Slashdot Mirror


Netgear Adds Support For "Collecting Analytics Data" To Popular R7000 Router

An anonymous reader writes: Netgear's latest firmware update for the R7000 includes new support for collecting analytics data. The update release notes include this caution:

NOTE: It is strongly recommended that after the firmware is updated to this version, log back in to the router's web GUI and configure the settings for this feature.

An article on Netgear's KB, updated last week, states that Netgear collects information including IP addresses, MAC, certain WiFi information, and information about connected devices.


  1. Wow! by Anonymous Coward · · Score: 5, Insightful

    I guess it is time to switch to a different brand.

    1. Re: Wow! by Z00L00K · · Score: 4, Interesting

      Same here - I'm using a Linux box with iptables to select which traffic that I allow.

      And it even more highlights that using DD-WRT is what you should look into if you want to get some level of security on your wireless.

      --
      If builders built buildings the way programmers wrote programs, then the first woodpecker would destroy civilization.
    2. Re: Wow! by Anonymous Coward · · Score: 1

      There's nil/zero/nada reason for Netgear to be collecting this information. In Europe most of this is flat out illegal.

      I think we're reaching the point of negative value now. Devices seem to do everything *but* the thing printed on the box. Most of the Chinese IoT devices are basically badly coded malware in a single. Remind me how the Internet is enriching our lives again?

    3. Re:Wow! by jazzdude00021 · · Score: 1

      How did an AC get modded insightful with that comment? Especially on this site. Or are there that many people with mod points that don't already know how to switch firmware on their router?

      Seriously, most people here know that stock router firmware sucks. It's not a secret. If you read the linked KB, you'll see Netgear might actually be working to make their hardware/firmware better using this and not just collecting advertising data like the tinfoil hats are suggesting. Working to make a better functioning, more secure product is NOT a bad thing ESPECIALLY in the SOHO router market.

      If you're paranoid, switch to DD-WRT, Open-WRT, Tomato or any other number of alternative firmwares and use the hardware that works for you, whether it be Netgear or even (gasp) Linksys.

    4. Re:Wow! by peawormsworth · · Score: 1

      If you're paranoid, switch to DD-WRT, Open-WRT, Tomato

      This is not paranoid. I have a netgear router and I installed DD-WRT on it. Now I have a router with many features that were not available with the stock software.

      Installing your own software on your router is not paranoid, it is what smart people do because it makes their router work better. Relieving paranoia is a side benefit.

      I should know, I am paranoid. The real thing that relieves paranoia is NOT using a router supplied by your ISP. Connecting an ISP supplied device to your home network is for happy naive people.

  2. This is supposed to be a security device by Anonymous Coward · · Score: 2, Insightful

    And it's leaking the owner's personal information over the internet.

    1. Re:This is supposed to be a security device by Svartalf · · Score: 2, Insightful

      Ah, but most will stupidly agree to it.

      --
      I am not merely a "consumer" or a "taxpayer". I am a Citizen of the State of Texas
  3. Yup by rholtzjr · · Score: 4, Insightful

    Not sure I like the "feature" if it is not configurable to either enable or disable (e.g. opt in/out).

    1. Re:Yup by Z00L00K · · Score: 1

      Since most such "services" are opt-out most people wouldn't understand it and are afraid to disable it. Same with this UPnP service which is a security hole the size of Valles Marineris.

      --
      If builders built buildings the way programmers wrote programs, then the first woodpecker would destroy civilization.
    2. Re:Yup by Anonymous Coward · · Score: 1

      Not sure I like the "feature" if it is not configurable to either enable or disable (e.g. opt in/out).

      Configurability is nothing to do with this. This feature will now be turned on by default at all your friends' houses. It will be turned on at all internet cafes. I guess the only thing that can be said for this is that it reminds us that VPNs are not just for bypassing region limitations and that we should all be using one which guarantees user privacy.

  4. Notgear... by Svartalf · · Score: 4, Insightful

    I'm unsure I even like this "feature" with it being controllable.

    --
    I am not merely a "consumer" or a "taxpayer". I am a Citizen of the State of Texas
    1. Re:Notgear... by rholtzjr · · Score: 1

      Good point

  5. Clarification: Netgear collects your data by the_other_chewey · · Score: 5, Insightful

    It's not made clear at all in TFS, and could be read as if Netgear routers now supported more network stats available to the router's owner.

    That's not it: "Analytics Data" collection is done by Netgear, remotely.

    1. Re:Clarification: Netgear collects your data by GrumpySteen · · Score: 4, Informative

      If you'd clicked on the link, or even hovered over it to see the url, you'd have seen "What router analytics data is collected and how is the data being used by NETGEAR?" which makes it pretty obvious that they're talking about data that's sent to the company.

  6. It's a fad! by Anonymous Coward · · Score: 2, Insightful

    IMHO this shouldn't be more of an outrage than all of the tracking companies involved in collecting user data on various websites, I would dare to say that the biggest online companies make the most of if not all of their revenue selling user data. Not to mention that certain alphabet soup agency affiliate outreach that seems to have had a hand in most of the startup companies from the mid 90's or so.

    I try to avoid using that certain operating system that wants to "get to know me" through online telemetry, voice analysis, typing and inking.
    Though recently I have started to notice that more and more websites require you to log in to even get any sort of access, preferably through Facebook or Twitter. When a popular web-browser all of a sudden asked me to "log in" so I could share my history and bookmarks with more devices and wanted me to download stuff not to my own computer but to their cloud service it just sort of clicked on me. It's a fad!

    If you can make it to the top of the fortune 500 with your only source of revenue being selling user data and telemetry then that's the way that other companies are going to conduct their business. I wouldn't be surprised if you would find the equivalent terms mentioned in the EULA in various fruit or robot associated brands of mobile technology either.

    The question is. If surveillance sells who's buying?

    1. Re:It's a fad! by arth1 · · Score: 4, Insightful

      IMHO this shouldn't be more of an outrage than all of the tracking companies involved in collecting user data on various websites,

      Well, yes, it should. A web site only tracks users who visit it, using web browsers that cooperate.
      A router sees all traffic to and from all addresses for all users.

      The collected data from a router would also be of great help to anyone trying to penetrate the network.

    2. Re:It's a fad! by JaredOfEuropa · · Score: 3

      Also, if some desirable but naughty IoT device* sends my data to the mothership, I can block it at the firewall (i.e. in the router), in fact I make sure that's the default. But if the firewall itself decides to phone home, you're SOL.
      How about a law: collecting data and sending it off-LAN works strictly opt-in only, unless transmitting that data is critical to the advertised functionality of the device or app.

      *) please, no discussions or remarks about how no IoT device could ever be desirable.

      --
      If construction was anything like programming, an incorrectly fitted lock would bring down the entire building...
    3. Re:It's a fad! by Khyber · · Score: 1

      "unless transmitting that data is critical to the advertised functionality of the device or app. "

      In case you haven't paid attention, app makers are already kinda doing that so they can collect data they should not be collecting.

      --
      Still waiting on Serviscope_minor to wake up to fucking reality and realize that Jessica Price isn't going to fuck him.
    4. Re:It's a fad! by Motherfucking+Shit · · Score: 1

      The question is. If surveillance sells who's buying?

      Your insurance company, who'll discover that your wife searched for "breast lump" and then jack up your monthly premiums accordingly, even though it turned out to be nothing.

      Your employer, who wants to clean house of any employees who practice a certain religion, but can't exactly go around asking everyone about it.

      Your employer, who might be interested to know that you subscribe to both Netflix and Hulu; you obviously have too much disposable income, and can be passed over for a raise.

      Your father-in-law, who's never liked you and can't wait to use your porn surfing habits to embarrass you at Thanksgiving dinner this year.

      Your company's competition, who would love to brag about how you visit their website dozens of times a day.

      We haven't even started with the government yet. Get creative. Your enemies are.

      --
      "BSD: Free as in speech. Linux: Free as in beer. Windows 10: Free as in herpes." --Man On Pink Corner in #52607549.
    5. Re:It's a fad! by JaredOfEuropa · · Score: 1

      I'd say blocking core functionality (Netflix and local media) unless you enable data harvesting amounts to the same thing as not allowing customers to opt out.

      --
      If construction was anything like programming, an incorrectly fitted lock would bring down the entire building...
  7. Their answer by markdavis · · Score: 3, Informative

    "What router analytics data is collected and how is the data being used by NETGEAR? Technical data about the functioning and use of our routers and their WiFi network can help us to more quickly isolate and debug general technical issues, improve router features and functionality, and improve the performance and usability of our routers. Such data may include information regarding the router's running status, number of devices connected to the router, types of connections, LAN/WAN status, WiFi bands and channels, IP address, MAC address, serial number, and similar technical data about the use and functioning of the router, as well as its WiFi network."

    1. Re:Their answer by Z00L00K · · Score: 1

      And how is the data transferred? If your ISP does a MITM attack on it then they can see a lot about your local network as well.

      --
      If builders built buildings the way programmers wrote programs, then the first woodpecker would destroy civilization.
    2. Re:Their answer by dknj · · Score: 1

      can still MITM encrypted connections if the router doesn't do certificate verification

      -dk

    3. Re:Their answer by Anonymous Coward · · Score: 1

      The key phrase is "improve router features and functionality". This includes legitimate things such as e.g. malware detection and blocking, which they won't actually get round to and anti-customer "features" like advertising targeting, which, since it pays well, they will get done pretty soon.

  8. Hence my new pet name for them... by Svartalf · · Score: 4, Insightful

    Notgear.

    --
    I am not merely a "consumer" or a "taxpayer". I am a Citizen of the State of Texas
  9. Good idea by 110010001000 · · Score: 4, Interesting

    I had this idea a while back. When you collect analytic data like this and feed it back into a correlation engine you can do analysis and look for things like widespread attacks, malware propagation.

    It would be nice to have an open source answer to this.

  10. You can turn that off by Deadstick · · Score: 1, Informative

    ..and they tell you so in, y'know, the update message.

    1. Re:You can turn that off by cats-paw · · Score: 1

      be sure and check to see if it's really turned off.

      also, bug which keeps it on all the time or exposes a vulnerability when enabled in 3 2 1...

      --
      Absolute statements are never true
    2. Re:You can turn that off by Neuronwelder · · Score: 1

      More than that.. Is it really, really, turned off? After all, they had the guts to do it.

    3. Re:You can turn that off by Deadstick · · Score: 1

      What's the difference between that and any other setting in your router or browser?

    4. Re:You can turn that off by danomac · · Score: 1

      You mean you currently can turn that off. That may not be so true in the future.

    5. Re:You can turn that off by epyT-R · · Score: 1

      That doesn't make it all ok.

  11. Home brew router. by Rockoon · · Score: 1

    I wonder how inexpensive it would be to replace these commercial routers with equivalent home-built ones.

    Re-purposing an old desktop isn't equivalent due to both space and power consumption. A Raspberry Pi although both small and low power, would need to be augmented with significant further hardware in order to perform an equivalent task.

    Throwing an open-source firmware onto a commercial router is a good idea, but in no way really protects you from a hostile hardware maker (or more accurately, a hostile hardware industry.)

    --
    "His name was James Damore."
    1. Re:Home brew router. by Gaygirlie · · Score: 1

      A standard router is better optimized H/W-wise for these tasks, just get one that is supported by OpenWRT and/or LEDE. OpenWRT/LEDE gives you SSH and everything else just as well, if you want that, plus it's actually all optimized for router-use.

    2. Re:Home brew router. by ledow · · Score: 1

      I have run entire schools from a single desktop re-purposed as a router. It easily handled everything necessary, including captive transparent web filter and firewalling.

      There are a number of Mini-ITX and Pico-ITX boards that are packaged in router-like or UTM cases, some with several Ethernet ports on board making them perfect. It's what people like Smoothwall and Watchguard sell as commercial products - Linux or equivalent on a UTM.

      Trying to cobble them together from RPi makes no sense. Connectivity and speed of response (e.g. VPN's) are critical. The more gigabit ports, the better.

      But the best option has always been "just use a PC in some form", even since the days of DOS / floppy disks / 10Base2 networking. Look up Freesco. You used to be able to do more on an old throwaway desktop with two ISA NICs and a live-floppy-disk version of Linux than you could for anywhere near the same kind of price with a dedicated device.

      Even NAS etc. are nothing more than embedded boards that you can buy and build your own Mini-ITX equivalent of, and buy a NAS chassis for it that connects to all the drives as plain SATA. FreeNAS is basically built for that too.

      You buy commercial when you want support warranties and no tinkering. Anything else, you deploy yourself.

      Hell, the primary router/firewall/web filter at my current school is nothing more than a Smoothwall VM running on a Windows hypervisor. The network limits incoming lines to a VLAN, only that VM can talk on that VLAN. And it has several other virtual network interfaces for NATing and connecting to, e.g. telephony networks (QoS'd VLAN), guest wifi networks, printer networks, etc. It all "just works" managing several leased lines, hundreds of users' Internet access, VPNs for all kinds of things, and an entire telephony/SIP network - and apart from a decent switch with VLAN capability, you don't need any specialist hardware at all.

    3. Re:Home brew router. by spire3661 · · Score: 1

      You use x86 itx motherboards with dual NICs. Stuff like this https://www.amazon.com/Intel-F... Actually this isn't equivalent, it destroys any ARM based router in performance and reliability.

      --
      Good-bye
    4. Re: Home brew router. by Lvdata · · Score: 1

      Not sure I'd trust the onboard NICs due to Intel management security holes. The primary Intel NIC is now worthless.

    5. Re:Home brew router. by epyT-R · · Score: 1

      Not if you have gigabit service, esp not if you're using QoS and other filtering.

    6. Re:Home brew router. by Gaygirlie · · Score: 1

      What's stopping you from using QoS and other kinds of filtering-techniques on OpenWRT/LEDE? I use QoS on my router running LEDE without an issue.

    7. Re:Home brew router. by aXis100 · · Score: 1

      I would argue that most home/SOHO routers are not specialized for the task. Many of them have quite underwhelming specs and don't even have full bandwidth access to their own network interfaces. An old PC with PCI network cards is an order of magnitude more capable.

  12. Re:i dont care by Z00L00K · · Score: 2

    You may be in for a nasty surprise.

    --
    If builders built buildings the way programmers wrote programs, then the first woodpecker would destroy civilization.
  13. Avoid the problem by FantyMingo · · Score: 1

    Advanced Tomato works perfectly on my R7000.

  14. Popular R7000 router bundled with malware by WaffleMonster · · Score: 1

    Love this our product contains malware warning message:

    NOTE:It is strongly recommended that after the firmware is updated to this version, log back in to the router's web GUI and configure the settings for this feature.

    Nothing screams we're doing something wrong AND WE KNOW IT than cute little notes like these.

    How much data is sent to Netgear before this malware can possibly be disabled?

    1. Re:Popular R7000 router bundled with malware by sexconker · · Score: 1

      None, if you unplug the WAN link.

  15. Sounds like a good way to fuck yourself Netgear by Khyber · · Score: 5, Interesting

    Where is this traffic being sent, DNS and IP-wise? How is the data configured for their systems?

    Figure these out, and then you could just flood the shit out of their systems with legit-looking bogus data that appears to come from their routers with whatever data you want.

    Bonus points if you use this to gain yourself escalated access inside their own network (which wouldn't surprise me given Netgear's security track record.)

    --
    Still waiting on Serviscope_minor to wake up to fucking reality and realize that Jessica Price isn't going to fuck him.
  16. I have a R7000 by Woldscum · · Score: 1

    I have a R7000 and had DDWRT on it back during the security hole thing. Max speed was 150-160 ish down on lan and Wi-Fi. I have 300/30 net BTW and got only half speed. DDWRT also kills the WAP button on the router. I have a cheap canon all in one printer. That can only connect to a wireless network by WAP. So DDWRT killed my remote network printer. Also DDWRT kills the R7000s USB3 port. The Dev said it is a custom USB3 implementation that DDWRT will never support. So DDWRT will "work" on a R7000. But severely cripples the hardware. I bought the R7000 on launch with the promise of DDWRT support. I am looking into making a cheap low power PFSense box and turning the R7000 into a wi-fi access point. Other than the firmware security holes and now this BS. The hardware has been good.

    1. Re:I have a R7000 by Guyle · · Score: 1

      I think you meant WPA - Wi-Fi Protected Access. It's insecure as hell and should never be used - just Google around and you'll learn why. If that's the only way your printer will connect, get a new printer, or plug it into a cheap PC and share it on your network. You won't get WPA using PFSense anyway. I also don't understand why it's important to have USB 3.0 in a router. If you're wanting to plug in an external hard drive and serve it up as a NAS, the little chip in a router isn't going to be very efficient at distributing that across your network at much higher than USB 2.0 speeds anyway, so IMO it's better to just have a cheap PC serve it up on the network. Hell, Newegg had a basic refurbished PC running on a Celeron with USB 3.0 advertised to me in my email this morning for $90, and even an i3 for $120. Perfect to stick in a corner and have it run basic server tasks for you without running up the light bill, and still cheaper than a lot of fancy ass routers. Sexy? No. Efficient? Yup.

      PFSense is pretty solid, but if you're looking for cheap and low powered but still get serious performance, check out the EdgeRouter Lite. Best decision I ever made. Way more bang for your buck.

    2. Re:I have a R7000 by Guyle · · Score: 1

      ... WPA - Wi-Fi Protected Access.

      Dammit, I meant WPS - Wi-Fi Protected Setup.

    3. Re:I have a R7000 by Woldscum · · Score: 1

      Yea WPS my bad. Don't make excuses for DDWRT. I have used it from the beginning on a 54WRT then a Buffalo Networks N. Also use OpenWRT at work. Fact is DDWRT kills a lot of the functionality of the hardware. I did set the printer up as a TCP/IP network printer using the R7000s USB2. But Win7 and Win10 only will allow generic Canon drivers. Which only prints. It kills the network scanning and most importantly Air Print. It also forces me to move the printer into cable distance of the R7000. With the USB3 it kills it completely. Does not work. With a printer hanging off the USB2 all the ports are used. I have an old laptop HD in a USB3 enclosure that we use as a household drop box on the R7000. A NAS will be overkill. 4 HTPCs, gaming rig, laptop, 2 pads and 3 phones. All of that needs to hit the printer. I have everything in a Windows homegroup. It is a PIA to need to boot everything at the same time to share something. It is just easier to grab it off of the router the next time a HTPC is turned on.

      A low power PC + an Intel PCI nic + PFS is the plan. Then configure the R7000 behind PFS. I want to play with and learn PFS. But that Ubiquiti EdgeRouter Lite looks about perfect. Newegg has it for $92.

    4. Re:I have a R7000 by zOper · · Score: 1

      Sadly, that's the problem with Netgear; the only thing good about the R7000 is (was?) the hardware. Security holes aside, I experienced wifi stability problems with FW 1.05 and 1.06 (I had to downgrade to 1.04 each time). And I was only using it as a WIFI bridge! Ok, I was running stuff that was super sensitive to packet drops but still... I can't imagine how many bugs there were with all the features turned on. The fact that they are now collecting analytics does not surprise me; it is likely that they retained that solution to try to improve the quality of their software.

  17. Never did much care for Netgear by rsilvergun · · Score: 1

    I always found their stuff cheaply made but expensive to buy. But a couple times I've seen something for a really good price and been tempted. Thanks Netgear, for ensuring I'm never tempted to buy anything again.

    --
    Hi! I make Firefox Plug-ins. Check 'em out @ https://addons.mozilla.org/en-US/firefox/addon/youtube-mp3-podcaster/
  18. PfSense by spire3661 · · Score: 1

    Time to build that Pfsense box i have been talking about for years.

    --
    Good-bye
  19. What if I don't ... by CaptainDork · · Score: 1

    ... apply the firmware upgrade?

    I checked my Netgear 7000 and it does have an update.

    As far as I can determine, there's nothing there for ME.

    Also, I don't see any security updates.

    So, maybe I just opt to leave it as-is?

    --
    It little behooves the best of us to comment on the rest of us.
    1. Re:What if I don't ... by CaptainDork · · Score: 1

      Also, my 7000 is behind my new Spectrum (old TWC) Internet modem. Does that layer of insulation protect me at all if I were to allow the firmware upgrade?

      Common sense tells me, "No."

      Thanks.

      --
      It little behooves the best of us to comment on the rest of us.
    2. Re:What if I don't ... by SirAdelaide · · Score: 1

      Never upgrade something that is working.

      (Unless it is a worthwhile security update, obviously)

      --
      I'm a fruit pirate. I bought a watermelon once, and spat the seeds in the back yard. They grew into another watermelon,
    3. Re:What if I don't ... by CaptainDork · · Score: 1

      Thanks.

      I'm a retired IT guy and I knew to check each server (3Com, Novell, Windows NT, Windows 2xxx) and desktop update before application, but I'm weak in router stuff.

      Think I'll pass.

      Again, thanks.

      --
      It little behooves the best of us to comment on the rest of us.
  20. Re:Your ISP will choose it by ooloorie · · Score: 1

    Now that its legal to share your private internet access details in the US,

    It's legal to share your private Internet access details in most countries; in fact, in most countries, it's required when the government asks for them.

  21. Take it to Anchorhead and get its memory erased by hwstar · · Score: 1

    I won't use any router which I can't load third party firmware on. If this router requires the use of stock firmware, then I would not consider purchasing it. There's too many conflicting interests (i.e. ways to please shareholders) getting in the way of privacy these days. If I pay for something, then I want options to retain my privacy.

    1. Re:Take it to Anchorhead and get its memory erased by jazzdude00021 · · Score: 1

      Please someone mod this up to the top comment and leave it there. You've always had 2 choices: 1) Learn to install your own firmware. 2) Take whatever the manufacturer provides. We've known #2 is crap for years, but maybe this time someone is trying to fix that with a little analytics. If you don't like it, see #1. If you can't do #1, buy from someone who can.

  22. I use Tomato firmware, not stock Netgear by krelvin · · Score: 1

    Actually just updated today as the newest firmware was released this week.
    1.28.0000 -3.4-140 K26ARM USB AIO-64K, While there is an option (and has been) to turn on statistics, I have never had it turned on.

    https://advancedtomato.com/dow...

    Works better than stock firmware and dealt with vulnerabilities that the router had with stock firmware long before Netgear caught up.

  23. New business model by volt4ire · · Score: 1

    It's surely no accident that Netgear is releasing this "feature" just 2 months after Congress voted to allow ISPs to sell users' browsing history.