Netgear Exploit Found in 31 Models Lets Hackers Turn Your Router Into a Botnet (thenextweb.com)
An anonymous reader shares a report: You might want to upgrade the firmware of your router if it happens to sport the Netgear brand. Researchers have discovered a severe security hole that potentially puts hundreds of thousands of Netgear devices at risk. Disclosed by cybersecurity firm Trustwave, the vulnerability essentially allows attackers to exploit the router's password recovery system to bypass authentication and hijack admin credentials, giving them full access to the device and its settings. What is particularly alarming is that the bug affects at least 31 different Netgear models, with the total magnitude of the vulnerability potentially leaving over a million users open to attacks. Even more unsettling is the fact that affected devices could in certain cases be breached remotely. As Trustwave researcher Simon Kenin explains, any router that has the remote management option switched on is ultimately vulnerable to hacks.
My extensive post to a previous story about Netgear, hoping to help Netgear improve: The end of Netgear?
Consumer routers should either require setup prior to use, with "remote access" off by default.
I have literally never seen a consumer router which has remote management turned on by default, neither with the original firmware nor community firmware. I am willing to believe that they exist, but I've even owned two or three Netgear APs and none of them had remote management activated by default either. Especially now that so many devices have an easy setup button, most people probably never actually go into their router config after following the included instructions to change the network name and maybe the channel.
"You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
RGR that... DD-WRT for those who like the common feature set, flashy GUI and their hardware is supported and OpenWRT for the rest of us control freaks... Use them both.
"File to fit, pound to insert, paint to match" - Aircraft Maintenance 101
Is stop buying consumer grade WiFi routers that are poorly supported and get a plain access point and stick it behind a real router.
Naw, as an owner of some really nice Cisco routers, stick with the consumer router at home unless you have time to learn how to configure it (or do Cisco work for a living). "Professional" gear isn't worth the trouble or cost for most of us. Not to mention that some of Cisco's offerings are really just their version of a consumer level device (that 500 series) and are pretty hard to configure for normal home use. You can do it (I managed) but it was painful to get all those video applications and games to work as expected.
I do like your access point BEHIND the router as a separate device, but the security you get is really minimal.
What you SHOULD do is buy hardware that is supported by DD-WRT or OpenWRT and erase the manufacturer's firmware at your first opportunity. If you really want to be secure, buy 2 and set up a DMZ network behind a firewall for all the consumer devices you cannot control (video players for Netflix, home automation devices, cable boxes, etc.) and put all your secure stuff behind another NATed subnet with a firewall.
"File to fit, pound to insert, paint to match" - Aircraft Maintenance 101
Switched from Netgear to Turris Omnia. Netgear firmware and the way they "support" it is a big joke (broken version released; reverting versions; no real testing etc).
So now happy Turris Omnia router user.
You use Ubiquiti but haven't found a wired only solution? Looked at EdgeRouter? If your AP is UniFi then look at their USG. It's basically the same hardware as the EdgeRouter Lite but running the UniFi software.
pfSense. Roll your own. All it takes is any old generic x86 machine with 2 NICs in it at the bare minimum. (dual-port gigabit Intel NICs are like $20 on eBay). Or, you can buy pre-built pfSense boxes. Fast, secure, feature rich, and constantly up-to-date.
I have heard that the Ubiquiti EdgeRouter is a low cost, fully featured piece of hardware.
https://www.ubnt.com/edgemax/e...
Never owned one myself, but a lot of people who listen to Security Now seem to like it.
My eyes reflect the stars and a smile lights up my face.