Patches are coming to the models left uncovered

Jan 31, 2017 13:23 GMT

Thousands of Netgear routers are at risk of being hijacked after researchers found a serious security hole in them.

The flaws were found by security researcher Simon Kenin of Trustwave and reported to Netgear. Although some patches have been rolled out over the past year to fix the issue, many of the company's routers remain exposed.

The vulnerability allows an attacker who can reach the router's web interface to retrieve the admin password. It can be exploited from the Internet if remote administration is enabled and Internet-facing. That feature is usually turned off, but anyone who can join a network behind a Netgear router can exploit it locally; a café with public Wi-Fi, or any other place that offers one, is a good example.

It is well known that many people reuse their passwords. Once an attacker holds the router's admin password, they can enumerate the devices connected to the network and try the same password against each of them, adjusting the router's configuration along the way if that helps them get where they want.

Trustwave's Kenin points out that existing malware, including the Mirai botnet, could infect vulnerable routers and recruit them as bots. Where that is not possible, an attacker with admin access could change the router's DNS settings to redirect and infect machines on the network.

Almost a year in the works

The researcher came upon the flaw almost a year ago. He found that forcing an error message on his own router disclosed a numerical code, and that the router's password recovery tool would accept that code and hand back the admin credentials.

On further investigation, Kenin found that in some cases the numerical code isn't even needed: the credentials are revealed regardless of what parameter is sent. In practice, anyone who can reach the router's admin interface, whether over the web or the local Wi-Fi network, can obtain the admin password and take control of the router.
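To make the two defects concrete, here is a toy model added for this page. It is not Netgear firmware and not Trustwave's code; every class, method name and value in it (the fixed code "123456", the `id=` parameter, the credentials) is invented. It models the flawed flow, an error page that leaks the numeric recovery code and a recovery endpoint that returns the admin credentials whatever code it is given, beside a hardened version that keeps secrets off unauthenticated pages, issues short-lived single-use tokens, compares them in constant time and locks out after repeated failures.

```python
"""Toy model of a router password-recovery flow (constructed example, not Netgear's code)."""
import hmac
import re
import secrets
import time

# Constructed sample credentials stored on the device.
ADMIN_CREDS = {"username": "admin", "password": "example-only"}


class VulnerableRouter:
    """Models the flawed behaviour described in the article."""

    def __init__(self):
        # A fixed numeric code (constructed value).
        self.recovery_code = "123456"

    def error_page(self, path):
        # Defect 1: the error page discloses the recovery code.
        return f"404 Not Found: {path} (id={self.recovery_code})"

    def password_recovery(self, code):
        # Defect 2: the parameter is never compared with the real code,
        # so any value, or no value at all, returns the credentials.
        return dict(ADMIN_CREDS)


def code_from_error_page(body):
    """Attacker's side of the vulnerable flow: pull the leaked code out of the error page."""
    match = re.search(r"id=(\d+)", body)
    return match.group(1) if match else None


class HardenedRouter:
    """Generic error page, short-lived single-use tokens, constant-time check, lockout."""

    TOKEN_TTL_SECONDS = 300
    MAX_FAILURES = 5

    def __init__(self, clock=time.monotonic):
        self._clock = clock        # injectable for testing expiry
        self._tokens = {}          # token -> expiry time
        self._failures = 0

    def error_page(self, path):
        # No device secrets on an unauthenticated page; the path is not echoed either.
        return "404 Not Found"

    def issue_recovery_token(self):
        # On a real device this would sit behind a separate trust root (for
        # example a physical reset or security-question flow); here the
        # legitimate owner simply calls it. Hypothetical design, not Netgear's.
        token = secrets.token_hex(16)
        self._tokens[token] = self._clock() + self.TOKEN_TTL_SECONDS
        return token

    def password_recovery(self, token):
        if self._failures >= self.MAX_FAILURES:
            return None                          # locked out after repeated bad attempts
        now = self._clock()
        supplied = (token or "").encode()
        matched = None
        # Constant-time comparison against every outstanding token, so the
        # lookup does not reveal how close a guess was.
        for stored, expiry in list(self._tokens.items()):
            if expiry < now:
                del self._tokens[stored]         # expired tokens are discarded
            elif hmac.compare_digest(stored.encode(), supplied):
                matched = stored
        if matched is None:
            self._failures += 1
            return None
        del self._tokens[matched]                # single use
        self._failures = 0
        return dict(ADMIN_CREDS)


if __name__ == "__main__":
    v = VulnerableRouter()
    leaked = code_from_error_page(v.error_page("/nonexistent"))
    print("vulnerable: leaked code", leaked, "-> any guess gives", v.password_recovery("anything"))
    h = HardenedRouter()
    print("hardened: leaked code", code_from_error_page(h.error_page("/nonexistent")),
          "-> guess gives", h.password_recovery("anything"))
    tok = h.issue_recovery_token()
    print("hardened: real token works once:", h.password_recovery(tok), h.password_recovery(tok))
```

The vulnerable class shows why the article says the code "isn't even needed": once the endpoint ignores its parameter, leaking the code on the error page is only the icing. The hardened class treats the recovery token as a credential in its own right, with an expiry, a single use and a failure counter, which is the minimum a practitioner would expect from any password-recovery feature exposed on a network interface.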

“We have found more than ten thousand vulnerable devices that are remotely accessible. The real number of affected devices is probably in the hundreds of thousands, if not over a million,” Kenin notes, revealing the extent of this critical vulnerability.

Since the discovery, Trustwave has contacted Netgear multiple times. Netgear's first advisory listed 18 models as vulnerable; the second listed 25. In June, Netgear released a fix for a small subset of routers and a workaround for the rest. After later updates the list grew to 31 models, 18 of which are now patched, while 2 models that were previously listed as vulnerable are now listed as not vulnerable. Trustwave tested those two and found them still open to attack.

Just as Trustwave was about to publish its findings after Netgear stopped responding, the company got back to the researchers and promised changes. First, it pledged to push out firmware for the unpatched models on an aggressive timeline. Second, it committed to working with Bugcrowd, a third-party platform that vets submitted research and provides oversight of the patching process. Bugcrowd also runs a bug bounty program that rewards researchers who report their findings, which should encourage others to look for such bugs.

You can find a full list of affected models on Trustwave's page.