Netgear 'fixes' router by adding phone-home features that record your IP and MAC address Netgear NightHawk R7000 users who ran last week's firmware upgrade need to check their settings, because the company added a remote data collection feature to the units. A sharp-eyed user posted the T&Cs change to Slashdot. Netgear lumps the slurp as routine diagnostic data. “Such data may include information regarding the …
I guess that monitoring your "customer's" every damned move is now a case of "Everyone does it because everyone does it".
It's an achievement those router owners even got an update (yes, I know that's not the point). I swore off Netgear several years ago when my top of the range wireless ADSL router (DGND3700v1) was EOL'd 12 months after launch (i.e. 6-9 months after purchase) despite them knowing the firmware was still full of fundamental ADSL breaking bugs. The fixes only went into the v2 hardware. The only reason I got passable performance was because Support sent me three Engineering Beta versions of the firmware which resolved most of the ADSL problems. These updates were never released properly so I can only suspect they were made available on a "Keep people quiet who complain to support" basis but not released generally to ensure most people bought a new one to get the fixes.
I've not touched Netgear since. Their old Sparc based NAS boxes were pretty good (and still getting very occasional updates 5+ years later) but the current stuff is just junk.
@AC "Their old Sparc based NAS boxes... Weren't Netgear - they bought a company called "Infrant" who designed the ReadNAS [sic] product range."
I did hear about that after purchase and it does explain why they're uncharacteristically (for Netgear) well built. That said the boxes I bought had Netgear badges on the front, therefore my original point is technically true (i.e. they're Netgear).
@ Killhippie "Its actually opt in, not opt out, and there are also now options for auto update too., seems it was a slow day."
That just shows the info gathering option set to disabled - it doesn't necessarily confirm it is opt-in or opt-out. Same goes for the auto-update option.
I would.
However I'm waiting for someone to integrate VDSL drivers (lantiq open source) with OpenWRT / LEDE.
Hacking on a device that can only be unbricked by soldering a serial interface is a bit more fannying around than I can be bothered with, so I'll wait for an aussie to do it.
yeah, I'm not too pleased with this. I've been kinda prejudiced against Netgear from my 'smart antenna' days. Their so-called "MIMO" routers (that were multi-antenna G) and some of their other claims were pure ridiculousness and, in many ways, FALSE ADVERTISING.
example, HERE: http://documentation.netgear.com/wpn824v2/enu/202-10122-01/wpn824v2-03-03.html
they made OTHER outrageous claims as well, but that one's pretty obvious. From around 10-12 years ago as I recall.
THAT being said, they have a serious credibility gap with me. I've been going wth DLink instead. Inexpensive and effective.
Technical data about the functioning and use of our routers and their WiFi network can help us to more quickly isolate and debug general technical issues, improve router features and functionality, and improve the performance and usability of our routers. Such data may include information regarding the router’s running status, number of devices connected to the router, types of connections, LAN/WAN status, WiFi bands and channels, IP address, MAC address, serial number, and similar technical data about the use and functioning of the router, as well as its WiFi network.
What is "similar technical data"? I might have a mental image of what "similar technical data" might be, but given that hotchpotch of things listed, some of which are hardly "technical", there is no reason why it should coincide with Netgear's. Why can't they be a lot more specific?
"flogging all the MAC addresses [...] to all the geo-IP companies they can find."
Not much use unless you know the location of the router. Netgear don't. The ISP (probably) does. Likewise, the location of connected devices is only useful if you know that they stay connected at that location, and mostly these days they don't.
"Not much use unless you know the location of the router. Netgear don't. The ISP (probably) does."
It doesn't take much to find out roughly which blocks of IPs the ISP have been assigned for passing to their customers. Given that they know the rought country a router has been sold in by it's internal serial number, match that to local ISPs and you may not know the exact street but I reckon with enough tech sorting and solid DB schema you'll quickly build up enough info to know which town or county a particular router is running in.
@FuzzyWuzzys: That sort of hopeless guesswork is probably why I get geo-IP-ed to Bracknell. Perhaps you live in a country where there are such things as "local ISPs". I can't think of any in the UK.
But the real problem with your algorithm is that is uses existing geo-IP knowledge to locate the router, which makes the information that Netgear have collected utterly worthless to people who do geo-IP, which is what was being suggested.
Some countries, you can get a decent Geo-IP fix from the RTT to known servers. There's a research project based on this that I took part in, and one of the possibilities is confirming a Tor-node is in the country it claims to be.
Trouble is, the UK seems to be wired, via BT, so that everywhere is the same distance from everywhere else. So every ISP's address block is in the same fuzzy 30ms block as everything else, and my RTT to servers in California is little different to what it was on the days of dial-up.
The results I got plotted a circle that was about the same radius as the distance from London to Timbuktu.
This post has been deleted by its author
"Not much use unless you know the location of the router"
Geo IPs will buy data that confirms what they already know if it was collected more recently or helps to build out the picture.
"Netgear don't. The ISP (probably) does"
They may not, but they may as Netgear supply ISPs directly. As would many gov agencies, 'cleared' third parties, even their sub-contractors and in some cases, even lowly employees. None of whom are disclosed and have any onus to take much care with what they use or leave behind.
"the location of connected devices is only useful if you know that they stay connected at that location, and mostly these days they don't"
Not sure how you decided this, sure some people hop address but a lot of people stay connected for weeks/months on end nowadays even if their ISP allocates them a new address every time they re-connect. However a lot of ISPs provide static addresses to a significant proportion of customers, and others provide nothing but static addresses, so their customers NEVER change their address. And then there are all the others that manage to stay within the timeout period of their allocated address and receive the same address each time they re-connect.
As of next week I am going to live on a motorhome and travelling with a dongle. Good luck to anyone trying to work out my Geo-IP address. One week I could be here, another week I could be abroad in England or even in Scotland.
Sometimes I feel we should be swapping phones and routers with people at random.
This post has been deleted by its author
I was stupid enough to purchase the D7000 from Netgear, so I'd already decided to consider all other brands first in the future... This however adds them to the pile of vendors that won't even be entertained for any of my networking needs (and who will be my example of bad choices to anyone I support, or who asks).
As for the 'we did this for support' argument; Netgear offers 90 days iirc... so I'm assuming they turn this feature off after 90 days? ;)
Seriously, I could grow roses in half of the excuses companies come out with.
I did quite a lot of research on routers as I required my SOHO one to have a baked-in OpenVPN client with the CPU horsepower to deal with the encryption overhead, but that could also support multiple VPN profiles with bypass for dedicated connected devices, but that also didn't cost the Earth. This limited the field considerably. In the end I went for an ASUS RT-AC88U and then flashed it with the 3rd party Merlin version of ASUSWRT. It's been great so far.
And other information.
Well as you ask, in reality it's not of any value to them. But flip it around, and ask why collect it in the first place ?
The first rule of data management is that if you don't collect data then it can't leak. If you do collect it, then you need to secure it. We can't trust Netgear to keep it secure (given their track record), and they've turned on this collection without asking the user first. It does NOT matter in the least if there is a way to turn it off, nor does it matter in the least if it's in the release notes - this was turned on without the users consent.
But the article says they collect more than just IP and MAC, and in reality we don't know what they collect. What if they decided it would be useful to collect DNS query information ? No problem ? Have a read of this article which might just change your mind.
So it's not really about WHAT they collect, it's about the fact that they collect anything at all, and without asking the user first.
This post has been deleted by its author
Well 1st off a list of mac addresses and the list of visible access points locate you very nicely. But its not just you, your tattling on your neighbors! Ok you say, Google's phones do this every day, all you need is some twit driving by with GPS and location services on and they have the information anyway,
2nd A list of connected mac addresses. So now any device that connects to the Internet needs mac address randomization turned on, or every household member can be profiled. When they come and go, what sites they like.
3rd actually recording stuff like regular dns queries, email addresses (all the junky detail if you want to focus on them, rather than just track them)
Law enforcement would love it, as they don't need a warrant to buy data. Marketeers would love to know the hours your at home, and what your interested in. Political parties are increasingly highly targeted marketeers (a few % in the right electorates can swing an election, so why waste you time on actual policy when you can target KEY INDIVIDUALS). Even selling the data to true criminals could be safely done without exposing netgear.
Now what do you call it when you live in a state where your every movement is tracked, your vices are recorded, your neighbors inform on you, and at a moments notice it can all be taken away from you (I've seen people suffer fines for stuffing up paperwork equate to years of their actual income. Slavery anyone?)
This post has been deleted by its author
That word has become dirty like "smart". Of course you can't downvote the support article unless JS is enabled because the buttons aren't plain links (just like here), and as soon as you temp-whitelist JS on the Netgear site, it tries to pull in more scripts-- from visualwebsiteoptimizer.com and of course google-analytics.com (just like here). Ima sheep, hurr durr. No, not a sheep herder, that's just silly
Same here. Firmware version V1.0.1.44_1.0.1 and no option that I can find for this. I clicked update because I figured better to get the new version now and turn this off than to have it come down later on and be overlooked. But it's not finding any newer firmware! It thinks this one is the latest! Something not right here if you have 1.0.7.12 and mine can't find an update from 1.0.1.44. Could it be updated by region? UK user here.
It looks like they decided they needed to document the analytics.
This probably is region specific, - in the US with V1.0.7.10_1.2.3 listed at the top of the UI, firmware update assistant was showing something about 1.0.7.12, but it looks like there has been another update. New features were shown as New Features and Enhancements:
Supports Dynamic QoS.
Supports Dynamic QoS database update
Bug Fixes:
Fixes for security issues.
Note: Firmware starting 1.0.7.12 will not include Arlo functionality
---
now seems to be referencing 1.0.8.34 for whatever reason - specifically it shows:
Current GUI Language Version: 1.0.7.10_2.1.38.1
New GUI Language Version: 1.0.8.34_2.1.38.1
Current Firmware Version 1.0.7.10
New Firmware Version 1.0.8.34_1.2.15
Release Notes:
1. [New Feature] Supports collection of router analytics data.
2. NOTE:It is strongly recommended that after the firmware is updated to this version, log back in to the router s web GUI and configure the settings for this feature.
But for the truly sensitive stuff how does it differ from Shodan? You can get IPs and MACs from there easily.
It wouldn't take much effort to link the Shodan API to your own client database and logs to work out which kit a specific user has and on which ISP it is connected.
With a bit of Javascript you could even go as far as inferring their connection speed.
You could probably go as far as linking a leaked client database to Shodan and cross check all the leaked passwords against the devices.
Whilst this data collection is shameful I can't help but feel people apply too many gasps to issues like this without thinking about the big picture.
A person buying a netgear router, routers known for being extremely average and borderline crap, isn't considering the bigger picture.
Last netgear kit I had was a DG834...it was fucking shit.
Since then, properly configured Draytek all the way unless in a DC, in which case I build the router based on Linux and keep it as barebones as possible. It doesnt need a web front end, it doesnt need telnet, it doesnt need to support X vpn client, it doesnt need SSH exposed tonthe web no frills it just needs to route and firewall. In front of that a good IDS built on Snort or an equivalent to weed out shifty traffic before it even hits the router.
But cost I hear you cry. Tough shit I say. A solid ethernet based router should last you for years its a minimum requirement if security is of concern.
You wouldnt cheap out on a polystyrene door for your house, why cheap out on what is effectively the front door to your network?
MAC addresses are a big assistance to a hacker as they expose the manufacturer and therefore known bugs and backdoors..
Google maps seems to know almost exactly where my desktop PC is, no GPS or WiFi, so I presume somebody is doing some data mining from smartphones on the same network.
Start mining the MAC addresses and you can start figuring out the location and movement patterns of individuals who don't carry smartphones for security reasons in sensitive sites.
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
