Netgear router
Netgear router
How to find out if your model is at risk, and what to do about it
December 29, 2016
West Palm Beach, FL - by Dan Tynan - Netgear is scrambling to fix a software bug in its wireless routers that could leave many home networks vulnerable to remote attacks.
The flaw, which was first noticed in August but wasn't widely discussed by security experts until this past weekend, includes many routers in Netgear's popular Nighthawk series.
The company started offering a patch for the bug on Tuesday, though only for some models. The company also warned that the fixes may not install properly on every router.
The list of affected models includes the R7000 recommended in Consumer Reports' ratings, as well as the R6250, R6400, R6700, R7100LG, R7300, R7900, and R8000.
Netgear has a full list of affected routers on its website.
If you own a Netgear router, you can find the model number on a label on the bottom of the device.
To exploit the software flaw, an attacker would have to email you a link containing the URL for your Netgear router's Web control panel; the URL includes a brief command. If you unknowingly click the link, you grant full access to your router's administrative controls.
That means an attacker could change the router settings, reroute your browser to sites under his or her control (to, say, steal your banking log-ons), turn on your webcams, and see all the unencrypted data you send and receive.
How to Fix It
Netgear released beta versions of the fix on Tuesday for five models—the R6250, R6400, R6700, R7000, and R8000—along with instructions on how to install the fix on your router. On Wednesday, the company added beta fixes for six more routers—the R6900, R7100LG, R7300DST, R7900, D6220, and D6400.
Users need to install the fix themselves. Like most routers, these Netgear models cannot be updated without input from the user.
The list of affected routers may grow as Netgear continues to test models. In fact, a Dutch computer researcher living in the UK, Bas van Schaik, claims on his blog that he has already identified others.
Consumer Reports installed the fix on an R8000 router in the lab; it took about five minutes to download, and a few minutes to install.
One note: The directions at the Netgear site tell users to click on "firmware upgrade" when they are in the browser interface; the actual language we saw before installation was "router update."
The US Computer Emergency Response Team (US-CERT) issued a warning about the bug last Friday, but Netgear was alerted to the flaw in August, via its security advisory page.
The warning "slipped through the cracks," says Nathan Papadopulos, Netgear's head of global communications. He added that Netgear has not received support calls from users that would indicate an attacker has exploited this vulnerability. The company is sending emails to registered users alerting them to the flaw and any fixes.
"Netgear is continuing our investigation of the issue and will continue to provide updates to the security advisory article as we make more progress on addressing this issue," Papadopulos says.
