Cybercriminals Are Infiltrating Netgear Routers with Ancient Attack Methods

It would be heartening to think that cybersecurity has advanced since the 1990s, but some things never change. Vulnerabilities that some of us first saw in 1996 are still with us.

If you don’t believe me, just take a look at the news. Last month, Virginia-based cybersecurity firm GRIMM announced that they had found a vulnerability that affects many Netgear home WiFi routers. The cause? Outdated firmware that allows remote users to access the administrative systems in these routers.

If you think this exploit sounds like a 1990s-standard input overflow flaw, well done. That’s exactly what it is. As Nichols put it in his very detailed blog post: “1996 called, they want their vulnerability back.”

Unfortunately, these kinds of vulnerabilities are all too common. In just the last year, we reported on the VPNfilter botnet’s compromise of 500,000 routers, the fact that Virgin media users were the target of a huge hack, and the rise of new and efficient WiFi phishing attacks that are still remarkably effective.

The Vulnerabilities

The primary vulnerability identified in these reports relates to a “feature” of NetGear routers called variously “Web Services Management” or “Remote Management.” The problem, as is so often the case with home Wi-Fi routers, lies in the web server built into the router’s firmware. The web server runs the web-based administrative interface on which router owners authenticate themselves with their administrative passwords.

Initially, it was thought that locking down the administrative privileges of these routers would make them secure. But then Lawrence Abrams at Bleeping Computer pointed out that a DNS rebinding attack could leave them vulnerable. By inputting a specific text string on two different models, researchers found that they could put the routers into update mode, bypassing the login process for the Netgear administrative interface. This completely circumvents the authentication normally required for these routers.

The Risk

The vulnerability has been proven to work on at least two routers, but it’s feared that it could affect dozens of models. The NetGear R6700 and R7000 routers are definitely vulnerable, and they have been since they were first released in 2013. Both of these routers were also among 50-odd routers for which Netgear pushed out a major set of security updates in early 2020. That set of updates addressed a different set of flaws.

Just how many Netgear routers are vulnerable remains a little unclear. GRIMM has suggested that up to 79 routers might be affected by the flaw. A much longer list of all 758 firmware versions were also found to be vulnerable, at least in theory. This represents almost all of the consumer-level routers that Netgear has released since 2007, barring a few high-end gaming routers.

Protect Yourself

For now, the best fix for these vulnerabilities is to follow the guidance and patches that Netgear has released. These include “hot fixes” for the R6400v2 and the R6700v3, both of which should be updated to firmware version 1.0.4.92. It’s important to recognize that these are not permanent patches but temporary workarounds that still leave open the chance of users falling victim to identity fraud at some point.

Netgear explicitly acknowledges this on their support page:

While the hotfixes do fix the security vulnerabilities identified above, they could negatively affect the regular operation of your device. Though our pre-deployment testing process did not indicate that these hotfixes would impact device operability, we always encourage our users to monitor their device closely after installing the firmware hotfix.

For this reason, it might be time for your organization to get a new router. If it’s you (or your organization) continue to use the affected routers, you must lock down access to them. A quick – if inelegant – fix is to limit remote access to these routers to a whitelist of trusted external IP addresses. However, be warned that this might cause difficulties if you are trying to manage remote routers via a dynamic IP address. It will still allow users on your internal network to exploit the vulnerability.

The Future

It’s also easy to predict what the future will hold for WiFi routers: vulnerabilities will continue to be discovered. Some of these will take advantage of the new, untested features that ship with the newest router models. Others, like those we’ve covered in this article, will have a decidedly vintage feel. For users and administrators, the major lesson of these recent flaws is clear enough – your WiFi router is your first line of defense against hacks, and they should be treated as such.


Bernie Brode talks aboutNetgear Router Vulnerabilities

About the Author: Bernard Brode (@BernieBrode) is a product researcher at Microscopic Machines and remains eternally curious about where the intersection of AI, cybersecurity, and nanotechnology will eventually take us.

Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.