Wish you could log into someone's Netgear box without a password? Summon a &genie=1

If you're using a Netgear router at home, it's time to get patching. The networking hardware maker has just released a tsunami of patches for a couple of dozen models of its kit. The flaws were found by Martin Rakhmanov at infosec shop Trustwave, which has spent over a year hunting down programming gremlins in Netgear's …

  1. Anonymous Coward
    Anonymous Coward

    Looks like Amber Rudd has start coding back doors herself.

    1. Anonymous Coward
      Anonymous Coward

      Amber Rudd's obsession...

      Can't help thinking Rudd's obsession stems from a cheating husband and subsequent divorce. I'm sure you become obsessed with any encrypted devices/data you can't see the contents of, in those situations and it never leaves you.

      Still, no reason to impose your beliefs on a whole nation, with the cost that entails, when there are far better ways to spend that money on other forms of technology to enhance people's lives, rather than more monitoring/surveillance.

      1. steviebuk Silver badge

        Re: Amber Rudd's obsession...

        I think it just stems from her being an idiot and simply not understanding how IT works.

        1. Anonymous Coward
          Anonymous Coward

          Re: Amber Rudd's obsession...

          Something a very clever Scottish Edinburgh graduate said to me while sitting in the Meadows (park), which I took on board, never forgot and which has proved its worth: never assume there is someone of intelligence behind a posh clipped English accent.

          It makes you see Amber Rudd/Theresa May/BoJo types in a whole new light.

        2. CrazyOldCatMan Silver badge

          Re: Amber Rudd's obsession...

          I think it just stems from her being an idiot and simply not understanding how IT works.

          ...and, as such, being very, very useful to the senior civil service types that want to ensure that they[1] can get data on anyone, anywhere at any time. Along the lines of "give me 6 words by an innocent man and I will be able to find something to hang him by".

          [1] After all, it's a remarkably common theme amongst home secretaries of all political colours for many years. Even ones that should stand for reduction of Government interference in the private lives of people.

    2. Anonymous Coward
      Anonymous Coward

      >Looks like Amber Rudd has start coding back doors herself.

      It was contracted out.......

      to Mickey Mouse.

      1. Anonymous Coward
        Anonymous Coward

        Go on, install that 'update'.

        Just thought I'd post the mickey mouse link:

        https://www.cyberaware.gov.uk/software-updates

        Great to think the Government (backed by clueless Amber Rudd obviously) can spend a fortune paying advertising execs to come up with their latest campaign to install software updates but do nothing to force fcukers like Netgear to provide the firmware/security updates for 6 years minimum in the first place.

        You can't help thinking, too, that blindly telling users to install the latest update isn't necessarily the best approach. The same approach of forcing a user into installing an update can be used to enable backdoors (and Governments), in the same way as peeling an onion layer by layer, so slowly that you don't notice your data is being exposed, i.e. the data slurping that has changed from opt-in to opt-out over newer versions of Windows 10, data slurping updates added to Win7, and also browsers like Firefox adding the default option "Allow Firefox to install and run studies", as well as adding a 'screenshots' screen grab technology directly into the browser that by default uploads to the cloud, no password.

        Blind updating per se (without due diligence to what you're installing), isn't a good thing either.

  2. a_yank_lurker

    Security by Stupidity

    I have heard of 'security by obscurity'. Netgear must have a new idea - security by stupidity. No one would be that stupid would they?

    1. Anonymous Coward
      Anonymous Coward

      Re: Security by Stupidity

      IMHO Netgear have a decades-long reputation for lack of security; I personally thought it was only the IT ignorant who still bought them.

      1. a_yank_lurker

        Re: Security by Stupidity

        Given Netgear is readily available at most retailers, it is not surprising that many buy them. Also, I am not sure even with 'security by stupidity' that their competition is any better overall in the home/home office market.

  3. Anonymous Coward
    Anonymous Coward

    Exactly why I don't use OEM firmware.

    Exactly why I don't use OEM firmware. Poor quality and support is non-existent.

    pfSense firewall and/or LEDE (or OpenWRT, DD-WRT, etc).

    1. Anonymous Coward
      Anonymous Coward

      Re: Exactly why I don't use OEM firmware.

      "Security through arrogance." is no defence either.

      Don't get me wrong, I'm a huge fan of FOSS, I do use DD-WRT, but just because the code is freely available doesn't mean it's not got bugs; it still needs to be verified it's safe by someone. Don't give me that "If enough people use it the bugs will come out", hmmm, that worked out well for the SSL bugs a year or two back. Too many FOSS-fanbois walking around with their fingers in their ears quoting the mantra "It's open source so it has to be safer by design". I can buy a steak at TESCO, it looks OK and I can see it perfectly through the plastic, but that doesn't mean it hasn't just spent the last 3 hours out of the fridge and won't give me the guts ache if I eat it.

      1. Maventi

        Re: Exactly why I don't use OEM firmware.

        > I do use DD-WRT, but just because the code is freely available doesn't mean it's not got bugs...

        Correct - those platforms (like most) absolutely have bugs. The practical advantage of those third party FOSS options is that the bugs are normally more complex, and more importantly the patches are released quickly; support usually continues longer after the manufacturer gave up on the hardware.

      2. Anonymous Coward
        Anonymous Coward

        Re: Exactly why I don't use OEM firmware.

        "Don't give me that "If enough people use it the bugs will come out", hmmm, that worked out well for the SSL bugs a year or two back."

        That was OpenSSL bugs, not SSL bugs ... OpenSSL is quite an exceptional case of the level of obfuscation in the code, preventing anyone from performing peer review, hence the indeed appalling bugs ...

        This is for one, admittedly very used, implementation only ...

        1. Voland's right hand Silver badge

          Re: Exactly why I don't use OEM firmware.

          Openssl is quite an exceptional case of level of obfuscation in the code,

          Concur - whoever modded that down has never ever had to read it and look for bugs. I have had to do that twice, finding issues in both cases, and I needed some PTSD therapy after both cases. As far as code bases go it is somewhere between GodAwful and the Zebra/Quagga/Frr code base (that one qualifies for the 8th circle of hell).

          1. Michael Wojcik Silver badge

            Re: Exactly why I don't use OEM firmware.

            whoever modded that down has never ever had to read it and look for bugs

            I'm quite familiar with the OpenSSL code - I've spent hours reading through it and debugging it.

            I modded OP down because the comment is historically ignorant and dumb.

        2. Michael Wojcik Silver badge

          Re: Exactly why I don't use OEM firmware.

          That was openssl bugs not SSL bugs ... Openssl is quite an exceptional case of level of obfuscation in the code, preventing anyone to perform peer review, therefore the indeed appalling bugs ...

          Every major TLS implementation was publicly found to have at least one severe, security-compromising bug in 2014 alone. Every one.

          You might try learning a little recent history before pontificating.

      3. Hans 1

        Re: Exactly why I don't use OEM firmware.

        @Venerable AC

        FFS, you do not get it.

        How many models have Netgear patched? How many are still vulnerable and are not going to be patched because, well, routers reach EOL after 2 or so years? Make it open source, and I can grab the diff, apply it, build and deploy ... if I want to become a hero, I create a github repo with ready-to-use firmware for everyone else who's been left out in the cold by reckless corporate scum who don't care about their customer base ... Netgear, D-Link, you name it ... once the box has reached EOL, you'd better get a new shiny ...

        What stuns me is the ?genie=1 ... what a bunch of arrogant 1d1ots ...

    2. Anonymous Coward
      Anonymous Coward

      Use DD-WRT/OpenWRT for longer support life, not better security

      The reason to use open source on your router isn't better security. While really boneheaded stuff like this isn't present, DD-WRT and OpenWRT don't and can't have perfect security.

      What they do have over vendor software on routers is longer term support. Anyone care to bet whether the list of routers in that Netgear advisory is ALL the ones affected, or only the more recent models they have chosen to keep supporting? Netgear isn't going to put out a press release stating "we have fixes for this list of affected routers, and we will not be providing fixes for this list of slightly older routers which are also affected."

  4. Kanhef

    That's no vulnerability

    It's a deliberately coded backdoor. Time to start investigating why it was added to the firmware, and who was behind it.

    1. Anonymous Coward
      Anonymous Coward

      Re: That's no vulnerability

      Most likely added during some testing phase and they forgot to remove it. If it were added as a backdoor I'd think whoever did it would be more subtle about it...

      1. handleoclast

        Re: That's no vulnerability

        Most likely added during some testing phase and they forgot to remove it.

        Stuff like that should be behind an #IFDEF (or whatever is the equivalent in your favourite language). And the same #IFDEF should also be wrapped around the following functionality:

        1) User interface has a prominent "Development Mode" notice displayed on all web pages (or equivalent for a non-web interface).

        2) Certain device functionality (in this case, the network connectivity) is disabled at startup.

        3) User has to click on "Go Live" (or suitable equivalent) to get normal functioning (but not removal of "Development Mode" warning)

        4) On reboot/power cycle, device starts up in Development Mode and is not live until user explicitly invokes step 3.

        That should be the case for any "make life easier during development" code. And it should be an instant dismissal offence to put in dev/test code which isn't wrapped in the #IFDEF.

        Yeah, there are lots of refinements you could add to the scheme. But something like that should be the bare minimum.

        It ain't rocket surgery. In fact, it's so damned obvious it shouldn't have been necessary for me to say it here.

        I wonder what I got wrong in the above. There's bound to be something. You can't #IFDEF Murphy's law.
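        The four-step scheme above, written out as an added example in C (this is illustrative code for the comment, not code from the original post, from Netgear, or from any router firmware). It assumes hypothetical names (`device_init`, `ui_banner`, `dev_go_live`, `admin_request_authorised`) and a build-time flag `DEVELOPMENT_BUILD`; `devtest=1` is a constructed placeholder for whatever the dev-only hook would look for. Compiled without `-DDEVELOPMENT_BUILD` the hook, its function and its call are all absent from the binary; compiled with it, the device boots with the banner set and networking down until an explicit "go live".

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Guard rail: a build that sets both flags is a configuration error and
 * must not compile at all. */
#if defined(DEVELOPMENT_BUILD) && defined(RELEASE_BUILD)
#error "DEVELOPMENT_BUILD and RELEASE_BUILD are mutually exclusive"
#endif

struct device_state {
    bool dev_mode;      /* true only when compiled with -DDEVELOPMENT_BUILD */
    bool network_live;  /* WAN/LAN services accept traffic */
};

/* Step 1: banner shown on every admin page. Empty in a release build and
 * never cleared in a development build. */
const char *ui_banner(const struct device_state *st)
{
    return st->dev_mode ? "*** DEVELOPMENT MODE: not for production use ***" : "";
}

/* Steps 2 and 4: every boot of a development build comes up with networking
 * disabled; a release build comes up live and has no dev branch at all. */
void device_init(struct device_state *st)
{
    memset(st, 0, sizeof *st);
#ifdef DEVELOPMENT_BUILD
    st->dev_mode = true;
    st->network_live = false;
#else
    st->network_live = true;
#endif
}

#ifdef DEVELOPMENT_BUILD
/* Step 3: the operator must explicitly bring the device live; dev_mode, and
 * with it the banner, stays set. */
void dev_go_live(struct device_state *st)
{
    st->network_live = true;
}

/* The "make life easier during development" hook itself. It sits inside the
 * same #ifdef, so a release binary contains neither this function nor any
 * call to it. "devtest=1" is a constructed placeholder for this example. */
static bool dev_hook_authorises(const char *query)
{
    return query != NULL && strstr(query, "devtest=1") != NULL;
}
#endif

/* Credential comparison whose running time does not depend on which byte
 * first differs; the only authorisation path a release build has. */
static bool credential_matches(const char *supplied, const char *expected)
{
    size_t ls = strlen(supplied), le = strlen(expected);
    unsigned char diff = (unsigned char)(ls != le);
    for (size_t i = 0; i < ls && i < le; i++)
        diff |= (unsigned char)(supplied[i] ^ expected[i]);
    return diff == 0;
}

/* Returns true when an admin request may proceed. */
bool admin_request_authorised(const struct device_state *st,
                              const char *query,
                              const char *password,
                              const char *expected)
{
    if (credential_matches(password, expected))
        return true;
#ifdef DEVELOPMENT_BUILD
    if (st->dev_mode && dev_hook_authorises(query))
        return true;
#else
    (void)st;   /* no dev-mode state is consulted in a release build */
    (void)query;
#endif
    return false;
}

int main(void)
{
    struct device_state st;
    device_init(&st);
    printf("banner: \"%s\"\n", ui_banner(&st));
    printf("network live at boot: %s\n", st.network_live ? "yes" : "no");
    printf("request carrying devtest=1 with a wrong password: %s\n",
           admin_request_authorised(&st, "devtest=1", "wrong", "s3cret")
               ? "ALLOWED" : "denied");
    return 0;
}
```

Build it twice (`cc ifdef_demo.c` and `cc -DDEVELOPMENT_BUILD ifdef_demo.c`) and compare: the release binary prints an empty banner, boots live and denies the request; the development binary prints the banner, boots with networking down and, as in the original scheme, stays visibly in Development Mode even after `dev_go_live`. The design point is that the gate is a compile-time one, so a forgotten hook cannot ship silently: either it is missing from the release binary, or the release binary is shouting "DEVELOPMENT MODE" at everyone who looks at it.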

  5. bombastic bob Silver badge
    FAIL

    "with remote configuration access enabled"

    THERE's your problem. That, and enabling UPNP. *SLAP* *SLAP* *SLAP* with a ginormous green onion... bad, no biscuit!

    1. hplasm
      Thumb Up

      Re: "with remote configuration access enabled"

      " *SLAP* *SLAP* *SLAP* with a ginormous green onion... "

      Rule 34!!

    2. Alistair
      Windows

      Re: "with remote configuration access enabled"

      Bob, your leek is showing.

  6. Michael Thibault
    Facepalm

    "execute arbitrary code on the router as root over the air"

    I don't know where to begin!

    It does occur to me that the bugs, backdoors, and flaws are not the priority. At all. The human(s) responsible should be identified, located, and beaconed. Everything they've touched, before and after, should also be closely scrutinized. It's the only way to be sure.

    1. Anonymous Coward
      Anonymous Coward

      I thought nuking from orbit was the only way to be sure.

  7. This post has been deleted by its author

  8. SteveCarr
    Thumb Up

    Thanks for the heads up

    Patched! Phew!

  9. TheSkunkyMonk

    shhh these aren't bugs they are features.

  10. Ole Juul
    Coat

    do the senators know?

    An American company is providing back doors that are available to the Chinese and Russian governments. No political mileage there though.

  11. redpawn

    Who needs security

    when all we do is watch cat videos?

    1. Ole Juul

      Re: Who needs security

      A malicious cat could potentially redirect you to dog videos.

    2. Anonymous Coward
      Anonymous Coward

      Re: Who needs security

      Those cats are Trojan Kitties.

  12. Anonymous Coward
    Anonymous Coward

    Full_Ford and other odd devices appearing on Windows 10 networks...

    Might explain the reports of phantom devices like "Full_Ford" appearing in Windows 10 Networks, which disappear when quizzed/right click properties.

    https://answers.microsoft.com/en-us/windows/forum/windows_10-networking-winpc/unknown-network-device/0e40bec5-c795-476c-ae8a-46bb180a856a?auth=1

    I've long suspected Netgear routers were compromised.

    What about older Netgear kit? No firmware patches for those, it seems.

    Netgear (if you're reading) - In the UK, kit has to be fit for purpose for 6 years under Consumer Law.

    1. Anonymous Coward
      Anonymous Coward

      Re: Full_Ford and other odd devices appearing on Windows 10 networks...

      Netgear (if you're reading) - In the UK, kit has to be fit for purpose for 6 years under Consumer Law.

      No, it's up to 6 years, the actual duration depending on what's reasonable for the type of product - and it's for a court to decide what's reasonable in each case.

  13. Serg

    Really?

    It's 2018 and it's still deemed acceptable to have these kinds of bypasses? Awesome.

    I'm all for a bypass which requires physical access to the device - after all, once you have that it's pretty much game over anyway - but URL bypasses are just so last decade. *cough*

  14. Anonymous South African Coward Bronze badge

    Yay, more "features" for world+dog to use...

  15. Name3

    Name me one home network device maker we can trust nowadays

    Why are all home network devices designed by idiots(?) / compromised three letterer paid employees.

    I mean, why do they use software stack from 1995? CGI web server. Perl scripts. Funky admin panels.

    Name me one home network device maker we can trust nowadays to deliver trustworthy hardware and software.

    1. AndrueC Silver badge

      Re: Name me one home network device maker we can trust nowadays

      Why are all home network devices designed by idiots(?) / compromised three letterer paid employees.

      Because they are built down to a price.

    2. paulf
      Meh

      Re: Name me one home network device maker we can trust nowadays

      If someone can*, it certainly won't be Netgear. I bought one of their top spec'd consumer routers (£120) back in 2012 and it was EOL'd within 9 months (barely 12 months after release). The ADSL bugs were never fixed and I bet it very quickly became a swiss cheese of security holes that have been found in the years since. The only reason mine was bearable to use was because support sent me a firmware beta that was never released to the unwashed masses. Official fixes were only available if you dropped £140 on the v2 HW, which was released about the time my v1 HW was EOL'd; i.e. Netgear were happy for me to junk HW still in warranty to get updates. That's when I swore off Netgear ever again for anything.

      *I have one name in mind because I have one but I can see the OP was posing a rhetorical question (plus I don't want to be accused of being a shill).

      1. Anonymous Coward
        Anonymous Coward

        Re: Name me one home network device maker we can trust nowadays

        >If someone can*, it certainly won't be Netgear. I bought one of their top spec'd consumer routers (£120) back in 2012 and it was EOL'd within 9 months (barely 12 months after release).

        Sadly it's an industry wide problem with slipshod attitude to security once the sale is made, FU we've got your money and no longer care unless of course you're interested in our shiny new model. I'm strongly in favour of legislation that says anything connected to the internet should be supported for security and bugs for a duration of 5-7 years, I would favour 7 as often things are in the sales channel for 1-2 years from release.

        We're running out of landfill space so we have to make things last longer and also I don't have a bottomless wallet.

    3. flingback

      Re: Name me one home network device maker we can trust nowadays

      DrayTek - consistently better performance and a positive attitude towards patches and bug fixes. You pay for it, but they have been sat on my perimeter for several years now without issue and with updates (even the oldest unit in our network).

      I honestly don't know why the likes of BT, vodafone, TalkTalk etc. don't use these guys for CPE instead of the crap that they do. I've swapped three systems for DrayTek in the past week and the only one that didn't show up a massive connections/second improvement was the BT Infinity6. Everything else, whilst not showing any noticeable difference on a Speedtest, elicited positive responses about how much snappier the internet experience was.

      So, you *can* have a responsible modem/router manufacturer, with patches, and great performance.

      1. Sir Runcible Spoon

        Re: Draytek

        My normal play-kit is enterprise level stuff, but even there I've occasionally had to deal with Draytek firewalls.

        Whilst it took a bit of working out I managed to get my head around their limitations and get them secured in a similar manner to a full-on enterprise firewall - VPN's, ACL's encryption domains etc.

        So for home users they are probably as close to business-grade devices as you are going to get for the price - just be aware that you need to dig under the bonnet a bit to make sure it's actually doing what you think you just told it to do via the GUI - there were a few little gotcha's that I came across in the order of processing (such as NAT/ACL's and enc-dom's etc.).

      2. porcus pious

        Re: Name me one home network device maker we can trust nowadays

        Draytek ha you're avin a laugh.

        Lots of Draytek experience - couldn't recommend them what-so-ever.

        Nor their spin-off Zyxel - in case you didn't know, ex-DrayTek guys invented Zyxel. Wonder where they got the ROMs from ... er, maybe.

        Would you want a Zyxel?

        1. Sir Runcible Spoon

          Re: Name me one home network device maker we can trust nowadays

          I used to have a Zyxel until it died on me, would definitely use one again. The UI was better than most for one thing.

    4. handleoclast
      Coat

      Re: Name me one home network device maker we can trust nowadays

      Netgear.

      You can trust them to fuck up.

      You can't trust the other manufacturers to always fuck up.

      Netgear: 10 out of 10 skiddies recommend it.

  16. TonyJ

    But...but...but...hard coded back doors are good for security. No one will ever find and/or compromise them and/or put them into the public domain.

    Move on folks...nothing to see here!

    1. Anonymous Coward
      Anonymous Coward

      If the Apple iBoot firmware can leak, anything can leak.

      If the Apple iBoot firmware can leak, anything can leak. There are billions riding on Apple and protecting its IP and it still leaked. It's a real good example of why there shouldn't be backdoors.

      Maybe even Apple compromised themselves to prove a point? If you need to argue the point against backdoors in Congress, how better to show the problem, by highlighting compromises against Apple itself. It's old code, so serves the purpose.

      Just sayin'. Apple have clever folk working there, that think outside the box. You give up something, to gain something much bigger.

  17. Colonel Mad

    "We'd also like to thank Netgear for their responsive and communicative product security incident response team. It's obvious that their participation in bug bounties has helped them improve their internal process for addressing issues like these." ®

  18. Anonymous Coward
    Anonymous Coward

    This is actually GOOD news...

    I live in an apartment and there are several Netgear routers in range.

    Saves me money by not having to purchase a VPN.

    What better way to meet the neighbors than a Handshake?

  19. mark l 2 Silver badge

    I still don't know why Netgear, Dlink etc don't use OpenWRT or similar on their devices rather than their own badly written crud.

    1. Anonymous South African Coward Bronze badge

      I still don't know why Netgear, Dlink etc don't use OpenWRT or similar on their devices rather than their own badly written crud.

      Come to think of it - why don't they all pitch up together, collect funds and pay a couple of OpenWRT (or whatever) hacks to code a proper OS for their routers/things?

      This way they can ensure that the code is Open Source, and bugs will be found, and be patched promptly, and they don't have to do the coding themselves.

      Just a thought.

    2. David Roberts
      Happy

      DD-WRT et al

      My Buffalo router claims to have an in house version of one of the open source router stacks, and includes instructions on how to load the real thing.

      One day my Tuit will be sufficiently round.

  20. msknight

    Yes... but...

    Are they still using that code which phones home connected mac addresses, and other information on the router, to Netgear central? Or have they been suitably embarrassed into behaving responsibly?

    1. Anonymous South African Coward Bronze badge

      Re: Yes... but...

      Whut?

      I've always had a Smoothwall behind such a router - the Smoothwall won't leak such information.

      Seems my decision not to trust these routers was a sound decision.

      1. Sir Runcible Spoon

        Re: Yes... but...

        *ALWAYS* put your own firewall in behind the outer one (whether your own or ISP provided) and ensure they are different makes.

        Turn off everything you don't absolutely need as well, most especially remote management from the WAN!

      2. H in The Hague
        Pint

        Re: Yes... but...

        "I've always had a Smoothwall behind such a router "

        Is that a product from smoothwall.com, or the open source firewall from smoothwall.org?

        If the first, what sort of cost are we talking about?

        Here's one for the weekend,

        H

  21. Anonymous Coward
    FAIL

    Many need a visit to update their router for them

    Many router owners cannot configure their routers, let alone patch the firmware;

    these routers have been installed by ISPs and the like when the network access package was purchased.

    A sign of things to come.

    Can we have IoT firmware on a read-only mini-SD card or something they could just slot in?

    Though this would allow others to jail-break the IoT device's system.

  22. MR J

    Simple answer, They dont care.

    I found a serious exploit that allowed someone on the WAN side to fetch the router password and enable remote login. You used a simple URL fetch pointed at the router, the router forwarded you to the Netgear website and would add a query line that included the information you needed to get the password. As it was a "Major" feature of all Routers they said they couldn't fix it.

    I tested on all Netgear products I had at the time (WNDR 3700, 4000, 4500) and a couple of other units. I also reached out about a year after I reported it and others replied that it was still there on other units. To date no firmware fix has been rolled out.

    June 6 2014 - Issue reported

    July 12 2014 - Netgear confirm the issue exists.

    July 15 2014 - Case attempted to close - I asked why

    July 17 2014 - Netgear tell me that these cases will close and reopen if a fix is found.

    February 10 2018 - Still not heard back, It's still there too......

    I did however speak to someone who deals with non-released hardware, and can confirm that no new hardware has this existing flaw. It's easy to fix - but super easy to exploit (all you need is a web browser!) so perhaps when all of their "Older" gear is gone then this exploit will be gone.
