Skip to main content

Thousands of Netgear routers can be hacked — here's what to do

The Netgear Nighthawk RS400 home Wi-Fi router.
(Image credit: Netgear; Shutterstock)

Dang kids. Because of an optional parental-control feature that apparently wasn't so optional, nearly a dozen widely used Netgear home Wi-Fi router models have a serious security flaw and need to be patched.

The affected models are the R6400v2, R6700, R6700v3, R6900, R6900P, R7000, R7000P, R7850, R7900, R8000 and RS400, most of them in the "Nighthawk" line and physically nearly identical. Firmware updates are now available for all of them. 

The flaw can be exploited by a bad guy who gets access to your Wi-Fi network, which may not always be as hard to do as it seems, and then used to seize control of your home or small-office network and send you God-knows-where on the internet.

Because Netgear markets its home routers using somewhat misleading terminology — for example, the R7000 is also labeled as the "Nighthawk AC1900 Smart WiFi Dual Band Gigabit Router" — you might want to flip your router over and check the sticker on the bottom for the real model name.

How to update your Netgear router's firmware

To update your router's firmware, Netgear's security advisory recommends going to its support page at https://www.netgear.com/support/, then punching in your model's number. From there, you'll be taken to your model's support page. You can download a Zip file to your PC and unpack the file. 

Then use your favorite web browser to access your router's administrative interface (it's most likely at http://192.168.1.1), click the Advanced tab, select Administration and click Router Update. You can upload the file to the router from there.

However, for most of these routers, it's going to be just as easy to download the firmware update directly to the router. Follow the web administrative-interface instructions in the paragraph above, and then click the check-for-update button instead of uploading a file from your PC or Mac.

Vulnerable Disney Circle software

The problem here stems from the Disney-designed Circle parental-control feature, which was rolled out to Netgear Nighthawk and Orbi mesh routers, some of them already in customers' homes, as an optional add-on feature in 2017. 

The Orbis and newer Wi-Fi 6 Nighthawks got parental-control software built in-house by Netgear earlier this year, while the Circle service was discontinued for older Nighthawk models in late 2020.

Here's the catch: If you have one of the affected routers, the vulnerable Circle software is on your device regardless of whether you ever ponied up the $4.99 monthly charge for the Circle feature. 

"The Circle update daemon that contains the vulnerability is enabled to run by default, even if you haven't configured your router to use the parental control features," explained Adam Nichols of the D.C.-area security firm GRIMM in a blog post. (Bleeping Computer earlier reported this story.)

"While it doesn’t fix the underlying issue, simply disabling the vulnerable code when Circle is not in use would have prevented exploitation on most devices."

In other words, you've got a problem that came with software you probably didn't ask for and that may have been introduced to your device via a firmware update after you bought it. 

A side note about Netgear security patches

We've run a lot of Netgear router security alerts in the past few years, with at least two in 2020. So we want to reiterate that Netgear's consistent policy of finding, patching and publicizing its security flaws is a Good Thing, despite the resulting negative headlines. 

The only reason you don't hear about many security flaws with some other major router makers is because they don't tell you about the flaws. At least we know when something goes wrong with Netgear routers and how to fix it.

The same principle goes for Windows PCs, Macs, iPhones and Android phones. All of those devices get regular security updates to fix flaws and are the better for it. You don't want a router that never receives firmware updates.

What's going on here?

This flaw, catalogued as CVE-2021-40847, was discovered by GRIMM researchers. They noticed that there was a Circle update daemon, or mini-program, called "circled" (presumably pronounced "circle-dee") on older Netgear Nighthawk routers.

After some probing, they found that the Circle update daemon ran as root, was enabled by default and could still be exploited even if it was disabled.

"The update process of the Circle Parental Control Service on various Netgear routers allows remote attackers with network access to gain RCE [remote code execution] as root via a Man-in-the-Middle (MitM) attack," Nichols wrote on the GRIMM blog. 

Because Netgear's firmware updates are downloaded over plain old HTTP and are not encrypted, Nichols explained, they could in theory be intercepted, altered, and then passed along in poisoned form to the routers — a classic man-in-the-middle attack.

Netgear protects against this by encrypting its firmware update files and digitally signing them, making it pretty difficult for an attacker to read, alter or install altered firmware.

Not so Circle. Its update file is just a compressed database without any kind of internal protections. 

GRIMM showed that it wasn't hard to sneak malicious code into a Circle update and from there completely seize control of a router, which in turn would grant the attacker complete control of your home (or small office) internet traffic. 

This may not entirely be Circle's fault. It could be that the firmware-update connections on its since-discontinued Circle with Disney hardware devices were encrypted, removing the necessity of encrypting the update files as well. 

If so, then this new flaw may be the result of something falling between the cracks in the differing update models when the Circle software was ported to Netgear devices.

The Netgear firmware you want to end up with

Here's a list from the Netgear site of the firmware versions that you want to have on each device.

  •     R6400v2 fixed in firmware version 1.0.4.120
  •     R6700 fixed in firmware version 1.0.2.26
  •     R6700v3 fixed in firmware version 1.0.4.120
  •     R6900 fixed in firmware version 1.0.2.26
  •     R6900P fixed in firmware version 3.3.142_HOTFIX
  •     R7000 fixed in firmware version 1.0.11.128
  •     R7000P fixed in firmware version 1.3.3.142_HOTFIX
  •     R7850 fixed in firmware version 1.0.5.76
  •     R7900 fixed in firmware version 1.0.4.46
  •     R8000 fixed in firmware version 1.0.4.76
  •     RS400 fixed in firmware version 1.5.1.80
Paul Wagenseil

Paul Wagenseil is a senior editor at Tom's Guide focused on security and privacy. He has also been a dishwasher, fry cook, long-haul driver, code monkey and video editor. He's been rooting around in the information-security space for more than 15 years at FoxNews.com, SecurityNewsDaily, TechNewsDaily and Tom's Guide, has presented talks at the ShmooCon, DerbyCon and BSides Las Vegas hacker conferences, shown up in random TV news spots and even moderated a panel discussion at the CEDIA home-technology conference. You can follow his rants on Twitter at @snd_wagenseil.