Got a Netgear wireless router? You’ve got a security problem

A warning has been issued about what appears to be a serious security issue affecting several Netgear WiFi routers, which could result in hackers stealing sensitive information, including admin passwords and wireless keys.

Details of the vulnerability were published (alongside proof-of-concept exploit code) by security researcher Peter Adkins, who explained that the flaw lay in the SOAP service embedded inside the vulnerable Netgear routers.

SOAP (Simple Object Access Protocol) is used by the Netgear Genie desktop app to provide an easy way for users to perform a number of functions on their router, including setting up parental controls, changing wireless credentials, etc.

Adkins found a way to send carefully-crafted HTTP requests to the SOAP service embedded inside the routers, tricking them into executing commands without the session having been authenticated. Sensitive information can then be accessed.

In short, someone malicious connected to your WiFi network could exploit the vulnerability to obtain the administrator password, details of the wireless network, the device’s serial number and details on what clients are connected to the router.

But things get even worse if you have enabled remote management on a vulnerable Netgear router, as hackers could then exploit it remotely across the internet.

Ouch!

It is reported that the vulnerability has been confirmed to be present in the NetGear WNDR3700v4, NetGear WNR2200, NetGear WNR2500, NetGear WNDR3700v2, NetGear WNDR3700v1, NetGear WNDR4300, NetGear R6300v2, and NetGear WNDR3800. In addition it is believed that the NetGear WNDRMAC, NetGear WPN824N and NetGear WNDR4700 may also be affected, and Adkins warns that the vulnerability may also be present in other devices not yet known about.

Adkins claims that he attempted to explain the issue to Netgear’s support team in January (having failed to find a more direct route to raise a security issue) but was disappointed with their response:

The initial response from NetGear support was that despite these issues “the network should still stay secure” due to a number of built-in security features. Attempts to clarify the nature of this vulnerability with support were unsuccessful. This ticket has since been auto-closed while waiting for a follow up. A subsequent email sent to the NetGear ‘OpenSource’ contact has also gone unanswered.

So, what should you do? Well, while you are waiting for a security patch from Netgear the most sensible courses of action would appear to be to ensure that remote management is disabled on your device, and only allow trusted devices to access your local network.

You may also wish to lobby Netgear to set up a clear and obvious channel through which security vulnerabilities should be reported, as it appears that Adkins’ attempts to find someone who understood the seriousness of the issue inside Netgear’s regular technical support team failed.

About the author

Graham CLULEY

Graham Cluley is an award-winning security blogger, researcher and public speaker. He has been working in the computer security industry since the early 1990s, having been employed by companies such as Sophos, McAfee and Dr Solomon's. He has given talks about computer security for some of the world's largest companies, worked with law enforcement agencies on investigations into hacking groups, and regularly appears on TV and radio explaining computer security threats.

Graham Cluley was inducted into the InfoSecurity Europe Hall of Fame in 2011, and was given an honorary mention in the "10 Greatest Britons in IT History" for his contribution as a leading authority in internet security.

13 Comments

  • I also attempted to contact Netgear on this issue and got even less far than Peter did. It really does beg the question I asked earlier in the week, what is an independent security researcher to do when met with a corporate brick wall? I actually had this situation in mind when asking. Anyone got any ideas? Because I’d really like to know.

  • The initial response from NetGear support was that despite these issues “the network should still stay secure” due to a number of built-in security features.

    Perhaps they’re confusing their routers with the (extra-thick) skull surrounding their brain?

    Yes, well, if that makes them feel more comfortable, I guess it must be fine. In any case, remote administration is risky business in general.

    (Incidentally, a drill could still penetrate that skull no matter what they believe… sort of like… well, never mind)

    • Sad how bad netgear has become. Netgear was one of my first wifi routers and it was great.
      Now, I have a new R7500 router and the webui is miserably slow and complicated. Too many products and not enough quality control.
      I should have bought an ASUS router, but the netgear was on sale.
      Live and learn.

  • It would be interesting to know if this vulnerability is present on the Virgin Media versions of Netgear routers with SOAP capability, such as the VMDG485 (VM Superhub 2). If so, perhaps if Virgin Media, with their 4.5 million broadband customers asked Netgear about it, it would resonate a little louder within Netgear?

  • […] A flaw in several Netgear wireless routers can allow hackers to access admin passwords, wireless keys, and other sensitive information. The SOAP (Simple Object Access Protocol) in the Netgear routers can be tricked by using carefully-crafted HTTP requests which can allow access to private information. For more on this topic, please click here:: Got a Netgear wireless router? You’ve got a security problem […]

  • I believe that when I bought my router, and asking customer support, for help to install, that net gear tech support, slam sale me to buy their security service, that remotely installed features and software and went into my dos portion to mirror, copy and steal my personal info, for identity fraud at a later time. I can’t prove this. But I believe this. They also wanted to also remote access to my smart phones, my laptops, and everything else I owned, that was wireless.
    All of my wireless products shortly thereafter, within nine months crashed, with immediate return phone call support from these same people demanding further support and remote access on new computer tablet and smart phone. I refused, and can’t understand for the life of me, why they would be so very upset when I disclosed being a new customer of lifelock security. Be very careful with net gear products and customer support selling you a service that allows a network to steal, use and hack your personal info. I believe they’re thieves. Amongst customer service that corporate is unaware of robbing their customers for their own personal gain. Wake up net gear risk management.

  • PLEASE HELP! I bought a Netgear router R6100 at Walmart with a protection plan. Now it has been not working, dropping wifi all the time, dropping the other wifi attached products off my phone and I have been given the run around by Walmart, the protection plan, which sent me to Netgear, they gave me the run around, I talked to two Netgear techs, and they hung up on me! They have my phone number, never called back. Who can I call in Michigan or nationally to get this problem taken care of! Also I worry about hackers getting into my computer. Netgear denies it.

  • The vulnerability is for sure also on my Netgear N600 router, I plan to wait until just before quitting time and then phone up my ISP provider and yell quick I need a non Netgear router! I also told every one of your customers they’re insecure! Imagine the fun….

  • The two latest comments here (March 11 and April 16, 2016) appear to come from sock puppets advertising http://www.netgearrouterhelp.com/. The deceptively named site has nothing to do with Netgear. The text on the site suggests it was badly auto-translated from some other language ("Netgear router help is an excellence place"). For all I know it is a terrific 3rd party support site but buyer beware.

    I'm not leaving my real name or email, because I don't need to be trolled.