Wish you could log into someone's Netgear box without a password? Summon a &genie=1

If you're using a Netgear router at home, it's time to get patching. The networking hardware maker has just released a tsunami of patches for a couple of dozen models of its kit. The flaws were found by Martin Rakhmanov at infosec shop Trustwave, which has spent over a year hunting down programming gremlins in Netgear's …

Anonymous Coward

Looks like Amber Rudd has started coding back doors herself.

41
0
Anonymous Coward

Amber Rudd's obsession...

Can't help thinking Rudd's obsession stems from a cheating husband and subsequent divorce. I'm sure you become obsessed with any encrypted devices/data you can't see the contents of, in those situations and it never leaves you.

Still, no reason to impose your beliefs on a whole nation, with the cost that entails, with far better ways to spend that money on other forms of technology to enhance people's lives, rather than more monitoring/surveillance.

15
0
Bronze badge

Re: Amber Rudd's obsession...

I think it just stems from her being an idiot and simply not understanding how IT works.

29
0

Re: Amber Rudd's obsession...

Something a very clever Scottish Edinburgh graduate said to me while sitting in the Meadows (park), (that I took onboard, never forgot and has proved its worth) - Never assume there is someone of intelligence behind a posh clipped English accent.

It makes you see Amber Rudd/Theresa May/BoJo types in a whole new light.

12
8
Anonymous Coward

>Looks like Amber Rudd has started coding back doors herself.

It was contracted out.......

to Mickey Mouse.

1
0
Silver badge

Re: Amber Rudd's obsession...

> I think it just stems from her being an idiot and simply not understanding how IT works.

...and, as such, being very, very useful to the senior civil service types that want to ensure that they[1] can get data on anyone, anywhere at any time. Along the lines of "give me 6 words by an innocent man and I will be able to find something to hang him by".

[1] After all, it's a remarkably common theme amongst home secretaries of all political colours for many years. Even ones that should stand for reduction of Government interference on the private lives of people.

4
0
Anonymous Coward

Go on, install that 'update'.

Just thought I'd post the mickey mouse link:

https://www.cyberaware.gov.uk/software-updates

Great to think the Government (backed by clueless Amber Rudd obviously) can spend a fortune paying advertising execs to come up with their latest campaign to install software updates but do nothing to force fcukers like Netgear to provide the firmware/security updates for 6 years minimum in the first place.

You can't help think too, that blindly telling users to install the latest update isn't necessarily the best approach. The same approach to force a user into installing an update, can be used to enable backdoors (and Governments), in the same way as peeling an onion layer by layer, so slowly, that you don't notice your data is being exposed, i.e. the data slurping, that has changed from opt-in to opt-out over newer versions of Windows 10, data slurping updates added to Win7 and also browsers like Firefox adding the default option "Allow Firefox to install and run studies", as well as adding a 'screenshots' screen grab technology directly into the browser, that by default uploads to the cloud, no password.

Blind updating per se (without due diligence to what you're installing), isn't a good thing either.

2
1
Silver badge

Security by Stupidity

I have heard of 'security by obscurity'. Netgear must have a new idea - security by stupidity. No one would be that stupid would they?

34
0
Anonymous Coward

Re: Security by Stupidity

IMHO Netgear have a decades long reputation for lack of security, I personally thought it was only the IT ignorant who still bought them

17
7
Silver badge

Re: Security by Stupidity

Given Netgear is readily available at most retailers, it is not surprising that many buy them. Also, I am not sure even with 'security by stupidity' that their competition is any better overall in the home/home office market.

3
0
Anonymous Coward

Exactly why I don't use OEM firmware.

Exactly why I don't use OEM firmware. Poor quality and support is non-existent.

pfSense firewall and/or LEDE (or OpenWRT, DD-WRT, etc).

15
5
Anonymous Coward

Re: Exactly why I don't use OEM firmware.

"Security through arrogance." is no defence either.

Don't get me wrong I'm a huge fan of FOSS, I do use DD-WRT, but just because the code is freely available doesn't mean it's not got bugs, it still needs to be verified it's safe by someone. Don't give me that, "If enough people use the bugs will come out.", hmmm that worked out well for the SSL bugs a year or two back. Too many FOSS-fanbois walking around with their fingers in their ears quoting the mantra, "It's open source so it has to be safer by design.". I can buy a steak at TESCO, looks OK and I can see it perfectly through the plastic, doesn't mean it hasn't just spent the last 3 hours out of the fridge and won't give me the guts ache if I eat it.

41
3

Re: Exactly why I don't use OEM firmware.

> I do use DD-WRT, but just because the code is freely available doesn't mean it's not got bugs...

Correct - those platforms (like most) absolutely have bugs. The practical advantage of those third party FOSS options is that the bugs are normally more complex, and more importantly the patches are released quickly; support usually continues longer after the manufacturer gave up on the hardware.

16
6
Anonymous Coward

Re: Exactly why I don't use OEM firmware.

> "Don't give me that, "If enough people use the bugs will come out.", hmmm that worked out well for the SSL bugs a year or two back."

That was openssl bugs not SSL bugs ... Openssl is quite an exceptional case of level of obfuscation in the code, preventing anyone from performing peer review, therefore the indeed appalling bugs ...

This is for one, admittedly very used, implementation only ...

9
6
Silver badge

Re: Exactly why I don't use OEM firmware.

> Openssl is quite an exceptional case of level of obfuscation in the code,

Concur - whoever modded that down has never ever had to read it and look for bugs. I have had to do that twice, finding issues in both cases and I needed some PTSD therapy after both cases. As far as code base goes it is somewhere between GodAwful and the Zebra/Quagga/Frr code base (that one qualifies for the 8th circle of hell).

9
0
Silver badge

Use DD-WRT/OpenWRT for longer support life, not better security

The reason to use open source on your router isn't better security. While really boneheaded stuff like this isn't present, DD-WRT and OpenWRT don't and can't have perfect security.

What they do have over vendor software on routers is longer term support. Anyone care to bet whether the list of routers in that Netgear advisory is ALL the ones affected, or only the more recent models they have chosen to keep supporting? Netgear isn't going to put out a press release stating "we have fixes for this list of affected routers, and we will not be providing fixes for this list of slightly older routers which are also affected."

17
0
Silver badge

Re: Exactly why I don't use OEM firmware.

@Venerable AC

FFS, you do not get it.

How many models have Netgear patched? How many are still vulnerable and are not going to be patched because, well, routers reach EOL after 2 or so years? Make it open source, and I can grab the diff, apply it, build and deploy ... if I want to become a hero, I create a github repo with ready-to-use firmware for everyone else who's been left out in the cold by reckless corporate scum who don't care about their customer base ... Netgear, D-Link, you name it ... once the box has reached EOL, you better get a new shiny ...

What stuns me is the ?genie=1 ... what a bunch of arrogant 1d1ots ...

2
1
Silver badge

Re: Exactly why I don't use OEM firmware.

> That was openssl bugs not SSL bugs ... Openssl is quite an exceptional case of level of obfuscation in the code, preventing anyone from performing peer review, therefore the indeed appalling bugs ...

Every major TLS implementation was publicly found to have at least one severe, security-compromising bug in 2014 alone. Every one.

You might try learning a little recent history before pontificating.

0
0
Silver badge

Re: Exactly why I don't use OEM firmware.

> whoever modded that down has never ever had to read it and look for bugs

I'm quite familiar with the OpenSSL code - I've spent hours reading through it and debugging it.

I modded OP down because the comment is historically ignorant and dumb.

0
0

That's no vulnerability

It's a deliberately coded backdoor. Time to start investigating why it was added to the firmware, and who was behind it.

32
0
Silver badge

Re: That's no vulnerability

Most likely added during some testing phase and they forgot to remove it. If it were added as a backdoor I'd think whoever did it would be more subtle about it...

11
1
Silver badge

Re: That's no vulnerability

> Most likely added during some testing phase and they forgot to remove it.

Stuff like that should be behind an #IFDEF (or whatever is the equivalent in your favourite language). And the same #IFDEF should also be wrapped around the following functionality:

1) User interface has a prominent "Development Mode" notice displayed on all web pages (or equivalent for a non-web interface).

2) Certain device functionality (in this case, the network connectivity) is disabled at startup.

3) User has to click on "Go Live" (or suitable equivalent) to get normal functioning (but not removal of "Development Mode" warning)

4) On reboot/power cycle, device starts up in Development Mode and is not live until user explicitly invokes step 3.

That should be the case for any "make life easier during development" code. And it should be an instant dismissal offence to put in dev/test code which isn't wrapped in the #IFDEF.

Yeah, there are lots of refinements you could add to the scheme. But something like that should be the bare minimum.

It ain't rocket surgery. In fact, it's so damned obvious it shouldn't have been necessary for me to say it here.

I wonder what I got wrong in the above. There's bound to be something. You can't #IFDEF Murphy's law.

5
2
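The build-time gating described in the comment above, sketched in C as an added example (not part of the original post and not Netgear's code). The `DEV_BUILD` macro, the `struct device` fields, the function names and the way the `genie=1` flag is matched are all assumptions made for illustration.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical device state; names are illustrative, not vendor firmware. */
struct device {
    bool network_up;   /* step 2: off at boot in a development build */
    bool dev_banner;   /* step 1: shown on every page in a development build */
};

/* Runs on every boot or power cycle (step 4): a development build always
 * comes up with the banner on and the network down. */
void device_boot(struct device *d)
{
#ifdef DEV_BUILD
    d->dev_banner = true;
    d->network_up = false;
#else
    d->dev_banner = false;
    d->network_up = true;
#endif
}

/* Step 3: an explicit "Go Live" enables the network but never clears
 * the banner. */
void device_go_live(struct device *d)
{
    d->network_up = true;
}

/* Returns true if the request may reach the admin pages. The convenience
 * shortcut is compiled only when DEV_BUILD is defined, so a release binary
 * has no code path that consults the query string for authentication. */
bool request_authorized(const char *query, bool password_ok)
{
#ifdef DEV_BUILD
    if (query != NULL && strstr(query, "genie=1") != NULL)
        return true;   /* development-only shortcut */
#else
    (void)query;
#endif
    return password_ok;
}

/* Banner text prepended to every rendered page. */
const char *page_banner(const struct device *d)
{
    return d->dev_banner ? "*** DEVELOPMENT MODE ***" : "";
}

int main(void)
{
    struct device d;
    device_boot(&d);
    /* Constructed sample query; no password supplied. */
    printf("banner=\"%s\" network=%d authorized=%d\n", page_banner(&d),
           d.network_up, request_authorized("id=5&genie=1", false));
    return 0;
}
```

Built without `-DDEV_BUILD`, the shortcut branch is not compiled in at all, so the flag cannot grant access in a release image.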
Silver badge
FAIL

"with remote configuration access enabled"

THERE's your problem. That, and enabling UPNP. *SLAP* *SLAP* *SLAP* with a ginormous green onion... bad, no biscuit!

24
1
Silver badge
Thumb Up

Re: "with remote configuration access enabled"

" *SLAP* *SLAP* *SLAP* with a ginormous green onion... "

Rule 34!!

11
0
Silver badge
Windows

Re: "with remote configuration access enabled"

Bob, your leek is showing.

4
0
Bronze badge
Facepalm

"execute arbitrary code on the router as root over the air"

I don't know where to begin!

It does occur to me that the bugs, backdoors, and flaws are not the priority. At all. The human(s) responsible should be identified, located, and beaconed. Everything they've touched, before and after, should also be closely scrutinized. It's the only way to be sure.

10
1
Silver badge

I thought nuking from orbit was the only way to be sure.

7
1

This post has been deleted by its author

Thumb Up

Thanks for the heads up

Patched! Phew!

3
0

shhh these aren't bugs they are features.

5
0
Silver badge
Coat

do the senators know?

An American company is providing back doors that are available to the Chinese and Russian governments. No political mileage there though.

14
2
Silver badge

Who needs security

when all we do is watch cat videos?

10
0
Silver badge

Re: Who needs security

A malicious cat could potentially redirect you to dog videos.

38
1
Silver badge

Re: Who needs security

Those cats are Trojan Kitties.

3
0
Anonymous Coward

Full_Ford and other odd devices appearing on Windows 10 networks...

Might explain the reports of phantom devices like "Full_Ford" appearing in Windows 10 Networks, which disappear when quizzed/right click properties.

https://answers.microsoft.com/en-us/windows/forum/windows_10-networking-winpc/unknown-network-device/0e40bec5-c795-476c-ae8a-46bb180a856a?auth=1

I've long suspected Netgear routers were compromised.

What about older Netgear kit? No firmware patches for those, it seems.

Netgear (if you're reading) - In the UK, kit has to be fit for purpose for 6 years under Consumer Law.

7
2
Silver badge

Re: Full_Ford and other odd devices appearing on Windows 10 networks...

> Netgear (if you're reading) - In the UK, kit has to be fit for purpose for 6 years under Consumer Law.

No, it's up to 6 years, the actual duration depending on what's reasonable for the type of product - and it's for a court to decide what's reasonable in each case.

0
1

Really?

It's 2018 and it's still deemed acceptable to have these kinds of bypasses? Awesome.

I'm all for a bypass which requires physical access to the device - after all, once you have that it's pretty much game over anyway - but URL bypasses are just so last decade. *cough*

5
0
Silver badge

Yay, more "features" for world+dog to use...

1
0

Name me one home network device maker we can trust nowadays

Why are all home network devices designed by idiots(?) / compromised three-letter paid employees.

I mean, why do they use software stack from 1995? CGI web server. Perl scripts. Funky admin panels.

Name me one home network device maker we can trust nowadays to deliver trustworthy hardware and software.

5
0
Silver badge

Re: Name me one home network device maker we can trust nowadays

> Why are all home network devices designed by idiots(?) / compromised three-letter paid employees.

Because they are built down to a price.

4
0
Silver badge
Meh

Re: Name me one home network device maker we can trust nowadays

If someone can*, it certainly won't be Netgear. I bought one of their top spec'd consumer routers (£120) back in 2012 and it was EOL'd within 9 months (barely 12 months after release). The ADSL bugs were never fixed and I bet it very quickly became a swiss cheese for security holes that have been found in the years since. The only reason mine was bearable to use was because support sent me a Firmware beta that was never released to the unwashed masses. Official fixes were only available if you dropped (£140) on the v2 HW (£140) which was released about the time my v1 HW was EOLd; i.e. Netgear were happy for me to junk HW still in warranty to get updates. That's when I swore off Netgear ever again for anything.

*I have one name in mind because I have one but I can see the OP was posing a rhetorical question (plus I don't want to be accused of being a shill).

5
0

Re: Name me one home network device maker we can trust nowadays

DrayTek - consistently better performance and a positive attitude towards patches and bug fixes. You pay for it, but they have been sat on my perimeter for several years now without issue and with updates (even the oldest unit in our network).

I honestly don't know why the likes of BT, vodafone, TalkTalk etc. don't use these guys for CPE instead of the crap that they do. I've swapped three systems for DrayTek in the past week and the only one that didn't show up a massive connections/second improvement was the BT Infinity6. Everything else, whilst not showing any noticeable difference on a Speedtest, elicited positive responses about how much snappier the internet experience was.

So, you *can* have a responsible modem/router manufacturer, with patches, and great performance.

6
0
Silver badge
Coat

Re: Name me one home network device maker we can trust nowadays

Netgear.

You can trust them to fuck up.

You can't trust the other manufacturers to always fuck up.

Netgear: 10 out of 10 skiddies recommend it.

3
1
Anonymous Coward

Re: Name me one home network device maker we can trust nowadays

>If someone can*, it certainly won't be Netgear. I bought one of their top spec'd consumer routers (£120) back in 2012 and it was EOL'd within 9 months (barely 12 months after release).

Sadly it's an industry wide problem with slipshod attitude to security once the sale is made, FU we've got your money and no longer care unless of course you're interested in our shiny new model. I'm strongly in favour of legislation that says anything connected to the internet should be supported for security and bugs for a duration of 5-7 years, I would favour 7 as often things are in the sales channel for 1-2 years from release.

We're running out of landfill space so we have to make things last longer and also I don't have a bottomless wallet.

8
0
Silver badge

Re: Draytek

My normal play-kit is enterprise level stuff, but even there I've occasionally had to deal with Draytek firewalls.

Whilst it took a bit of working out I managed to get my head around their limitations and get them secured in a similar manner to a full-on enterprise firewall - VPN's, ACL's encryption domains etc.

So for home users they are probably as close to business-grade devices as you are going to get for the price - just be aware that you need to dig under the bonnet a bit to make sure it's actually doing what you think you just told it to do via the GUI - there were a few little gotcha's that I came across in the order of processing (such as NAT/ACL's and enc-dom's etc.).

3
0

Re: Name me one home network device maker we can trust nowadays

Draytek ha you're avin a laugh.

Lots of Draytek experience - couldn't recommend them what-so-ever.

Nor their off spin Zyxel - in case you didn't know ex Draytek guys invented Zyxel. Wonder where they got the roms from. er maybe.

Would you want a Zyxel?

0
2
Silver badge

Re: Name me one home network device maker we can trust nowadays

I used to have a Zyxel until it died on me, would definitely use one again. The UI was better than most for one thing.

0
0
Silver badge

But...but...but...hard coded back doors are good for security. No one will ever find and/or compromise them and/or put them into the public domain.

Move on folks...nothing to see here!

10
0
Anonymous Coward

If the Apple iBoot firmware can leak, anything can leak.

If the Apple iBoot firmware can leak, anything can leak. There are billions riding on Apple and protecting its IP and it still leaked. It's a real good example of why there shouldn't be backdoors.

Maybe even Apple compromised themselves to prove a point? If you need to argue the point against backdoors in Congress, how better to show the problem, by highlighting compromises against Apple itself. It's old code, so serves the purpose.

Just sayin'. Apple have clever folk working there, that think outside the box. You give up something, to gain something much bigger.

5
0

"We'd also like to thank Netgear for their responsive and communicative product security incident response team. It's obvious that their participation in bug bounties has helped them improve their internal process for addressing issues like these." ®

3
0


Biting the hand that feeds IT © 1998–2018