Tuesday, January 18, 2022

Quietly, Netgear Kills Web-based Remote Management, Pushing Mobile Apps

Here’s some potentially upsetting news for those who use Netgear home Wi-Fi routers.

As it turned out, for some time now, the networking vendor has been quietly removing the handy web-based Remote Management feature from its devices.

I first noted this when reviewing the WAX204 back in March 2021 but assumed it was a one-off. However, when testing the latest Orbi RBKE960, which also doesn’t have this feature, it became evident that this is a deliberate and systematic move.

I reached out to Netgear, and the company confirmed that it has been phasing out this feature entirely.

Here’s the Web-based Remote Management section within the interface of an Orbi router — when still available. Note how you can change the port number to make it more secure.

So what is Remote Management anyway?

Web-based Remote Management is a valuable feature that allows users to remotely access a router’s web interface the way they do locally when at home.

It’s also available in other networking brands under different names, such as Remote Access, Web Administration, or Web Access from WAN. In other words, it’s common. Advanced users generally expect and assume that it’s there.

For example, suppose you’re traveling and for some reason need to change your home Wi-Fi settings, restart your router, block a device, or even wake up a local device via Wake on LAN.

Remote Management allows you to do that using the web browser of any Internet-connected computer or a mobile browser on a phone/tablet. It’s like you’re still home.

This remote administration feature works with the Dynamic DNS to give you complete control of your router, hence, your home network, without the involvement of any third party.

Remote Management is generally turned off by default. I wrote about how to turn it on and use it securely in this piece on DDNS.

It’s worth noting that remote access can indeed be a security risk when not configured correctly.

What did Netgear do exactly, and why?

The company didn’t make any announcements or provide any guidelines. Instead, it simply excludes the feature from its new routers starting this year.

Furthermore, it also removes this feature on existing Orbi and Nighthawk routers via firmware updates. (So far, gaming routers running DumaOS, like the XR1000 or XR500, seem not affected.)

There’s no specific timeline for every affected model, but according to Netgear, the Orbi RBK750 series and Orbi RBK850 series had this feature removed when upgraded to firmware ver. 4.6.3.7 and ver. 4.6.3.9, respectively.

In both cases, the removal of the feature wasn’t spelled out, but labeled as:

“Fixes security vulnerabilities.”

It’s important to note that I reviewed these two models and most other Netgear routers when they still had Remote Management, which played a part in how I rated them.

The Orbi RBKE960 and WAX204 were the only two in which I experienced the lack of this feature during the testing.

You read that right. On existing routers, this feature will be removed when you upgrade to the latest firmware if it is disabled, which is the default.

In other words, on routers that have this feature, you must enable it if you want to keep it. And that was also the reason why its removal came as a surprise since I had always used this feature in all (Netgear) routers, when available.

Below is the statement on the matter that Netgear provided me earlier this week:

“For any existing Orbi and Nighthawk product where the Remote Management feature is currently disabled, we will remove the ability to enable the feature. If an existing user previously enabled Remote Management, we will leave the support as enabled.

By turning on the Remote Management feature, a user will expose their router’s Web interface to the entire outside internet. Although Netgear attempts to make our web interface as secure as possible, there is always the possibility of new security vulnerabilities being discovered.

If a vulnerability related to the web interface is found, the level of risk to a customer with Remote Management enabled is much higher as that vulnerability can now potentially be exploited from anywhere on the outside internet, rather than from just within their local LAN.

Netgear now offers remote management capabilities via our Orbi and Nighthawk mobile apps, which use a much more secure mechanism of accessing the devices and does not require opening a port to the external internet.”

So, Netgear cited the reason for the removal as a “security” matter. And it has a point.
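The exposure Netgear describes can be checked directly. The following is an added example, not code from this article or from Netgear: run from a network outside your home (a phone hotspot, for instance), it reports whether the port you set for Remote Management answers from the internet and whether it speaks TLS or plain HTTP. The host name and ports are whatever you pass in, and `probe_admin_port` and `exposed_ports` are names made up for this example.

```python
"""Added example: check from OUTSIDE your LAN whether a router admin port answers."""
import socket
import ssl
import sys


def probe_admin_port(host, port, timeout=3.0):
    """Return 'unresolved', 'closed', 'filtered', 'open-https', 'open-http' or 'open-other'."""
    try:
        socket.create_connection((host, port), timeout=timeout).close()
    except socket.gaierror:
        return "unresolved"          # the (DDNS) name does not resolve
    except ConnectionRefusedError:
        return "closed"              # host answered, nothing is listening
    except OSError:
        return "filtered"            # timeout or unreachable, typically a firewall drop
    ctx = ssl.create_default_context()
    ctx.check_hostname = False       # routers usually present self-signed certificates;
    ctx.verify_mode = ssl.CERT_NONE  # the question is "does it speak TLS?", not "is it trusted?"
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host):
                return "open-https"
    except OSError:                  # ssl.SSLError is a subclass of OSError
        pass                         # no TLS here: try plain HTTP next
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(b"HEAD / HTTP/1.0\r\nHost: " + host.encode() + b"\r\n\r\n")
            if sock.recv(16).startswith(b"HTTP/"):
                return "open-http"   # admin traffic, password included, would be cleartext
    except OSError:
        pass
    return "open-other"


def exposed_ports(host, ports, timeout=3.0):
    """Map each port that accepted a connection to what it speaks."""
    states = {p: probe_admin_port(host, p, timeout) for p in ports}
    return {p: s for p, s in states.items() if s.startswith("open")}


if __name__ == "__main__":
    # Usage: python check_exposure.py <your-ddns-name> <port> [<port> ...]
    target, port_list = sys.argv[1], [int(p) for p in sys.argv[2:]]
    found = exposed_ports(target, port_list)
    for p, state in found.items():
        print(f"{target}:{p} is reachable from here ({state})")
    sys.exit(1 if found else 0)
```

With Remote Management disabled, every port you pass should come back closed or filtered, and the script exits with status 0.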


Years ago, when the cyber world was still naive, innocent, and kind, the Remote Management was turned on by default using default values.

The engineers at the time were too excited about how helpful (and cool) it could be and never thought of how bad guys could take advantage of it.

That, plus the router’s known default username and password, made Wi-Fi 4 and older routers easily vulnerable to malicious parties. On top of that, firmware vulnerabilities are real.

In 2020, Netgear was one of the few networking companies that had to deal with an onslaught of bad press, mainly because some media outlets sensationalized the “security” issue (many still do) for views and clicks. I wrote a piece on this matter.

But for years, home routers’ security has been significantly tightened. In most, if not all cases, a router won’t even connect to the Internet unless you change the default password. And the remote access has always been turned off by default.

Sure, having this feature is like having another door that is susceptible to being left open by mistake or misuse. But that would be on the user, not the vendor.

(A car company should not be held responsible if somebody messes up your car because you leave the door unlocked, so to speak.)


That said, I find Netgear’s drastic move on this front a bit unnecessary, and it doesn’t make sense if you think about it.

Why remove something when it’s already disabled? If security were indeed an issue, Netgear would pay attention to the cases where this feature is being used.

And it seems even more sinister considering what the company offers as the alternative.

The Web-based Remote Management section of a Nighthawk router, when still available

A big move in mobile app coercion

For years, Netgear has offered its mobile apps (the Orbi and Nighthawk apps for its Orbi mesh and Nighthawk routers, respectively) as an option.

As such, users can choose to use the app or not. They can fully manage the router using just the local web interface.

Convenience aside, the web interface doesn’t require a login account, allowing consumers to use a Netgear router completely independently of the vendor.

On the other hand, the apps require a Netgear login account and hence carry potential privacy risks. I wrote more about that in this post on mobile app vs web interface.

On top of that, with the apps, Netgear has added premium features that require a subscription, at times by removing the free and helpful equivalent from the web interface.

First, there was the Armor protection, then VPN and Parental Controls. Chances are you’ll find more down the road. It’s been a slow but steady transition from the web user interface to mobile apps.

And now, with the removal of the Web-based Remote Management, the apps are the only way users can manage their home network remotely. It’s the most significant app coercion so far.

That said, security or not, Netgear is the one that stands to benefit the most from this development. The more users who use the apps, the more business it gets, not to mention the valuable data it can collect from its users via the login account. (Here’s the company’s privacy policy.)

Here’s the Advanced Settings section of the Netgear Orbi RBKE960 with the Remote Management feature no longer available.

The takeaway

If you don’t use or haven’t heard of Remote Management, this doesn’t affect you at all. For now, you can still use the local web interface to manage Orbi or Nighthawk routers, though you might notice that they’ll have fewer and fewer features.

For those who rely on this feature to manage their homes or businesses, this is upsetting: they can no longer count on new Netgear routers on this front.

In all, this deliberate removal seems self-serving, and the security rationale appears disingenuous on Netgear’s part. After all, the company still supports this feature on existing routers with it turned on.

In any case, if you’re using an older Netgear router that comes with Remote Management — those that came out in 2020 or earlier sure do — and want to use this feature at some point, make sure you turn it on before updating the firmware. You can always turn it off later.

2 thoughts on “Quietly, Netgear Kills Web-based Remote Management, Pushing Mobile Apps”

  1. It becomes simple to switch to a company that is competent and can make web access via remote management secure enough. This is blatant incompetency on Netgear’s part. Another way is to have a low-powered device like a Raspberry Pi or Intel NUC running 24×7 and use a freeware WireGuard-based VPN like Tailscale to set up a static route to your router’s LAN. So when outside the home LAN, fire up the Tailscale app on Android or iPhone and simply type the router’s LAN IP in a browser and access it remotely. Plenty of articles on Tailscale to make it work. Very easy too.
