back to article Netgear router admin hole is WIDE OPEN, but DON'T you dare go in, warns infosec bod

Netgear has promised to release a patch next month to fix a recently discovered vulnerability that lets attackers take control of unguarded kit. Security flaws in the firmware that ships with the latest versions of Netgear's WNDR3700 wireless router mean that miscreants can bypass authentication before accessing the …

COMMENTS

This topic is closed for new posts.
  1. Destroy All Monsters Silver badge
    FAIL

    Gear failure.

    This is 2013. Such things cannot be tolerated. This is on the level of suddenly exploding car tyres. Which should prompt a recall.

  2. Anonymous Coward
    Anonymous Coward

    Netgear - such a wonderful company

    These routers can save their config but it is encrypted. Older ones could save it in human readable form but these new ones... Not a chance.

    I asked them for a utility to 'unscramble' the config data but they said it was proprietary. It is my router and my data in it not yours. ergo, never buy this shite.

    Wonderful Company - my arse.

  3. Anonymous Coward
    Anonymous Coward

    Let me guess, Netgear is a US company?

  4. asdf

    Easy solution

    Stock firmware is almost always garbage on home routers. Want to make this problem go away then check out the link below. There are other excellent choices but this is probably the friendliest for non geeky types.

    http://www.gargoyle-router.com/

    1. asdf

      Re: Easy solution

      Actually my bad. Gargoyle only support WNDR3700v1 and v2 and not v4 which thought the model name stays the same the chipset is totally different (stupid netgear). Looks like have to go with dd-wrt if you have version 4. The first thing you should always do before buying a router is verify there is open source firmware available for the model you are buying.

      http://www.dd-wrt.com/wiki/index.php/Netgear_WNDR3700

  5. chris lively

    Not surprised

    Home / small business networking kit is crap.

    It boggles the mind how bad the coding is on most of these devices. Meanwhile it is a rare day when these manufacturers actually ship an update to fix problems. They put together a product slap it in a pretty box then sell it for about a year or so before retiring it for a new model. In that time they *might* ship a single update.

    You know why Apple kicked the crap out of other phone manufacturers? Simple: their iStuff mostly worked, the only options dealt with capacity, then it was updated time and time again. Simple customer service

    The networking industry is ripe for a company to do the same thing: make it easy to setup and be secure. Instead they are stuck on "product differentiation" using terms the vast majority of the public has no clue to the meaning. Guess what: Nokia pulled that garbage and where are they now? Certainly not in my hands nor anyone else I know.

    1. phuzz Silver badge

      Re: Not surprised

      Draytek make good kit for the small office market, and they release regular firmware updates even for their older kit.

      Mind you, they are pricier than an el cheapo netgear router, but you do get what you pay for...

      (I don't work for Draytek, but I've used a lot of their kit and generally enjoyed the experience)

  6. John Smith 19 Gold badge
    Thumb Down

    Bad form.

    Title says it all.

  7. Frances Banana
    Thumb Down

    NetGarbage

    That's a pretty nice "deadline" they set for such a failure ;) As it was mentioned before - NetGear isn't really a quality/design master. All ADSL routers & modems I had from them were overheating. Their ReadyNASes are hanging up. After 3 failures in a row I decided to put them on a no-shopping list. That was a good choice back then ;)

    1. justincormack

      Re: NetGarbage

      Some of their stuff is ok if you install openwrt on it - which they support, which is nice.

      1. GBE

        Re: NetGarbage

        I second the endorsement of openwrt -- on whatever hardware you can find that will run it. For the past handful of years, I've been running it on Netgear and Buffalo WAP/routers. Before that I ran it on Linksys hardware for several years.

        1. asdf

          Re: NetGarbage

          Yeah vanilla openwrt has come a long with luci (GUI) so they are a good general solution now. Their GUI used to be so slow as to be masturbating with a cheese grater painful to use. I know real greeks use the command line only but not everyone likes spending hours futzing with tc qos rule scripts in vi.

  8. Nya
    Joke

    Secure option

    Last week D-Link, now it's Netgear. Is the only secure option available these days Huaweu?!

    1. Velv
      Joke

      Re: Secure option

      Not quite sure why you used the joke icon - at least with Huawei kit you'll know its so well coded against detectable faults that the only back door belongs to the Chinese government

  9. Brian Miller
    FAIL

    But DARPA is going to rescue us!!

    Didn't anybody check out the DARPA challenge? Yes, the future will be secure!

    BWAHAHAHAHAHAHAHAHAHAHAHA!!!!

    Go for it, DARPA! Fix that firmware! Yeah! It's the stinking network that's the bug!!! How do you create a work-around when the router is garbage?

    DARPA says: CHECK ENGINE

    Oh, all right, back to tin cans and string, and IP over pigeon.

    1. Anonymous Coward
      Facepalm

      Re: But DARPA is going to rescue us!!

      On a previous "How to protect your stuff from the NSA" thread, I jokingly referred to the foundation of a new ISP (International Secure Pigeon) industry. Maybe I was on to something?

      I'll start running a geno-typed secure pigeon service out of my garage. The goal will be to put other garage-founded data comms players out of business. Ironic considering they were founded to put such crude data transmission methods out of business. I guess we're coming full circle.

  10. Version 1.0 Silver badge

    Muppets

    You buy kit from a vendor and you BELIEVE them when they say it's secure? You connect said kit to the network and let ANYONE from outside at it's interface? You deserve what you get.

    If you MUST have admin access from outside the network then you NEVER go straight into the kit interface - you always tunnel though something that you trust and that logs everything.

    1. Charles 9

      Re: Muppets

      "If you MUST have admin access from outside the network then you NEVER go straight into the kit interface - you always tunnel though something that you trust and that logs everything."

      Would if I could, but IF a router has a VPN server built in (basically, cheap ones don't--not enough memory), it's almost always a bridging one (TAP mode). Unfortunately, Android's VPN client only supports tunneling (TUN mode).

      1. Velv

        Re: Muppets

        "Cheap" is a relative term. If you're only prepared to pay £20 then don't expect much. But there are plenty "good" routers for <£100 that allow you to install open source firmware, or offer decent VPN options.

        Is your security really only worth £20

  11. Prndll

    "A malicious DNS server could be configured, exposing users to web browser exploits."

    I just thought this was interesting considering that the vast majority of users will end up using their ISP's DNS servers as default without ever thinking about it.

    or

    is this only to be seen as an issue if the user selects a questionable system?

    How much do you trust your ISP?

    1. Mephistro

      " the vast majority of users will end up using their ISP's DNS servers as default without ever thinking about it."

      Sorry to disagree, but a rooted router can easily include software to spoof-redirect external DNS servers to wherever the miscreants please.

      How much do you trust your ISP?

      Not a single atom, not a single bit. But I reckon that, for their own good, ISPs will try to keep good defences so criminally-minded 'independent' hackers don't pwn the ISP's systems.

      The question of ISPs deep inspecting our data and selling them to marketing companies and intelligence agencies is a different matter, and is being discussed a lot these days. :-(

      1. Prndll

        "Sorry to disagree, but a rooted router can easily include software to spoof-redirect external DNS servers to wherever the miscreants please."

        You disagree that most people use their ISP's DNS as a default without thinking about?

        interesting

        I have no doubt that a rooted router could be given redirect instructions. My thinking is more in the other direction. A backdoor into your network.....

        1. Mephistro

          "You disagree that most people use their ISP's DNS as a default without thinking about?"

          Obviously not.

          From your original comment:

          "A malicious DNS server could be configured, exposing users to web browser exploits."

          I just thought this was interesting considering that the vast majority of users will end up using their ISP's DNS servers as default without ever thinking about it.

          I read that paragraph in your comment as if you were stating that users using their ISP's DNS servers would be safe from this. If that wasn't what you meant, please clarify.

          1. Prndll

            I'm not saying that ISP's DNS servers are safe at all.

            I'm actually saying that they are not safe and I'm also suggesting that people (in general) wake up and smell the coffee. It's becoming more and more important that people NOT just blow these things off anymore. Those that will not learn something about these machines will end up getting eatin' alive by them (at the behest of an unseen authority).

  12. ecofeco Silver badge
    Facepalm

    Wait, let me guess

    admin

    admin123

    Again?

    Or maybe this one was the "admin" - "password" one I was thinking of last week.

    And have you heard the IZON camera telnet vuln, yet?

  13. Anonymous Coward
    Anonymous Coward

    Remote Management

    Does this issue only apply to v4 or all the 3700 models?

    Surely all one has to do to secure the router is to turn off remote management and have decent admin and wifi passwords. Or am I being too trusting?

  14. berserko1

    SOHO = Garbage

    I gave up on this SOHO garbage years ago when I wasn't cursing dd-wrt for hanging I was doing recovery from backups because its configuration was corrupt. I decided to get a Cisco PIX 515e (can be had for a song on ebay) and recently upgraded to a ASA 5510 and "set it and forgot it" I rebooted the PIX once in in the 3 years I had it in production and haven't needed to bounce the ASA yet. And used Cisco POE powered AP's are worth every penny. I might not have the latest "N" technology but I find my "G" faster than most peoples "N" garbage anyways.

    1. Steven Raith

      Re: SOHO = Garbage

      I tend to agree. I used Netgear stuff for a while but it's stupid UI (Port forwarding? Nah, Firewall, services, create service, apply to Firewall, can't modify it when it's in use etc...) and hardware failings when doing big stuff got on my tits.

      Picked up a Draytek 2830, couldn't be happier with it. Might not be the fastest wireless in the world, but it can handle 100mb WAN throughput, do lots of awesume VPN stuff (proper IPSEC stuff, too) and is - if you're familiar with the terminology - very straightforward to set up and configure.

      Best bit, it's been sitting on my living room floor by the phone point for over two years now, only needs resetting when I make changes to it for major stuff (PPP settings etc).

      It'll be getting replaced with a 2860, which I've used for work, and I'm very, very impressed with.

      Does anyone do prosumer/SMB routers/gateways better than Draytek, assuming you don't want to go firmware fiddling (DDWRT etc)? My mind is open, but I'm struggling to think of anything in the circa £200 range that does more, better...

      Steven "Wants to have Drayteks babies' Raith.

    2. Tridac

      Re: SOHO = Garbage

      Yes, older cisco stuff like the 515 is cheap on ebay, but the reason is that the asdm gui interface is really hard work and primitive. If you want a reliable and inuitive open source firewall router, try pfSense, a freeBSD effort. Have tried probably all the o/s router projects over the last 10 years or so, but pfsense just gets the job done and has configuration options covering just about every need. You can also install the snort package and all the tables, which gives you dpi that works for free. Coincidentally, cisco have just bought out the rights to snort, or similar, so perhaps not such a bad choice. Compared with the Cisco's Asdm, setup is a breeze and you can have something functional in less than an hour. You probably won't need to read the manual at all, other than for the more arcane details.

      The only problem with building your own router is that older low consumption P3 and celeron class machines are all getting a bit long in the tooth now. The only way to get reliable and cheap hardware is via P4 or later class machines, but they do draw a lot of power. Solution here was to replace the (socket 478) 3GHz cpu with the 1.6GHZ version, which reduced the power consumption from 90-100w to 40w, with power saving enabled.

      There's good stuff out there, if you are prepared to do a bit of work yourself and learn a lot as well...

  15. batfastad

    LOL @ internet of things

    See title.

  16. batfastad

    WNDR3700v2 owner here...

    And very happy with it... The OpenWRT installation was a breeze! Bought specifically to run OpenWRT and it installs using upgrade firmware page of the Netgear interface.

    1. Hayden Clark Silver badge
      Happy

      Re: WNDR3700v2 owner here...

      When you buy a router to reflash with decent firmware, you only care about hardware and memory size. The TP-Link WR1043ND has 8M of flash and 32M of RAM, plus 3 aerials on it's wireless-N adaptor. 42 quid, and you can them make it do anything. I've got a few TP-Link devices, and they're cheap and reliable. Firmware's sh**e, but I never use it!

  17. Anonymous Coward
    Anonymous Coward

    After buying a ProSafe router of theirs I had to apply a firmware update to resolve an issue with the router. I followed the instructions to the letter and the device ended up bricked, you can use the CLI to get into the router as an Admin but not the web interface. Their replacement warranty doesn't apply if you aren't the original purchaser, even though I provided the receipts they asked for. Gave up with their support in the end and haven't bought any of their devices since. I should have learnt after buying one of their SC-101 storage boxes years ago, it used some junk software RAID that was extremely slow. It went back to the supplier after a day.

    If any one wants a bricked SRXN3205 router... :-))

  18. paulf
    FAIL

    Netgear

    I finally admitted defeat with Netgear when I bought a DGND3700v1 in Dec 2011. The v1 model was 10 months old at that time and it was EOL'd about 1 month after I bought when v2 came out.

    The v1 has lots of ADSL bugs in it which can either not cause problems or cause lots of dropped connections with the dreaded red light lock up (where the firmware just can't be bothered to re-establish the connection, the connection status LED shows constant red, and a power cycle is required). I've been lucky in that it hardly happens to me, but plenty of others have had problems.

    I did get some firmware updates from Netgear support, but they were beta versions (which were never generally released) and they sent them using various dodgy file sharing site that in one case pinged up on my anti-virus software!

    I've had lots of Netgear stuff - my 10 year old DG834Gv2 is still going! Their home 8-port 1Gbs switches work well, and I have four SPARC driven Ready NAS Duo v1 boxes (all rock solid and still getting updates 3-years after I bought). But not any more. Netgear you've caught the HTC disease - punt new stuff out as often as you can and EOL the previous one with no more support because its 6-months since release.

This topic is closed for new posts.

Other stories you might like