Flaw in Netgear Wi-Fi routers exposes admin password, WLAN details


  • Discourse touched me in a no-no place

    Just a quick note to any of you who have a Netgear router.

    A number of Netgear home wireless routers sport a vulnerability that can be misused by unauthenticated attackers to obtain the administrator password, device serial number, WLAN details, and various details regarding clients connected to the device

    They've confirmed the vulnerability on 4 models so far, but it could affect more.

    What's more disappointing is the response from Netgear

    Attempts to clarify the nature of this vulnerability with support were unsuccessful. This ticket has since been auto-closed while waiting for a follow up. A subsequent email sent to the Netgear 'OpenSource' contact has also gone unanswered.


    Filed under: "thanks for finding a severe bug in our shit (for free) and reporting it to us", things that sound familiar

  • sockdevs

    Doesn't look like mine's on the list.

    Still, not exactly a confidence-inspiring response…



  • A consumer router with a serious security flaw that the manufacturer does not give a shit about? Shocking, shocking I tell you! I'm sure the FBI will intervene.


  • sockdevs

    well at least it's easy to mitigate, just turn off remote management (which should never be turned on anyway)

    and then there's the option of flashing to Tomato or DD-WRT.


  • Discourse touched me in a no-no place

    Agreed, although Tomato always makes me feel hungry.

    I'd also add "not buying a shitty router in the first place" to the list of things you can do to mitigate the situation.


  • sockdevs

    @DoctorJones said:

    not buying a shitty router in the first place

    well yes, thing is 90% of the time IME what makes the "shitty router" shitty is the manufacturer's software. once you flash them to Tomato or DDWRT they generally become quite capable devices.

    why spend $90-150 on a router when i can spend $50 on a "shitty router" and do a brain transplant to make it on par with the routers available for $90-150?



  • Man...I hear a lot of people messing around with routers on TDWTF. Sounds like a PITA.



  • My router's not on the list but I'll have to check it when I get home. And/or finally sit down and figure out how to flash some sensible firmware on it.


  • Discourse touched me in a no-no place

    It depends if you actually care about decent hardware or not, and your needs.

    My broadband is ADSL, so the modem chipset is pretty important for me. The best chipsets available are broadcom (which allow you to tweak the SNR to improve connection stability and speed), but most routers come with cheap shitty chipsets.

    As far as I know, you can't flash a router and make the chipset less shitty.

    FYI I use Billion routers because they use broadcom chipsets and are also fairly cheap.


  • sockdevs

    hmm... ok. yes. don't cheap out on your modem (or modem/router)

    that's important.

    but once you're on ethernet all you really care about is can the device keep up with your network (assuming you're on at least Cat5 (and preferably Cat5e or Cat6))



  • @boomzilla said:

    Man...I hear a lot of people messing around with routers on TDWTF. Sounds like a PITA.

    It is a bit.

    I don't have a choice with mine - it's an ISP supplied one or nothing.



  • @loopback0 said:

    I don't have a choice with mine - it's an ISP supplied one or nothing.

    I've pretty much just always used the one I got from my ISP and never had a problem.


  • sockdevs

    @loopback0 said:

    I don't have a choice with mine - it's an ISP supplied one or nothing.

    Ditto, so what i do is configure it for full bidirectional NAT to one IP assign a good router that IP statically (usually 10.0.0.1 because why not?) and then hook my network into the router i do control.

    or i go and buy my own cable modem, fake a call to tech support about not being online and needing to reenter the connection configuration to the router and convincing tier3 to just tell me how to do it instead of sending a technician. and plug that info into the cable modem i bought and leave the ISP's model sitting in a box in my closet.

    that route doesn't always work but i like it a lot more when it does.



  • I wouldn't change it either if I had a choice.

    If I can connect to the Internet with it through wifi and Ethernet, that's all it needs to do.



  • @accalia said:

    Ditto, so what i do is configure it for full bidirectional NAT to one IP assign a good router that IP statically (usually 10.0.0.1 because why not?) and then hook my network into the router i do control.

    What? Two devices where one suffice?
    What do you actually need that warrants that setup?

    @accalia said:

    or i go and buy my own cable modem

    There's one cable ISP, and you have to use their supplied modem/router.



  • I recently got crazy and did my first port forwarding, so my kids' friends could access my local minecraft server. I guess if I was doing something serious I could see wanting something else. Now, I do have another router hooked up for better wireless coverage in another part of the house, but...jeez, flashing firmware and shit...

    :donotwant.bmp:



  • Oh yeah, port forwarding, but I've never had an ISP supplied router that didn't do that. It seems a lot like doing something for the sake of doing it, rather than gaining a functional benefit.


  • sockdevs

    @loopback0 said:

    What? Two devices where one suffice?

    i don't trust their cable modem, not even as far as i can throw it.

    @loopback0 said:

    What do you actually need that warrants that setup?

    see trust issues above. also the fact that i have more than four wired computers and so need more ports.

    @loopback0 said:

    There's one cable ISP, and you have to use their supplied modem/router.

    same here, but if they don't know you're not using their equipment then all the better for me. the only reason they want you to use theirs is so they can charge you ourtrageous rental fees... your standard off the shelf cable modems work just as well, if not better.

    Just keep their official modem around just in case you actually do need a technician visit



  • @accalia said:

    i don't trust their cable modem

    You don't trust what?

    @accalia said:

    the only reason they want you to use theirs is so they can charge you ourtrageous rental fees

    We don't rent cable modems. That's silly.

    @accalia said:

    if they don't know you're not using their equipment then all the better for me

    You missed the have to use their modem bit. It's not optional technically.
    And, as they're the only one and have that rule, no one sells cable modems anyway.


  • area_deu

    @accalia said:

    more than four wired computers and so need more ports

    Wouldn't a switch suffice?


  • sockdevs

    @loopback0 said:

    You don't trust what?

    My ISP's cable modem

    @loopback0 said:

    We don't rent cable modems. That's silly.

    well our ISP does. at a rate that would buy the modem outfight in 3 months, but you don't ever stop paying the rent.

    @loopback0 said:

    You missed the have to use their modem bit. It's not optional technically.

    Who the fuck does that?

    @loopback0 said:

    no one sells cable modems anyway.

    *cough* amazon *cough*

    @aliceif said:

    Wouldn't a switch suffice?

    what? and use three devices when i only need two?



  • @accalia said:

    My ISP's cable modem

    You don't trust what about it?

    @accalia said:

    Who the fuck does that?

    An ISP who doesn't want to support a billion different modems among other reasons.
    I don't know, it doesn't matter. It works superbly, so there isn't really a problem.


  • sockdevs

    @loopback0 said:

    An ISP who doesn't want to support a billion different modems among other reasons.
    I don't know, it doesn't matter. It works superbly, so there isn't really a problem.

    Virgin Media?



  • @RaceProUK said:

    Virgin Media?

    Did the "one cable ISP" narrow it down? :laughing:


  • sockdevs

    @loopback0 said:

    You don't trust what about it?

    how secure it is. so by setting it up to forward everything to a router i do trust if it gets compromised my network isn't compromised.

    @loopback0 said:

    An ISP who doesn't want to support a billion different modems among other reasons.

    this i get, but then they can accomplish that by simply saying "you're not using our modem. that's an unsupported configuration. here's our help forum maybe someone else can help you. feel free to call back if you want to use our modem"

    no need to deliberately poison their network so that their modem is the only one that actually works!



  • @accalia said:

    they can accomplish that by simply saying "you're not using our modem. that's an unsupported configuration. here's our help forum maybe someone else can help you. feel free to call back if you want to use our modem"

    Which really cheers customers up, and improves NPS no end. It's much simpler to support a handful of your own devices.
    And the like 6 customers who it bothers can stick the router into modem only mode and connect it to a router anyway.


  • area_deu

    Cable seems like a can of worms that I do not ever want to touch, the more I hear about it.

    Being chained to a specific modem just sounds wrong, anti-competitive and evil.


  • sockdevs

    @loopback0 said:

    And the like 6 customers who it bothers can stick the router into modem only mode and connect it to a router anyway.

    granted, but i'm still confused as heck as to why they deliberately poison their own well rather than just never admitting that any other modem works and telling the 6 people who want to be snowflakes to take a long walk off a short pier.



  • @aliceif said:

    Being chained to a specific modem just sounds wrong, anti-competitive and evil.

    That's what FiOS does, too. It's never seemed like a big deal.

    @accalia said:

    admitting that any other modem works

    I'm not sure if that would work with FiOS, not that I've ever been interested in finding out. We have a coax cable that comes out from the box on the wall that gets split. One goes into the modem / router and the other goes to the TV box.



  • @aliceif said:

    anti-competitive

    There's a choice of one company, does that matter?

    @accalia said:

    deliberately poison their own well

    I wouldn't say it was poisoning.
    It really does work better for customer experience.
    They install a modem/router, it doesn't directly cost the customer anything, and the engineer can leave the customer's house quickly without pissing about with other modems knowing that the customer's service works.
    Self-install is easy - open the box, connect it, call up. Minutes spent with no config. Working internet.
    It breaks at any point? A man in a van brings a new one. For free. He leaves again knowing the customer's service works.

    edit: Diagnosing faults must be much easier too. Again, better customer experience.



  • @DoctorJones said:

    The best chipsets available are broadcom (which allow you to tweak the SNR to improve connection stability and speed), but most routers come with cheap shitty chipsets.

    The best ADSL chipsets are Broadcom. The best router chipset is whatever little ARM box you feel like running Debian headless on.

    I have this cheap Chinese modem (Broadcom chipset) and use one of these running Debian as a router. It's monstrously capable compared to anything you'd find inside a typical ADSL modem/router combo, and I manage it over ssh so I'm equally comfortable doing that from inside or outside my LAN. This setup has been working beautifully for a year and a bit.



  • @loopback0 said:

    Two devices where one suffice?

    Point is that router config can get quite involved, so it's nice to be able to do that on something completely portable. When (not if) my present ADSL modem takes lightning damage, I can just switch it out for anything else that happens to be cheap on the day; as long as it can work as a PPPoE bridge, I don't even have to touch my router config - it will Just Work. And if my present Beaglebone Black gives up the ghost, I can just grab any old ARM box and bring up my backup of my present Debian userland on top of whatever kernel it uses without needing to change a thing there either.

    Even a change of CPU architecture is pretty easy to cope with, given a backup of /etc and a list of installed packages.


  • Discourse touched me in a no-no place

    @loopback0 said:

    [port forwarding] seems a lot like doing something for the sake of doing it, rather than gaining a functional benefit.

    I actually use that aspect of mine quite a lot (but only because I got comfortable using it on our systems at work first.)

    http://pjh.homeip.net/ (my Discourse install) for example will get you one box on my network.

    https://pjh.homeip.net/time/ (from here, self-signed cert warning if you've not seen it yet) will get you a different one (because Discourse above :rolleyes:)

    I also run DNS that I use at work from there as well (don't bother trying - it's whitelisted only to my work IP)

    I've also got a couple of SVN servers, and SSH on non-standard ports... (for example, 11001 for one box, 12001 on another, 130001 on yet another. Actual numbers obfuscated for obvs reasons.)

    Previously I've had services running on other PC's in my house (not currently) as well. Testing AD as a PoC for our systems was one such.

    Stock Virgin Media modem, if relevant, since I saw them mentioned up-topic.



  • I'm with telfort, on FttH. That means I've got 2 boxes anyway - an NT (you're not allowed to call them modems for some reason) and a router. Router is my own - theirs has never been plugged in and is sitting on my shelf.

    Pretty nice connection - I get 4ms to the big Amsterdam datacenters (AMS/IX), of which at least 10% is on my own copper.



  • @PJH said:

    actually use that aspect of mine quite a lot (but only because I got comfortable using it on our systems at work first.)

    The doing something for the sake of it comment was about changing the modem or adding another device.

    I use the port forwarding on mine too.



  • @PJH said:

    Stock Virgin Media modem, if relevant, since I saw them mentioned up-topic.

    Yup. Same. One box, does everything needed.

    Multi quote on mobile not possible.


  • Discourse touched me in a no-no place

    @DoctorJones said:

    My broadband is ADSL, so the modem chipset is pretty important for me. The best chipsets available are broadcom...

    @flabdablet said:

    The best ADSL chipsets are Broadcom. The best router chipset is whatever little ARM box you feel like running Debian headless on.

    Why did you miss-quote me to correct me for something I already stated?


    Filed under: my troll sense is tingling, +1 would be trolled again


  • @loopback0 said:

    What? Two devices where one suffice?What do you actually need that warrants that setup?

    I like to have my own device behind theirs so that when they inevitably tell me to do a factory reset on it before sending a tech out for an obvious down line, I don't lose anything.

    I actually have this:

    This allows me to put three SSIDs on my access point. The guest SSID doesn't go through my LAN and is limited to 256kb/s up and down. That allows guests to check their email but prevents leechers from seeing it as useful. The outside SSID bypasses my network. This is the one I give to guests and family members that need Internet access. My network can't catch any malware from their laptops. The third connects the device directly to my internal network. Things like my AppleTV use this one.



  • @PJH said:

    SSH on non-standard ports

    gets probed a ridiculous amount less often than ssh on the standard port.



  • @DoctorJones said:

    Why did you miss-quote me to correct me for something I already stated?

    Misquote? No intent to do that.

    My reply was intended to highlight the point that the chipset you typically find inside a consumer ADSL modem/router, Broadcom or not, usually includes a fairly dismal SoC CPU with a sadly restrictive amount of RAM attached. If you want to not have hassles with e.g. maintaining a huge number of concurrent BitTorrent connections, moving the routing out to a more capable second box usually pays off.


  • sockdevs

    @flabdablet said:

    gets probed a ridiculous amount less often than ssh on the standard port.

    fun fact, i run a honeypot on port 22 on one of my personal servers. It's a crippled ssh instance that'll connect and accept any authentication whatsoever, then drop the connection immediately after authentication.

    it's funny seeing the logs of who tries to get in there, and how long they keep trying before they give up.



  • I have fail2ban installed on the ssh-exposed box at school, configured to drop traffic from any box that fails three logins for 24 hours. Currently there are 32 IP addresses in the blocked list; overall I've blocked 1234 IP addresses.

    The overwhelming majority of them are from China.

    Is there anything in your logs suggesting you're being probed by actual humans? I imagine it's almost entirely bots in this day and age.


  • sockdevs

    @flabdablet said:

    I have fail2ban installed on the ssh-exposed box at school, configured to drop traffic from any box that fails three logins for 24 hours. Currently there are 32 IP addresses in the blocked list; overall I've blocked 1234 IP addresses.

    hey! that's what i have on my actual SSH port!

    i limit you to three failures in 15 minutes for a 1 hour ban and 5 in 24 gets you a 7 day ban. 7 in 30 days gets you permanent.

    @flabdablet said:

    The overwhelming majority of them are from China.

    korea mostly for me, but china is up there. between the two of them they have 70% of the attempts

    @flabdablet said:

    Is there anything in your logs suggesting you're being probed by actual humans? I imagine it's almost entirely bots in this day and age.

    for the honeypot it's mostly bots, but i get the occasional human doing wardriving with a port scanner.



  • There are some cool tools available now for folks who enjoy this kind of thing.


  • Grade A Premium Asshole

    I usually make up our home network out of whatever gear I pull from a business. This week we are doing a wireless upgrade at a hospital and I was all excited because I need new APs at home. No dice, they are all Meraki which may as well be useless unless I want to pay for the subscription...


  • Discourse touched me in a no-no place

    @flabdablet said:

    I have fail2ban installed on the ssh-exposed box at school, configured to drop traffic from any box that fails three logins for 24 hours.

    We usually just start out by configuring ssh to only allow login with an RSA key, and then put an aggressive fail2ban policy in place (I think it's something like two failed attempts in 7 days gets a block). It doesn't matter too much as anyone with auth can get in reliably anyway.

    Unfortunately, can't just outright block SSH access from China and Korea. Too many legitimate students from there. :smile:


  • Discourse touched me in a no-no place

    @flabdablet said:

    gets probed a ridiculous amount less often than ssh on the standard port.

    Plus the fact that unless I want to SSH into one box on the network in order to get onto another, I can get there in one hop if they're on different (external) ports.


  • Discourse touched me in a no-no place

    @flabdablet said:

    fail2ban

    OSSEC here - and - I've had remarkably few alerts recently - especially on my webservers..


  • BINNED

    @boomzilla said:

    port forwarding

    Meet my nemisis:

    Port forwarding simply doesn't work. At least not with firmware they ship it to customers with.

    @accalia said:

    also the fact that i have more than four wired computers

    Hah! 4! We get 4-port routers with 2 ports on a separate VLAN reserved for IPTV. No, it doesn't matter if you actually use IPTV. And they are mostly locked down to hell, so no VLAN settings are available.


  • Discourse touched me in a no-no place

    @Onyx said:

    Meet my nemisis

    I think we're all familiar with Blakey.


Log in to reply
 

Looks like your connection to What the Daily WTF? was lost, please wait while we try to reconnect.