UPDATED with possibility of DNS rebinding attacks and news that Netgear has released hot fixes for two routers. This story was first published June 18, 2020.
At least 28, and very likely as many as 79, Netgear home Wi-Fi router models are vulnerable to attack, both locally and possibly over the internet.
That's according to a new report by Arlington, Virginia-based cybersecurity firm GRIMM. Vietnamese security firm VNPT ISC independently found the same flaw.
- The best Wi-Fi routers that hopefully won't need to be patched soon
- Your router's security stinks: Here's how to fix it
- Latest: 'Hundreds of millions' of smart devices, PCs can be hacked remotely
The problem, as is so often the case with home Wi-Fi routers, lies in the web server built into the router's firmware. The web server runs the web-based administrative interface that router owners log into with their administrative passwords.
The full lists of definitely affected and likely affected Netgear routers are at the end of this story. Tom's Guide has reached out to Netgear for comment, and will update this story when we receive a reply.
- Secure every device you own with the best router VPN
How to protect your router from this attack
Unfortunately, Netgear has not yet provided firmware updates for these routers, despite being told of the flaws in January by Trend Micro's Zero Day Initiative, which was acting on behalf of VNPT ISC.
It's likely we won't see patches for any of these routers until the end of June. Some of these routers have reached end-of-life and probably won't get patches at all.
If you own one of these routers, your best bet for the moment is to go into your administrative interface (try https://192.168.1.1 if you're connected to your router). Then select the Advanced mode or tab, if there is one, and try to find something that looks like "Web Services Management" or "Remote Management."
You want to make sure that remote management is turned off so that no one can access your router's administrative settings from an external network, i.e. the Internet.
That won't quite solve the problem, as anyone with access to your local network might still be able to exploit the flaw. To prevent that, try to specify that only one machine on the local network can access the administrative interface.
The danger with that last solution is that the designated administrative machine must be specified by its IP address. Because IP addresses can randomly (albeit infrequently) change on the local network, you could end up being locked out of administrative access, and would have to factory-reset the router manually to regain that access.
UPDATE: Danger of DNS rebinding attacks
There's also a risk that malicious actors could use DNS rebinding attacks to exploit this flaw, even on Netgear routers whose administrative settings are locked down, Lawrence Abrams at Bleeping Computer pointed out.
In a DNS rebinding attack, the attacker would have to control both a malicious website and a DNS server, one of the so-called "phone books" of the internet.
The best way to avoid DNS rebinding attacks might be to change your router's DNS settings to the free OpenDNS Home service, which will let you filter out those IP addresses reserved for local networks so that no DNS requests go to them. We've got a lot more on that here.
'1996 called, they want their vulnerability back'
Both GRIMM's Adam Nichols and a VNPT ISC researcher identified only as "d4rkn3ss" discovered that they could use a specific text string on two different models to put the routers into update mode, bypassing the login process for the Netgear administrative interface .
From there, a input that was too long would trigger a buffer overflow — a very basic type of attack — that would give the attacker full power over the router and be able to run code on it.
"The entire update process can be triggered without authentication," Nichols wrote in a GitHub entry, which also includes a proof-of-concept exploit. "Thus, our overflow in the update process is also able to be triggered without authentication."
As Nichols put it in his very detailed blog post: "1996 called, they want their vulnerability back."
VNPT ISC's d4rkn3ss found this attack worked on a Netgear R6700 router, marketed under the name Netgear Nighthawk AC1750 Smart WiFi Dual Band Gigabit Router. (Netgear maddeningly obscures its model numbers in its marketing materials; "AC1750" is a Wi-Fi specification, not a model number.)
Nichols found that his exploit worked on a Netgear R7000 router, which looks almost exactly the same as the R6700, but is marketed as the Netgear Nighthawk AC1900 Smart WiFi Dual Band Gigabit Router.
"The vulnerability been present in the R7000 since it was released in 2013 (and earlier for other devices)," Nichols wrote in his GitHub posting.
Both models were among 50-odd routers for which Netgear pushed out a ton of firmware security updates in early March of this year. But sadly, that was for an entirely different set of flaws.
Ironically, the Netgear R7000 was among the best, or perhaps one of the least terrible, of 28 home Wi-Fi routers analyzed in an independent study of router security in late 2018.
Affected Netgear models go back to 2007
We don't have much information about d4rkn3ss's research, but GRIMM's Nichols explained in his blog post that he "was able to identify 79 different Netgear devices and 758 firmware images that included a vulnerable copy of the web server." (Routers will often go through several firmware updates over their working lives.)
"I was able to create an exploit for each of the 758 vulnerable firmware images," he added, although attacks in theory don't necessarily work in practice.
So, to make sure, Nichols "manually tested the exploit on 28 of the vulnerable devices to ensure that the identified gadgets worked as expected."
Netgear routers are still pretty safe to use, however
ZDI told Netgear of this flaw In early January. In early May, Netgear requested an extension from ZDI of the non-disclosure window until June 15, despite the standard 90-day window having already passed. ZDI agreed to this, but then Netgear asked for another extension until the end of June, to which ZDI did not agree.
Therefore, both ZDI and GRIMM released their findings now. (GRIMM, then unaware of VNPT ISC's earlier discoveries, notified Netgear of the flaw in early May.)
But that doesn't necessarily make Netgear routers unsafe to use. Netgear regularly issues firmware patches and security alerts, and makes it relatively easy to install firmware updates. Many other well-known router brands do neither.
Just this week, D-Link told users of one of its most popular routers to just chuck out the device and buy a new model, as it wouldn't be updating the machine any more despite known software flaws.
That's because the D-Link router is 8 years old — just one year older than the Netgear R7000, which is still sold, supported and patched by Netgear.
Which Netgear routers are definitely vulnerable?
These 28 Netgear router models and their associated firmware versions have been proven to be vulnerable by Nichols. Some model numbers have a "v2" or "v3" attached, because Netgear often makes hardware changes to a model during its production lifespan while keeping its model number and appearance intact.
These are not permanent patches, but temporary workarounds, and Netgear includes the following warning on its support page:
"While the hotfixes do fix the security vulnerabilities identified above, they could negatively affect the regular operation of your device. Though our pre-deployment testing process did not indicate that these hotfixes would impact device operability, we always encourage our users to monitor their device closely after installing the firmware hotfix."
UPDATE: By Wednesday, June 24, Netgear had issued hot fixes for 15 more routers: the D6220, D6400, D7000v2, D8500, EX7000, R6900, R6900P, R7000, R7000P, R7100LG, R7850, R7900, R8000, R8500 and WNR3500v2. Links to all the patches can be found on the same Netgear support page.
You can try downloading the hot-fix directly from your router's administrative interface, but that didn't work for us. We had to download the hot-fix file to a PC, then upload the file to the router through the admin interface. After that, everything went well.
- D6300, firmware version 18.104.22.168 and 22.214.171.124
- DGN2200, firmware version 126.96.36.199
- DGN2200M, firmware version 188.8.131.52 and 184.108.40.206
- DGN2200v4, firmware version 220.127.116.11
- R6250, firmware versions 18.104.22.168 and 22.214.171.124
- R6300v2, firmware version 126.96.36.199CH, 188.8.131.52, and 184.108.40.206
- R6400, firmware version 220.127.116.11, 18.104.22.168, and 22.214.171.124
- R7000, firmware versions 9.88, 9.64, 9.60, 9.42, 9.34, 9.18, 9.14, 9.12, 9.10, 9.6, and 8.34
- R8000, firmware version 126.96.36.199, 188.8.131.52
- R8300, firmware version 184.108.40.206 and 220.127.116.11
- R8500, firmware version 18.104.22.168
- WGR614v9, firmware version 1.2.32NA
- WGR614v10, firmware version 22.214.171.124NA
- WGT624v4, firmware version 2.0.12NA and 126.96.36.199
- WN3000RP, firmware versions 188.8.131.52 and 184.108.40.206
- WNDR3300, firmware versions 1.0.45, 1.0.45NA, and 1.0.14NA
- WNDR3400, firmware versions 220.127.116.11 and 18.104.22.168
- WNDR3400v2, firmware versions 22.214.171.124 and 126.96.36.199
- WNDR3400v3, firmware versions 188.8.131.52 and 184.108.40.206
- WNDR3700v3, firmware versions 220.127.116.11, 18.104.22.168, and 22.214.171.124
- WNDR4000, firmware versions 126.96.36.199, 188.8.131.52, and 184.108.40.206
- WNDR4500v2, firmware versions 220.127.116.11 and 18.104.22.168
- WNR1000v3, firmware version 22.214.171.124
- WNR2000v2, firmware versions 126.96.36.199, 188.8.131.52NA, and 184.108.40.206
- WNR3500, firmware version 1.0.36NA
- WNR3500L, firmware versions 220.127.116.11NA, 18.104.22.168NA, and 22.214.171.124
- WNR3500Lv2, firmware version 126.96.36.199
- WNR834Bv2, firmware version 2.1.13NA
Which Netgear routers are likely to be vulnerable?
Over on his GitHub account, Nichols has a much longer list of all 758 firmware versions, running on 79 router models, that he found to be vulnerable at least in theory.
That's too long to add here, but our friends at ZDNet distilled it down to router models, which we've adapted here by subtracting the definitely proven vulnerable models above.
Here are 51 Netgear router models thought to be, but not yet proven, vulnerable.