Thousands of Netgear Routers Could Be Hacked — This is What to Do

Damn kids. Nearly a dozen Netgear home Wi-Fi router models have a serious security flaw that needs to be patched.

The affected models are the R6400v2, R6700, R6700v3, R6900, R6900P, R7000, R7000P, R7850, R7900, R8000, and RS400, most of which are in the "Nighthawk" line and are physically nearly identical. Firmware updates are currently available for all of these.

This flaw can be exploited by bad guys with access to Wi-Fi networks. For example, the R7000 is also labeled as a "Nighthawk AC1900 Smart WiFi Dual Band Gigabit Router."

To update your router's firmware, Netgear's security advisory recommends going to its support page at https://www.netgear.com/support/, then punch in your model number. From there, go to the model's support page; download the Zip file to your PC and unzip the file.

Then use your favorite web browser to access the router's management interface (most likely at http://192.168.1.1), click the [Advanced] tab, select [Administration], and click [Router Update]. From there you can upload the file to the router.

However, for most of these routers, it is as easy as downloading the firmware update directly to the router. Follow the steps for the web management interface in the paragraph above, but click the [check-for-update] button instead of uploading the file from your PC or Mac.

The problem here stems from the Disney-designed Circle parental control feature that was deployed on Netgear Nighthawk and Orbi mesh routers (some already in customer homes) as an optional add-on feature in 2017.

Orbis and the new Wi-Fi 6 Nighthawks got parental control software built in-house by Netgear earlier this year, but the Circle service was discontinued on older model Nighthawks in late 2020.

Here's the problem: If you have one of the affected routers, you have vulnerable Circle software on your device, regardless of whether you paid the $4.99 monthly fee for the Circle feature.

"The Circle update daemon containing the vulnerability can run by default, even if you have not configured your router to use the parental control feature," explained Adam Nichols of GRIMM, a D.C. area security firm, in a blog post. (Bleeping Computer previously reported this story.)

"While it does not fix the underlying problem, simply disabling the vulnerable code when Circle is not in use would have prevented the exploit on most devices."

In other words, there is a problem that probably came with software you didn't ask for and could have been introduced to your device via a firmware update after purchase.

We have published a number of security alerts about Netgear routers over the past few years, with at least two in 2020. While the resulting headlines have been negative, we want to reiterate that Netgear's consistent policy of finding, patching, and publicizing security flaws is a good thing.

The reason we don't hear much about security flaws from other major router manufacturers is that they don't tell us about them. At least we know how to fix it if something goes wrong with a Netgear router.

The same principle applies to Windows PCs, Macs, iPhones, and Android phones. All of these devices receive regular security updates to fix flaws and are better because of it. We don't need routers that don't receive firmware updates.

The flaw, cataloged as CVE-2021-40847, was discovered by researchers at GRIMM. They noticed that there was a Circle update daemon, or mini-program, called "circled" (possibly pronounced "circle-dee") on older Netgear Nighthawk routers.

After some investigation, they discovered that the Circle update daemon runs as root, is enabled by default, and can be exploited even when the Circle parental control feature is disabled.

"The Circle Parental Control Service update process on various Netgear routers allows remote attackers with network access to perform RCE (remote code execution) as root via a man-in-the-middle (MitM) attack," Nichols writes on the GRIMM blog.

Netgear firmware updates are downloaded over plain old unencrypted HTTP, so theoretically they could be intercepted, tampered with, and passed to the router in a poisoned form.

Netgear defends against this by encrypting and digitally signing firmware update files, making it much more difficult for an attacker to read, modify, or install modified firmware.

Circle does not. Its update files are simply a compressed database with no internal protection.

GRIMM has shown that it is not difficult to sneak malicious code into Circle's updates and take complete control of the router from there.

This may not be entirely Circle's fault. It may be that on Circle's own Disney hardware devices, which have since been discontinued, the firmware update connection was encrypted, eliminating the need to encrypt the update file.

If so, this new flaw may be the result of something that slipped through the cracks of the different update models when the Circle software was ported to the Netgear device.
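The contrast described above, between Netgear's signed firmware files and Circle's unprotected update file, shown as an added example (not code from Netgear, Circle or GRIMM): a device-side update handler in Go that checks a detached Ed25519 signature against a pinned vendor key before accepting an update. `UpdateClient`, the key pair and the update bytes are hypothetical and constructed for illustration.

```go
package main

import (
	"crypto/ed25519"
	"errors"
	"fmt"
)

// ErrBadSignature is returned when an update blob fails verification.
var ErrBadSignature = errors.New("update rejected: signature check failed")

// UpdateClient models the device side (hypothetical type). PinnedKey stands
// in for a vendor public key baked into the firmware image.
type UpdateClient struct {
	PinnedKey ed25519.PublicKey
	Installed []byte // last blob that was accepted
}

// ApplyUnverified is the weak pattern: whatever arrived over HTTP is installed.
func (c *UpdateClient) ApplyUnverified(blob []byte) { c.Installed = blob }

// ApplyVerified installs the blob only if the detached signature validates
// against the pinned key. The check runs before any parsing or unpacking.
func (c *UpdateClient) ApplyVerified(blob, sig []byte) error {
	if !ed25519.Verify(c.PinnedKey, blob, sig) {
		return ErrBadSignature
	}
	c.Installed = blob
	return nil
}

// Demo signs a constructed update, then simulates a modification in transit.
func Demo() (genuineErr, tamperedErr error) {
	pub, priv, err := ed25519.GenerateKey(nil) // constructed vendor key pair
	if err != nil {
		return err, err
	}
	blob := []byte("constructed-update-database-v2")
	sig := ed25519.Sign(priv, blob)
	c := &UpdateClient{PinnedKey: pub}
	genuineErr = c.ApplyVerified(blob, sig)
	tampered := append([]byte{}, blob...)
	tampered[0] ^= 0xff // one byte changed on the path
	tamperedErr = c.ApplyVerified(tampered, sig)
	return genuineErr, tamperedErr
}

func main() {
	ok, bad := Demo()
	fmt.Println("genuine:", ok, "| tampered:", bad)
}
```

With the signature check in place the transport no longer has to be trusted: a blob altered on an unencrypted connection fails verification and is never unpacked.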

Here is a list from the Netgear website of the firmware versions that should be on each device.
