Register-Orbi-damned: Netgear account order irks infosec bods

Netgear has irked some security pros by demanding people register accounts before they can use a mobile app to control their Orbi mesh routers. Thus, you'll need a Netgear customer account to manage your network infrastructure, thereby "advertising to hackers everywhere that there’s a nice little honeypot on their servers, …

  1. Kevin McMurtrie Silver badge

    You're not concerned about security if you're using Netgear. It's a bit late to complain about it.

    Segev can create a technical support ticket that may provide access to internal builds. My experience is that the internal builds are hardcoded to allow telnet access on the default password. It's super fun.

    1. JohnFen Silver badge

      Indeed. Netgear hasn't been a trustworthy brand for a long while now, and it looks like they still aren't interested in becoming trustworthy.

    2. EranSegev

      Of course you are right about Netgear, but it's secure enough for the specific use it's being put to, and I've taken other precautions.

  2. Neoc

    "The tech is not necessarily there to gather marketing data, contrary to the suspicions of our tipster. Some Mesh Wi-Fi competitors also require an account be set up to associate with their Wi-Fi networks, El Reg further understands"

    Hmmm, no. Unless any one of these companies shows cause, as far as I am concerned they ALL are gathering marketing data and Netgear went "there's a good idea" and jumped on the bandwagon. Just because other companies were doing it doesn't make it any less creepy.

    1. Shadow Systems Silver badge

      If I had to register...

      My name would become ShadowNetGear NetGearSystems & my email ShadowSystems+NetGear. That way when (not if) the account got compromised or NetGear decided to sell my data to third party marketers, anyone that called me "ShadowNetGear" would immediately get flagged as marketing shite to get flushed down the bog & I'd have proof that NetGear's servers were a steaming pile of security garbage. I'd be back to NetGear to kill my account so fast it would probably leave a plasma wake trail. NetGear device would get pruned from my network like a surgeon with a scalpel.

      Sometimes it pays to be a paranoid bastard...

      1. Doctor Syntax Silver badge

        Re: If I had to register...

        I'd be back to NetGear to try to kill my account

        FTFY

        "Sometimes it pays to be a paranoid bastard"

        But are you paranoid enough?

      2. Fred Daggy

        Re: If I had to register...

        Yeah, nice idea that, tagging email addresses. However more often than not I see that web forms either reject the plus sign, or strip anything to the right of it, until they hit the @.

        So, this one is working in fewer and fewer places.

        10minutemail if I need to register for something needed once. Or a whole list of throw away accounts, one per vendor. Yes, PITA, but using something like KeePass helps.

    2. 78910
      Thumb Down

      Absolutely 100%. If they want to give me the option of registering for accessing additional warranty or remote-management features then fine. But there's NO technical reason I should be forced to register online somewhere just to configure or monitor a bit of equipment that's local to me.

      Imagine if you had to check-in with Toyota or BMW in order to change the radio presets or A/C settings in your car. How about registering an account and touching base with Sony before being allowed to setup your new telly to watch the news? It's ridiculous. For what possible reason other than to tell them what you're doing and when and how often? I'm thinking of a word right now, it begins with double-eww and ends with ess.

      1. Long John Brass Silver badge
        Flame

        Imagine if you had to check-in with Toyota or BMW

        Don't imagine; that's already happening! A few El Reg articles ago they were talking about the problems de/re-registering connected cars with the mother-ship.

        This kind of stupid is everywhere now. I think I'll be hanging on to my '94 Civic until the wheels fall off. Unfortunately that could be any day now :(

      2. NorthIowan

        Registering to setup your new telly to watch the news

        I almost had to do that.

        I remember setting up my kid's new Element TV a few years ago. Had to call into support for a special code to unlock the tuner to scan digital (or was it analog?) stations. Gave some BS reason about making it "simpler" to set up.

        Yup, it was SO much simpler. Had to make a phone call during business hours to enable scanning both kinds of channels. Of course it was Saturday afternoon and the kid had cable with both analog and digital channels. Couldn't get it all set up until Monday.

        I was surprised to see in an ad that they still sell Element TVs. In fairness, Googling at the time showed that at least one other TV maker made TVs with that "feature".

  3. David 132 Silver badge
    Facepalm

    Worse than that...

    The management/configuration portal for the Orbi hub is at Orbilogin.net (entered on a machine connected to the orbi wifi, it does a local DNS redirect to the hub’s IP).

    Netgear didn’t have the foresight to register obvious variations such as Orbilogon.net, orbilogin.com etc., which of course have all now been registered by squatters/scammers.

    To compound their stupidity, they actually reference one of the “wrong” URLs in one of their online guides.

    1. Spazturtle

      Re: Worse than that...

      If they want to be cheeky then there is no need to register the URL, you can redirect it with local DNS without owning the URL.

  4. a_yank_lurker Silver badge

    Fox in the Hen House

    Sounds like the marketing failures are running NetGear which makes it a good reason to avoid them.

  5. Anonymous Coward

    Netgear - Another once great brand gone

    Recently bought an Arlo set of security CAMs; They fucking *REQUIRE* fucking adobe fucking flash to make the fucking thing work.

    1. Velv Silver badge

      Re: Netgear - Another once great brand gone

      No it doesn’t. Arlo works perfectly on my iPad and that famously doesn’t have Flash available.

      1. Anonymous Coward

        Re: Netgear - Another once great brand gone

        Android/iOS app doesn't seem to require it (I'm willing to bet it has an embedded flash run-time); try it with a web browser.

  6. Velv Silver badge
    Terminator

    Hmm, an app to give remote management access to your sensitive network equipment. Not sure registration with the vendor is your biggest security risk there buddy...

    1. Joe W Silver badge

      My first thought exactly. If you really think you need to manage your network infrastructure from a cell phone over the internet without even logging in to a VPN (the article sounds like that) you have much bigger security problems already. And it also tells me that you will not manage any of my critical network infrastructure (if I had one, that is....)

      1. DropBear Silver badge

        "If you really think you need to manage your network infrastructure from a cell phone over the internet"

        Not necessarily. I don't know the exact circumstances of his specific piece of kit and its app, but generally speaking there seems to be a trend towards making routers configurable through a smartphone directly connected to their WiFi hotspot, which is indeed a bit less hassle than the traditional "unplug your PC, reconfigure it to 192.168..., plug it into the router and configure it, restore your original IP on your PC, etc...". That does not immediately imply said app is connecting to said router through the internet or that the router even has any configuration interfaces open to the internet by default - it might, but it may well not. Of course, none of that requires one to register, so that part here might be linked with remote access - or it might just be marketing greed. Still, it's not really clear cut...

    2. Korev Silver badge

      Hmm, an app to give remote management access to your sensitive network equipment. Not sure registration with the vendor is your biggest security risk there buddy...

      I can see how sometimes this would be useful. If you're running networks for a load of SMEs then having them all in the same place is a huge time saver (Ubiquiti's Unifi lets you do this*); the alternative would be to have to VPN in to each site in turn to see how things are going on.

      *I do have the Cloud side of things on my setup disabled though (and also on Netgear Nighthawk gear it replaced)

    3. EranSegev

      False assumption here - we're not talking about remote access. This is strictly within the local network, which makes the requirement to register externally even more galling.

  7. Anonymous Coward

    Linksys -- Just Say No

    Last year I bought a Linksys EA7500. The Linksys recommended way TO INSTALL THE ROUTER was to set up a Linksys account IN THE CLOUD and do all the set up through the Linksys server.....and that's before you downloaded the app.

    *

    After a huge amount of trouble I found a way of configuring the router completely off the internet -- you know, the old fashioned way with a laptop and an ethernet cable and no internet connection.

    *

    Then I did a factory reset and gave the thing to the local charity shop. SEP.

    *

    By the way, the Archer C7 device which I now use has none of the "cloud-based management" problems mentioned above....unless you specifically opt in. Maybe Netgear should take a look!

  8. Steve K Silver badge

    Voice Control???

    .. enable voice controls,..

    Just why? What's the use case? How can you do anything involving networking via voice (apart from "disable voice control")...?

  9. vtcodger Silver badge

    marketing data?

    On what planet does marketing need data or use it if it exists? Surely they'll just make stuff up just like always.

    1. ds6 Bronze badge
      Gimp

      Re: marketing data?

      The only reason Facebook is able to make money, or even exist at all, is because they market targeted ads to you and sell your personal information to third parties—and we unfortunately have undeniable proof of that second one.

      Marketing runs the business world. It's unfortunate but it's true. Every little morsel of personal info a company can squeeze out of you is equivalent to a few coins worth of profit.

      And people don't care. They will never care. The convenience and shiny–thing–attraction is a worthwhile price to pay for them.

  10. DropBear Silver badge
    Devil

    Dear Router Makers,

    I know how hard it is to tell which part of your advertising budget is effective and which part is wasted. May I offer you a single anecdotal data point? As far as I'm concerned, the only effective part of your marketing is the ranking of your brand and model number on the OpenWrt webpage titled "supported hardware"...

  11. Reaps

    fucking cloud marketing collection shit

    See title, every fucker's doing it now, keyboards, mice - looking at you Razer, fucking everything, expecting condoms next.

    Only solution is to make it legal to fucking hunt marketing wankers.

  12. Anonymous Coward

    Predatory computing

    The latest and greatest trend.


Biting the hand that feeds IT © 1998–2020