This past week, I received a lot of questions regarding yet another newly-found router vulnerability, this time coming from Netgear.
Some of you expressed frustrations and went as far as saying you’d “never buy a Netgear again.” Well, that’s your call, but I’d say it’s an example of overreacting.
While router vulnerabilities are no good, getting overly concerned about them is unnecessary. I’ll explain that in this post.
Security vs. vulnerability: You can’t have the former without the latter
Generally, in computing, a vulnerability is where a device doesn’t provide the level of security it promises. Since it’s tough—impossible in fact—to test every single scenario, and technology is constantly evolving, vulnerabilities are inevitable.
So, it’s safe to say any device with any security level will have some vulnerabilities. It’s just a matter of when or if somebody finds out and exploits them to do bad stuff. In other words, the only time you get 100 percent vulnerability-free is when you don’t use any security at all.
(It’s just like your home. After you lock the door, rest assured that the lock can be picked or compromised one way or another. The only way not to worry about somebody breaking your lock is not to use one at all. Like all security measures, that of a home is more a matter of deterrence than total protection.)
So, vulnerabilities are common, and so are updates, or security patches, that fix them. Popular operating systems, like Windows or macOS, get regular updates, as frequently as once a month or even once a week. That happens regardless of whether or not the public is aware of any issue. Security is a never-ending cat-and-mouse game.
However, older versions are “out of life,” meaning the vendor no longer supports them. For example, if you decide to continue using Windows 7 or earlier versions, you’re on your own.
That applies to all things in the tech world, including home routers.
Why router vulnerabilities are big deals
Every time there’s a vulnerability report, it’s almost always a huge deal for a few reasons.
Routers are popular
That’s right. Popularity goes hand in hand with seriousness. The more people use a router, the more widespread its security issues become. As a result, vulnerabilities found in routers from popular vendors like Asus, Netgear, TP-Link, etc., tend to get a lot of attention.
Routers are a special Internet of Things device
Unlike other IoT devices, which are generally low-value targets, your home router is your gateway to the Internet.
Having control of the router, the bad guys can do a lot of severe damage, including (but not limited to) taking over your DNS server settings to redirect you to malicious websites.
Publicity
There’s nothing that grabs more attention than fear. And in the online world, attention is money.
Many times, though not always, router vulnerabilities (and security issues in general) are blown up for self-serving purposes. Security firms use them to burnish their reputation or sell software, and the media take advantage of them to boost page views.
(Let’s be honest with each other here. Many of the self-proclaimed “security experts” working for major media outlets know little about network security. They probably don’t have the time or desire to learn the mundane details of a particular vulnerability, either. Instead, they repeat information from hackers or security firms, or rewrite a security blog post.)
So most of the time, the vulnerabilities are not as bad as they are cracked up to be.
Is the recent Netgear router vulnerability serious?
That depends on who you ask. For me, it’s not a huge deal.
If you don’t mind the technical jargon, the issue’s details are in this post. But basically, it applies to the webserver in a limited number of relatively old routers.
(Some reports put the total number of affected devices as high as 79, but many of them are just variants, or different versions, of a single model. Here’s the complete list with their security patch status.)
The webserver is an integral part of a standard router. It lets users manage the router via its web user interface; other, less popular tools, such as SSH or Telnet, serve the same purpose. In the case of this vulnerability, there’s an intricate way to fool the device so that one can log in without the correct password.
It’s not easy to exploit this vulnerability, and the bad guy needs to target a specific user. In other words, they need a particular reason to do it, with a relatively low chance of success, which brings us back to the low-value target notion mentioned above.
Most importantly, many vulnerable models are among the first Wi-Fi 4 devices, now over a decade old. If you still have one of those, you should replace it for performance reasons anyway. For the few that support Wi-Fi 5, Netgear has already released security patches.
That said, the chance of anyone being affected by this is meager, much lower than that of getting your car stolen if you leave it unlocked overnight in a sketchy neighborhood.
To put this in perspective: this whole episode is like somebody finding a security issue with Windows XP; Microsoft says it won’t fix it because the OS is no longer supported, and the media cry foul to get attention. It’s mostly just shenanigans.
The takeaway
Again, no, I don’t mean to downplay the importance of router security. However, there’s no need to get all wound up every time you hear of some vulnerability, either.
Just update your router to the latest firmware, keep its admin and Wi-Fi passwords secure, and don’t mess around too much with its settings (unless you know what you’re doing), and everything will be as fine as can be. It’s a matter of degrees.
Also, it’s a good idea to upgrade your network every five or six years (or when a device is “out of life”) with hardware from a reputable vendor.
Most importantly, no matter what router you’re using right now, keep in mind that it is vulnerable. You’d be fooling yourself if you believed otherwise. The only way to be 100 percent issue-free on this front is not to get online at all. But then you’ll have fewer options for dealing with life, which is risky in itself.
bro are you serious. re-read this now 3 years from post and tell me you agree that this is nonsensical garbage that is factually and logically flawed. Do you actually understand any of this stuff or do you just happen to be exposed to advanced tech? Like, is any of the information I may have consumed actually oversimplified-perhaps-incorrect assumptions from an “expert”.
Yes, I was serious 3 years ago as I am today. Security is a matter of degree. The only time you have 100% security (with no vulnerability) is when you’re dead, which is the only sure thing in life. Take my word for it (don’t try it!) or go ahead and question your own understanding, at least there’s something you can do about that.
It’s rather irresponsible to state that IoT devices are low-level targets. As a network security professional, that is simply not true and dangerous to say. IoT devices are, by their nature, more vulnerable than big-name established x86 or ARM computing devices from the likes of Apple since they are more likely to have a real engineering team dedicated to vulnerability research, the funds to cover the expenses, and a real reputation at stake. However, the IoT devices are the gateway to the rest of the devices in the typical flat topology home network.
Since it’s much harder to compromise an iPhone than a smart light bulb, a hacker will compromise a smart light bulb, then traverse the rest of the flat home network that simply lacks net and IP isolation. They then keep scanning until they find and gain access to an unpatched Windows or Mac system. Remember, some OSes like MacOS don’t come with firewall blocking every service by default and some people even turn off their PC’s firewall.
Picture this, if I can get into your network through your no-name brand light bulb, I can then attempt to gain access to your httpd/web gui for your compromised router using XSS forgery and other similar attacks on an unpatched device. With nmap and bash scripts, these types of attacks don’t have to be targeted. They can be fully automated and much faster than any human can perform.
Also with MAC addresses, I can quickly parse through device brands while doing nmap scans.
Please don’t write things such as this or in your other article where you state that using a guest network is stupid. Unless you are a cybersecurity professional, it is best not to discuss such matters in an incorrect manner as the less technical people who go to your site can put their networks in danger.
Remember, not everyone remembers to patch his/her devices on time and, due to lack of funds, cannot buy devices that are supported on the long term from reputable manufacturers.
Also, the ‘security’ solutions that most home routers come with are laughable at best as they can only rely on DNS filtering and scanning of unencrypted traffic at best. The only effective solutions are MITM SSL certs from big iron security appliance vendors that charge an arm and a leg to be able to decrypt network traffic at the router level, scan it, and then re-encrypt it before sending it out through WAN. Another effective alternative is Cisco’s encrypted traffic analytics.
I’ve been a fan of yours since you were at CNET but I have to call out misconceptions and misinformation so others are not left vulnerable.
I missed this comment somehow until now. I hear you, Dave. Thanks for the input. But it’s a matter of degrees. Like I stated, EVERYTHING is vulnerable. Maybe you should read the entire post instead of picking a few sentences out of it. 🙂