Netgear Exploit Found in 31 Models Lets Hackers Turn Your Router Into a Botnet (thenextweb.com)
An anonymous reader shares a report: You might want to upgrade the firmware of your router if it happens to sport the Netgear brand. Researchers have discovered a severe security hole that potentially puts hundreds of thousands of Netgear devices at risk. Disclosed by cybersecurity firm Trustwave, the vulnerability essentially allows attackers to exploit the router's password recovery system to bypass authentication and hijack admin credentials, giving them full access to the device and its settings. What is particularly alarming is that the bug affects at least 31 different Netgear models, with the total magnitude of the vulnerability potentially leaving over a million users open to attacks. Even more unsettling is the fact that affected devices could in certain cases be breached remotely. As Trustwave researcher Simon Kenin explains, any router that has the remote management option switched on is ultimately vulnerable to hacks.
The end of Netgear? (Score:3, Informative)
Asus routers? (Score:2)
Someone [slashdot.org] told me Asus routers are better. I looked and they do seem good.
Re: (Score:1)
Re: (Score:2)
CVE-2017-5521 is a new problem unfortunately.
Re: (Score:2)
Re: (Score:2)
Why would a consumer-grade router even have remote-admin?
And why on earth would it be enabled by default?
If it was a car they'd be forcing a recall.
Re: (Score:3)
Re: (Score:2)
RGR that... DD-WRT for those who like the common feature set, flashy GUI and their hardware is supported and OpenWRT for the rest of us control freaks... Use them both.
The problem is for me on an R7000. DD-WRT breaks the USB 3 port and the WAP button. My $50 Canon all-in-one will only connect to my wireless with WAP. I needed to use the R7000's USB 2 port and set up the printer as an IP network printer. But this killed AirPrint and the scanner on the network. DD-WRT will not support the USB 3 port because a custom driver needs to be reverse engineered. Also with DD I have a 150-160M cap on speed on both 5 and 2.4. I have used both Open and DD for years and like them. BUT it does not
Re: (Score:2)
Buy some real router hardware that is supported by DD-WRT or Open-WRT so you have a choice....
I NEVER buy a router that is not already supported (or likely will be supported) by either of these. My last router was from Linksys and was part of their WRT line so OpenWRT was pretty much a given (being that's what it already runs under the Linksys web GUI anyway). My WRT-3200AN is a good choice if you catch it on sale. It has SATA, USB3 and last I saw the WAP button worked if you needed it too, even on the fac
Re: (Score:2)
protect yourself
Yep, running a Netgear Nighthawk but it's been running Tomato Shibby since day one. The feature set is way beyond anything in the stock firmware, and I don't have to worry about Netgear's incompetence.
Have we patched the last vulnerability yet? (Score:1, Funny)
FFS, it wasn't long ago that a basic security vulnerability left 300+ million people vulnerable to attack, simply by hacking their election, both emails and the registration servers, attackers were able to insert in a bright orange trojan into office.
Have we patched that yet? Because an exploit for that is out in the wild wreaking havoc on basic security.
The virus attack package it carries lets an impersonation attack happen, it appears to be a real, except it doesn't obey any laws and seizing control of th
Re: (Score:1)
Nice wordcloud bot.
Re: (Score:2)
What you might want to do (Score:2)
Is stop buying consumer grade WiFi routers that are poorly supported and get a plain access point and stick it behind a real router.
Re: (Score:2)
What real router would you advise which is well supported enough that it's trustworthy? I have a Ubiquiti AP which I'm happy with, but I haven't found a good small solid wired router.
Also, I would say that since the fix has actually been released, these are not "poorly supported". Every router has the potential to need to be updated, the problem comes when you have things like internet connected DVRs which will never get a firmware update. Even better would be an auto-update system for these things since wh
Re: (Score:2)
McDebian and Linksys - check it out.
apt-get goodness for the win!
Re: (Score:2)
Yeah, I used tomato for a long time, this looks neat too.
Re: (Score:3, Informative)
Re: (Score:2)
I'm happy with my current setup (consumer WiFi router + Ubiquiti AP); I did look at the EdgeRouter but didn't think it would improve my setup enough to bother with it.
The Ubiquiti routers have been vulnerable to worms in the past too, so it's not like the consumer routers are the only ones with vulnerabilities.
Re: (Score:3)
pfSense. Roll your own. All it takes is any old generic x86 machine with 2 NICs in it at the bare minimum. (dual-port gigabit Intel NICs are like $20 on eBay). Or, you can buy pre-built pfSense boxes. Fast, secure, feature rich, and constantly up-to-date.
Re: (Score:2)
Real weenies write their own iptables rules!
Of course... I am not a real weenie so I use fwbuilder (https://sourceforge.net/projects/fwbuilder/)
Re: (Score:2)
I gave up on pfSense. It does not fail gracefully. Lose power and reboot and eventually you get corrupted boot media. When that happens, the remote mgmt task crashes and you have to reinstall.
Too bad. m0n0wall was good but pfSense was horrible for me.
Re: (Score:2)
I solve loss of power issues with a UPS.
But before I had the UPS I had regular power outages at my OCONUS location and it has rebooted fine every time. Current uptime 110 days with about 4TB of I/O through it. All on a cheap 10W box that cost $120 + a SODIMM and mSATA card. Pairs with another identical box in the US for a full house always on VPN so I can bypass all the geo restrictions.
Stick my AP and everything else behind it.
Easy to use, easy to manage.
Re: (Score:3)
I have heard that the Ubiquiti Edgerouter is a low cost, fully featured piece of hardware.
https://www.ubnt.com/edgemax/e... [ubnt.com]
Never owned one myself, but a lot of people who listen to Security Now seem to like it.
Re: (Score:2)
Re: (Score:2)
>What real router would you advise which is well supported enough that it's trustworthy?
I use a NUC with Linux and set up routing tables, firewall, a fail2ban listener (so my servers can tell it to do the filtering) and NAT. None of this is hard and step-by-step instructions are widely available. I added a second Ethernet port to the NUC via the M.2 port and a 3D-printed base to hold the connector. The router doesn't mess with DNS and all things point to Google's DNS. It's simple and doesn't rely on ven
Re:What you might want to do (Score:5, Informative)
Is stop buying consumer grade WiFi routers that are poorly supported and get a plain access point and stick it behind a real router.
Naw, as an owner of some really nice Cisco routers, stick with the consumer router at home unless you have time to learn how to configure it (or do Cisco work for a living). "Professional" gear isn't worth the trouble or cost for most of us. Not to mention that some of Cisco's offerings are really just their version of a consumer-level device (that 500 series) and are pretty hard to configure for normal home use. You can do it (I managed) but it was painful to get all those video applications and games to work as expected.
I do like your access point BEHIND the router as a separate device, but the security you get is really minimal.
What you SHOULD do is buy hardware that is supported by DD-WRT or OpenWRT and erase the manufacturer's firmware at your first opportunity. If you really want to be secure, buy 2 and set up a DMZ network behind a firewall for all the consumer devices you cannot control (video players for Netflix, home automation devices, cable boxes, etc.) and put all your secure stuff behind another NATed subnet with a firewall.
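The two comments above (the NUC running Linux with routing, firewall, fail2ban hooks and NAT, and the DMZ subnet for consumer devices you cannot control) describe the same basic layout. As an added example that is not any commenter's setup and not code from the thread, here is a minimal iptables/ipset rule set for a Linux box in that role: no admin service reachable from the WAN side at all, a blocklist that a fail2ban-style action can feed, a trusted LAN, and a DMZ subnet that can reach the internet but can never initiate connections into the trusted LAN. The interface names eth0/eth1/eth2, the two subnets and the set name `banned` are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): a Linux home router with a default-deny
# firewall, NAT, a fail2ban-fed blocklist and a segregated DMZ subnet.
# Interface names, subnets and the ipset name are assumptions for illustration.
WAN=${WAN:-eth0}          # upstream / internet
LAN=${LAN:-eth1}          # trusted devices
DMZ=${DMZ:-eth2}          # IoT, cable boxes, media players, other unmanaged gear
LAN_NET=${LAN_NET:-192.168.10.0/24}
DMZ_NET=${DMZ_NET:-192.168.20.0/24}
BANSET=banned             # ipset that fail2ban-style reports add offenders to

# By default every command is printed instead of executed, so the rule set can
# be reviewed (or tested) without root. Set APPLY=1 to really run it.
run() {
    if [ "${APPLY:-0}" = "1" ]; then "$@"; else echo "$*"; fi
}

apply_rules() {
    run sysctl -w net.ipv4.ip_forward=1

    # Start clean and default-deny anything arriving at or crossing the router.
    run iptables -F
    run iptables -t nat -F
    run iptables -P INPUT DROP
    run iptables -P FORWARD DROP
    run iptables -P OUTPUT ACCEPT

    # Blocklist checked before anything else, so even established connections
    # from a banned address are cut. The set is created idempotently.
    run ipset create "$BANSET" hash:ip -exist
    run iptables -A INPUT   -m set --match-set "$BANSET" src -j DROP
    run iptables -A FORWARD -m set --match-set "$BANSET" src -j DROP

    # Loopback, plus replies to connections the router or its clients opened.
    run iptables -A INPUT -i lo -j ACCEPT
    run iptables -A INPUT   -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    run iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

    # Services the router itself offers, per interface. There is deliberately
    # no INPUT rule for $WAN: management simply does not exist from the internet.
    run iptables -A INPUT -i "$LAN" -p tcp --dport 22 -j ACCEPT    # SSH admin, LAN only
    for IF in "$LAN" "$DMZ"; do
        run iptables -A INPUT -i "$IF" -p udp --dport 67 -j ACCEPT  # DHCP
        run iptables -A INPUT -i "$IF" -p udp --dport 53 -j ACCEPT  # DNS
        run iptables -A INPUT -i "$IF" -p tcp --dport 53 -j ACCEPT
    done

    # Forwarding: both subnets may reach the internet, trusted devices may
    # initiate into the DMZ (to talk to a printer or media box), but the DMZ
    # may never initiate into the trusted LAN. The DROP is explicit rather
    # than relying on the chain policy, so it survives a later policy change.
    run iptables -A FORWARD -i "$LAN" -o "$WAN" -s "$LAN_NET" -j ACCEPT
    run iptables -A FORWARD -i "$DMZ" -o "$WAN" -s "$DMZ_NET" -j ACCEPT
    run iptables -A FORWARD -i "$LAN" -o "$DMZ" -j ACCEPT
    run iptables -A FORWARD -i "$DMZ" -o "$LAN" -j DROP

    # NAT everything leaving on the WAN interface.
    run iptables -t nat -A POSTROUTING -o "$WAN" -j MASQUERADE
}

# Hook a fail2ban action on the servers can call (e.g. over SSH) to block an
# address at the router instead of only on the host that saw the abuse.
ban_ip() {
    run ipset add "$BANSET" "$1" -exist
}

apply_rules
```

Run it as `sh firewall.sh` to print the rule set for review, and as `APPLY=1 sh firewall.sh` as root to install it. The ordering matters: the blocklist match sits before the ESTABLISHED,RELATED accept, and the DMZ-to-LAN DROP is listed even though FORWARD's policy is already DROP, so a later "temporary" policy change cannot silently open the trusted subnet to the unmanaged devices.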
Re: (Score:2)
This is why I prefer pfSense. It has Cisco like features, but with a DD-WRT/OpenWRT like interface. It is the best of both worlds!
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
Run OpenWRT or DD-WRT and don't enable remote management...Like I said... If you want to run Cisco gear, knock yourself out, but it's over priced and over complicated for use at home.
NEXT!
Re: (Score:2)
What are good cheap consumer grade wifi routers that are fully supported then?
Re: (Score:2)
https://blog.avast.com/2014/11... [avast.com]
Find any device that responds to a list of well understood admin/passwords settings.
That won't help with all device issues but it might help a bit.
Out of the box configuration (Score:1)
Consumer routers should either require setup prior to use, with "remote access" off by default.
In the alternative, they should be pre-configured with remote access off and local access turned off unless the user presses a button on the router shortly before logging into the router from the LAN side - something akin to the "WPS" push-button-to-connect-to-WiFi setup. The latter is needed to prevent malware from silently logging into the router with default credentials.
Re: (Score:1)
Re: (Score:1)
Re:Out of the box configuration (Score:5, Insightful)
Consumer routers should either require setup prior to use, with "remote access" off by default.
I have literally never seen a consumer router which has remote management turned on by default, neither with the original firmware nor community firmware. I am willing to believe that they exist, but I've even owned two or three Netgear APs and none of them had remote management activated by default either. Especially now that so many devices have an easy setup button, most people probably never actually go into their router config after following the included instructions to change the network name and maybe the channel.
Re: (Score:2)
Almost all (including these Netgears) ship with remote access off by default. This isn't going to be a huge problem for most people who won't have turned that on unless they have malware already on their systems which could exploit this locally.
Re: (Score:2)
The button thing is a great idea, at least until the router no longer has a default admin password. Alternatively it could require a USB memory stick with a "token" on it to be inserted in the router. You would get the token when you register the device on the manufacturer's website.
Switch to turris omnia router (Score:2)
Switched from Netgear to Turris Omnia. Netgear firmware and the way they "support" it is a big joke (broken version released; reverting versions; no real testing etc.).
So now I'm a happy Turris Omnia router user.