back to article Netgear 'fixes' router by adding phone-home features that record your IP and MAC address

Netgear NightHawk R7000 users who ran last week's firmware upgrade need to check their settings, because the company added a remote data collection feature to the units. A sharp-eyed user posted the T&Cs change to Slashdot. Netgear lumps the slurp as routine diagnostic data. “Such data may include information regarding the …

Page:

  1. Aitor 1 Silver badge

    Ok, they spy on their clients

    So they dont consider them their clients.. therefore I wont be one anymore.

    1. Mark 65 Silver badge

      Re: Ok, they spy on their clients

      Most of Netgear's kit uses their firmware take on OpenWRT so, in most cases, you can just flash the router with your own firmware which rids you of such pestilent shite.

      1. tekHedd

        Re: Ok, they spy on their clients

        The R7000 can run DD-RWT, but it can't switch at full speed because the switching core is proprietary. So it's not so much a fix as a downgrade. :(

        I know this off the top of my head because I checked last year. :(

    2. paulf Silver badge
      Unhappy

      Re: Ok, they spy on their clients

      I guess that monitoring your "customer's" every damned move is now a case of "Everyone does it because everyone does it".

      It's an achievement those router owners even got an update (yes, I know that's not the point). I swore off Netgear several years ago when my top of the range wireless ADSL router (DGND3700v1) was EOL'd 12 months after launch (i.e. 6-9 months after purchase) despite them knowing the firmware was still full of fundamental ADSL breaking bugs. The fixes only went into the v2 hardware. The only reason I got passable performance was because Support sent me three Engineering Beta versions of the firmware which resolved most of the ADSL problems. These updates were never released properly so I can only suspect they were made available on a "Keep people quiet who complain to support" basis but not released generally to ensure most people bought a new one to get the fixes.

      I've not touched Netgear since. Their old Sparc based NAS boxes were pretty good (and still getting very occasional updates 5+ years later) but the current stuff is just junk.

      1. Anonymous Coward
        Anonymous Coward

        Their old Sparc based NAS boxes...

        Weren't Netgear - they bought a company called "Infrant" who designed the ReadNAS product range.

        1. paulf Silver badge
          Holmes

          Re: Their old Sparc based NAS boxes...

          @AC "Their old Sparc based NAS boxes... Weren't Netgear - they bought a company called "Infrant" who designed the ReadNAS [sic] product range."

          I did hear about that after purchase and it does explain why they're uncharacteristically (for Netgear) well built. That said the boxes I bought had Netgear badges on the front, therefore my original point is technically true (i.e. they're Netgear).

    3. Killhippie

      Re: Ok, they spy on their clients

      Its actually opt in, not opt out, and there are also now options for auto update too., seems it was a slow day.

      https://ejquo23388.i.lithium.com/t5/image/serverpage/image-id/16007i4BF36CA9E8788CF9/image-size/original?v=1.0&px=-1

      1. paulf Silver badge
        Headmaster

        Re: Ok, they spy on their clients

        @ Killhippie "Its actually opt in, not opt out, and there are also now options for auto update too., seems it was a slow day."

        That just shows the info gathering option set to disabled - it doesn't necessarily confirm it is opt-in or opt-out. Same goes for the auto-update option.

  2. NanoMeter

    Nope Nope Nope

    Ain't going near Netgear products in the future.

    1. Anonymous Coward
      Anonymous Coward

      Re: Nope Nope Nope

      I would.

      However I'm waiting for someone to integrate VDSL drivers (lantiq open source) with OpenWRT / LEDE.

      Hacking on a device that can only be unbricked by soldering a serial interface is a bit more fannying around than I can be bothered with, so I'll wait for an aussie to do it.

    2. bombastic bob Silver badge
      Devil

      Re: Nope Nope Nope

      yeah, I'm not too pleased with this. I've been kinda prejudiced against Netgear from my 'smart antenna' days. Their so-called "MIMO" routers (that were multi-antenna G) and some of their other claims were pure ridiculousness and, in many ways, FALSE ADVERTISING.

      example, HERE: http://documentation.netgear.com/wpn824v2/enu/202-10122-01/wpn824v2-03-03.html

      they made OTHER outrageous claims as well, but that one's pretty obvious. From around 10-12 years ago as I recall.

      THAT being said, they have a serious credibility gap with me. I've been going wth DLink instead. Inexpensive and effective.

    3. macjules Silver badge

      Re: Nope Nope Nope

      Much easier just to put all your private information on Facebook .. saves a lot of trouble from those pesky Ransonware chaps.

  3. Smooth Newt Silver badge
    WTF?

    Similar technical data

    Technical data about the functioning and use of our routers and their WiFi network can help us to more quickly isolate and debug general technical issues, improve router features and functionality, and improve the performance and usability of our routers. Such data may include information regarding the router’s running status, number of devices connected to the router, types of connections, LAN/WAN status, WiFi bands and channels, IP address, MAC address, serial number, and similar technical data about the use and functioning of the router, as well as its WiFi network.

    What is "similar technical data"? I might have a mental image of what "similar technical data" might be, but given that hotchpotch of things listed, some of which are hardly "technical", there is no reason why it should coincide with Netgear's. Why can't they be a lot more specific?

    1. Dan 55 Silver badge

      Re: Similar technical data

      I guess they'll be flogging all the MAC addresses they can find connected to the LAN via WiFi as well as the MAC of the router itself to all the geo-IP companies they can find.

      1. Ken Hagan Gold badge

        Re: Similar technical data

        "flogging all the MAC addresses [...] to all the geo-IP companies they can find."

        Not much use unless you know the location of the router. Netgear don't. The ISP (probably) does. Likewise, the location of connected devices is only useful if you know that they stay connected at that location, and mostly these days they don't.

        1. FuzzyWuzzys Silver badge
          Facepalm

          Re: Similar technical data

          "Not much use unless you know the location of the router. Netgear don't. The ISP (probably) does."

          It doesn't take much to find out roughly which blocks of IPs the ISP have been assigned for passing to their customers. Given that they know the rought country a router has been sold in by it's internal serial number, match that to local ISPs and you may not know the exact street but I reckon with enough tech sorting and solid DB schema you'll quickly build up enough info to know which town or county a particular router is running in.

          1. Ken Hagan Gold badge

            Re: Similar technical data

            @FuzzyWuzzys: That sort of hopeless guesswork is probably why I get geo-IP-ed to Bracknell. Perhaps you live in a country where there are such things as "local ISPs". I can't think of any in the UK.

            But the real problem with your algorithm is that is uses existing geo-IP knowledge to locate the router, which makes the information that Netgear have collected utterly worthless to people who do geo-IP, which is what was being suggested.

            1. Dave Bell

              Re: Similar technical data

              Some countries, you can get a decent Geo-IP fix from the RTT to known servers. There's a research project based on this that I took part in, and one of the possibilities is confirming a Tor-node is in the country it claims to be.

              Trouble is, the UK seems to be wired, via BT, so that everywhere is the same distance from everywhere else. So every ISP's address block is in the same fuzzy 30ms block as everything else, and my RTT to servers in California is little different to what it was on the days of dial-up.

              The results I got plotted a circle that was about the same radius as the distance from London to Timbuktu.

        2. Dan 55 Silver badge

          Re: Similar technical data

          The router could scan for nearby networks' MACs and signal strengths. Third parties could add new MAC addresses to their maps fairly confidently.

        3. This post has been deleted by its author

        4. Pu02
          WTF?

          Re: you can't be serious

          "Not much use unless you know the location of the router"

          Geo IPs will buy data that confirms what they already know if it was collected more recently or helps to build out the picture.

          "Netgear don't. The ISP (probably) does"

          They may not, but they may as Netgear supply ISPs directly. As would many gov agencies, 'cleared' third parties, even their sub-contractors and in some cases, even lowly employees. None of whom are disclosed and have any onus to take much care with what they use or leave behind.

          "the location of connected devices is only useful if you know that they stay connected at that location, and mostly these days they don't"

          Not sure how you decided this, sure some people hop address but a lot of people stay connected for weeks/months on end nowadays even if their ISP allocates them a new address every time they re-connect. However a lot of ISPs provide static addresses to a significant proportion of customers, and others provide nothing but static addresses, so their customers NEVER change their address. And then there are all the others that manage to stay within the timeout period of their allocated address and receive the same address each time they re-connect.

          1. BongoJoe Silver badge

            Re: you can't be serious

            As of next week I am going to live on a motorhome and travelling with a dongle. Good luck to anyone trying to work out my Geo-IP address. One week I could be here, another week I could be abroad in England or even in Scotland.

            Sometimes I feel we should be swapping phones and routers with people at random.

    2. Schultz

      Re: Similar technical data

      The data are integers, strings, floats, and other technical stuff that you really don't have to worry about. Now stop asking those pestering questions.

  4. Sebastian A

    Few people will turn it off, but I bet just as few actually bother updating the firmware on their router.

  5. redpawn Silver badge

    If it seems to work...

    leave it alone, because what you don't know can't hurt you.

    1. Anonymous Coward
      Anonymous Coward

      Re: If it seems to work...

      Ahh, you've got your eye on an upper management job don't you?

      1. redpawn Silver badge

        Re: If it seems to work...

        You sussed me out. But at home I use Tomato Shibby.

        1. This post has been deleted by its author

  6. Winkypop Silver badge
    Trollface

    Hi, just looking thanks

    As you were...don't mind us.

  7. Steve Davies 3 Silver badge

    So we can add Netgear

    to the list of companies that slurp our data as a matter of course.

    Soon, I guess the list of those who will NOT do this will be shorter than those who do.

    A sad reflection on the times but it does worry me.

  8. NiteDragon

    I was stupid enough to purchase the D7000 from Netgear, so I'd already decided to consider all other brands first in the future... This however adds them to the pile of vendors that won't even be entertained for any of my networking needs (and who will be my example of bad choices to anyone I support, or who asks).

    As for the 'we did this for support' argument; Netgear offers 90 days iirc... so I'm assuming they turn this feature off after 90 days? ;)

    Seriously, I could grow roses in half of the excuses companies come out with.

  9. Wiltshire

    Urgh, hang-on, just updating the purchasing blacklist.

    Netgear ShytHawk

    There we are.

    1. sitta_europea

      You forgot BT and Vodafone.

      1. Ken Hagan Gold badge

        "You forgot BT and Vodafone."

        No. The OP said "updating".

  10. Aristotles slow and dimwitted horse Silver badge

    Yup.

    I did quite a lot of research on routers as I required my SOHO one to have a baked-in OpenVPN client with the CPU horsepower to deal with the encryption overhead, but that could also support multiple VPN profiles with bypass for dedicated connected devices, but that also didn't cost the Earth. This limited the field considerably. In the end I went for an ASUS RT-AC88U and then flashed it with the 3rd party Merlin version of ASUSWRT. It's been great so far.

  11. tentimes

    Why is this so bad?

    Can someone explain why this is such an awful thing? This is not a troll - I genuinely don't understand. So they have your MAC and IP address.... what can they do with that?

    1. SImon Hobson Silver badge

      Re: Why is this so bad?

      And other information.

      Well as you ask, in reality it's not of any value to them. But flip it around, and ask why collect it in the first place ?

      The first rule of data management is that if you don't collect data then it can't leak. If you do collect it, then you need to secure it. We can't trust Netgear to keep it secure (given their track record), and they've turned on this collection without asking the user first. It does NOT matter in the least if there is a way to turn it off, nor does it matter in the least if it's in the release notes - this was turned on without the users consent.

      But the article says they collect more than just IP and MAC, and in reality we don't know what they collect. What if they decided it would be useful to collect DNS query information ? No problem ? Have a read of this article which might just change your mind.

      So it's not really about WHAT they collect, it's about the fact that they collect anything at all, and without asking the user first.

      1. This post has been deleted by its author

      2. Anonymous Coward
        Anonymous Coward

        Re: Why is this so bad?

        Well 1st off a list of mac addresses and the list of visible access points locate you very nicely. But its not just you, your tattling on your neighbors! Ok you say, Google's phones do this every day, all you need is some twit driving by with GPS and location services on and they have the information anyway,

        2nd A list of connected mac addresses. So now any device that connects to the Internet needs mac address randomization turned on, or every household member can be profiled. When they come and go, what sites they like.

        3rd actually recording stuff like regular dns queries, email addresses (all the junky detail if you want to focus on them, rather than just track them)

        Law enforcement would love it, as they don't need a warrant to buy data. Marketeers would love to know the hours your at home, and what your interested in. Political parties are increasingly highly targeted marketeers (a few % in the right electorates can swing an election, so why waste you time on actual policy when you can target KEY INDIVIDUALS). Even selling the data to true criminals could be safely done without exposing netgear.

        Now what do you call it when you live in a state where your every movement is tracked, your vices are recorded, your neighbors inform on you, and at a moments notice it can all be taken away from you (I've seen people suffer fines for stuffing up paperwork equate to years of their actual income. Slavery anyone?)

    2. This post has been deleted by its author

  12. dbtx Bronze badge

    Analytics

    That word has become dirty like "smart". Of course you can't downvote the support article unless JS is enabled because the buttons aren't plain links (just like here), and as soon as you temp-whitelist JS on the Netgear site, it tries to pull in more scripts-- from visualwebsiteoptimizer.com and of course google-analytics.com (just like here). Ima sheep, hurr durr. No, not a sheep herder, that's just silly

  13. FuzzyWuzzys Silver badge
    Flame

    One name for you...

    DD-WRT

    Nuff said!

  14. TrumpSlurp the Troll Silver badge

    Yet again

    A strong incentive to buy a generic hardware platform and install router software.

    However probably not off the shelf in Argos so not for 99% plus of the population.

  15. Gezza

    Anyone here actually own one of these?

    Reason being I have one with the latest firmware and there is no such Analytics section on the page advised in the Netgear Kb article you link to (Advanced > Administration > Router Update). Would like to switch it off but it ain't there!

    1. Anonymous Coward
      Anonymous Coward

      Re: Anyone here actually own one of these?

      My R7000 has firmware version R7000-V1.0.7.12_1.2.5 installed. Just checked their website and it says that is the latest version.

      However, I can't find any "Router Analytics Data Collection" section either.

      1. h4rm0ny
        Paris Hilton

        Re: Anyone here actually own one of these?

        Same here. Firmware version V1.0.1.44_1.0.1 and no option that I can find for this. I clicked update because I figured better to get the new version now and turn this off than to have it come down later on and be overlooked. But it's not finding any newer firmware! It thinks this one is the latest! Something not right here if you have 1.0.7.12 and mine can't find an update from 1.0.1.44. Could it be updated by region? UK user here.

        1. Anonymous Coward
          Anonymous Coward

          Re: Anyone here actually own one of these?

          @h4rm0ny: UK here also. My R7000 had been out of use for several months and I wanted to bring it up-to-date before reinstating it. I downloaded the 1.0.7.12 firmware from the Netgear website last week and installed from file.

        2. dgc03052

          Re: Anyone here actually own one of these?

          It looks like they decided they needed to document the analytics.

          This probably is region specific, - in the US with V1.0.7.10_1.2.3 listed at the top of the UI, firmware update assistant was showing something about 1.0.7.12, but it looks like there has been another update. New features were shown as New Features and Enhancements:

          Supports Dynamic QoS.

          Supports Dynamic QoS database update

          Bug Fixes:

          Fixes for security issues.

          Note: Firmware starting 1.0.7.12 will not include Arlo functionality

          ---

          now seems to be referencing 1.0.8.34 for whatever reason - specifically it shows:

          Current GUI Language Version: 1.0.7.10_2.1.38.1

          New GUI Language Version: 1.0.8.34_2.1.38.1

          Current Firmware Version 1.0.7.10

          New Firmware Version 1.0.8.34_1.2.15

          Release Notes:

          1. [New Feature] Supports collection of router analytics data.

          2. NOTE:It is strongly recommended that after the firmware is updated to this version, log back in to the router s web GUI and configure the settings for this feature.

  16. Anonymous Coward
    Anonymous Coward

    Yes this sucks...

    But for the truly sensitive stuff how does it differ from Shodan? You can get IPs and MACs from there easily.

    It wouldn't take much effort to link the Shodan API to your own client database and logs to work out which kit a specific user has and on which ISP it is connected.

    With a bit of Javascript you could even go as far as inferring their connection speed.

    You could probably go as far as linking a leaked client database to Shodan and cross check all the leaked passwords against the devices.

    Whilst this data collection is shameful I can't help but feel people apply too many gasps to issues like this without thinking about the big picture.

    A person buying a netgear router, routers known for being extremely average and borderline crap, isn't considering the bigger picture.

    Last netgear kit I had was a DG834...it was fucking shit.

    Since then, properly configured Draytek all the way unless in a DC, in which case I build the router based on Linux and keep it as barebones as possible. It doesnt need a web front end, it doesnt need telnet, it doesnt need to support X vpn client, it doesnt need SSH exposed tonthe web no frills it just needs to route and firewall. In front of that a good IDS built on Snort or an equivalent to weed out shifty traffic before it even hits the router.

    But cost I hear you cry. Tough shit I say. A solid ethernet based router should last you for years its a minimum requirement if security is of concern.

    You wouldnt cheap out on a polystyrene door for your house, why cheap out on what is effectively the front door to your network?

  17. David Pearce

    MAC addresses are a big assistance to a hacker as they expose the manufacturer and therefore known bugs and backdoors..

    Google maps seems to know almost exactly where my desktop PC is, no GPS or WiFi, so I presume somebody is doing some data mining from smartphones on the same network.

    Start mining the MAC addresses and you can start figuring out the location and movement patterns of individuals who don't carry smartphones for security reasons in sensitive sites.

Page:

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2019