01 02:44 · Score: 0

Saw your post history. Apk blew you away on it and adblock you stupidly use many times https://it.slashdot.org/comments.pl?sid=10172213&cid=53779741/ , https://it.slashdot.org/comments.pl?sid=10172213&cid=53778293/ , https://it.slashdot.org/comments.pl?sid=10172213&cid=53757739/ , https://it.slashdot.org/comments.pl?sid=10172213&cid=53775319/ You ran after that first link, libeled apk out of frustration at your ignorance and failures. Adblock's crippled by default. Hosts do more for lots less. You depend on a single point of failure in routers. They're known to have security issues galore, cost more, have layered filtering drivers overhead in their firewallware, can't block dns threats hosts do (neither can adblock), burn more power creating higher bills and can't store as many protective entries or do speeding up ones avoiding dns security issues too. Bolt on more illogic logic inefficiency and insecurity is you to a tee. I worry about your incompetence.
not a big deal by Anonymous Coward · 2017-02-02 02:47 · Score: 0

So this isn't exploitable if remote administration is turned off? It's turned off on my netgear by default, so i doubt this is as bad as everyone thinks.