UPDATED 11 a.m. Tuesday Dec. 13 with new information from Netgear about affected models and temporary patch. UPDATED 3:45 p.m. Wednesday with yet more information from Netgear.
Usually, security news stories go something like this: A researcher found a bug. It’s bad, but you can prevent it by patching your gadget. This is not one of those stories.
A huge vulnerability is present in some of Netgear’s most popular Nighthawk Wi-Fi routers. Worse yet, it’s very easy to exploit and would let anyone take complete control of your home Wi-Fi network. There’s no fix available yet -- just a somewhat convoluted workaround. It's so bad that the U.S. government is warning people not to use Netgear routers. And the real kicker? Netgear has reportedly known about this flaw since August, yet does not seem to have done anything about it.
To prevent falling victim to this flaw, you can perform one or two somewhat technical hacks while you're on your home Wi-Fi network. (We have details below.) Or you can simply unplug your Netgear router and use another brand of router until Netgear patches this flaw.
List of affected Netgear routers
Once Reddit got wind of the vulnerabilities, it did some investigating on its own, and realized that the flaw went far beyond the initial two routers that Rollins researched. Kalypto (In)Security, a blog run by researcher Kalypto Pink, has the most complete list of affected routers so far. These include:
- Netgear AC1750-Smart WiFi Router (Model R6400)
- Netgear AC1900-Nighthawk Smart WiFi Router (Model R7000)
- Netgear AC2300-Nighthawk Smart WiFi Router with MU-MIMO (Model R7000P)
- Netgear AC2350-Nighthawk X4 AC 2350 Dual Band WiFi Router (Model R7500)
- Netgear AC2600-Nighthawk X4S Smart WiFi Gaming Router (Model R7800)
- Netgear AC3200-Nighthawk AC3200 Tri-Band WiFi Router (Model R8000)
- Netgear AC5300-AC5300 Nighthawk X8 Tri-Band WiFi Router (Model R8500)
- Netgear AD7200-Nighthawk X10 Smart WiFi Router (R9000)
Other models may be affected as well. Since many Netgear routers run on similar firmware, the vulnerability could be more widespread than the researchers and Redditors anticipated.
UPDATE: Netgear has added the AC1600 Smart WiFi Router (R6250), Nighthawk AC1750 Smart WiFi Router (R6700), Nighthawk AC1900 LTE Modem Router (R7100LG), Nighthawk DST 1900 Dual-Band WiFi Router (R7300DST) and Nighthawk AC3000 X6 Tri-Band WiFi Router (R7900) to the list of possibly affected routers.
UPDATE: Netgear has added the Nighthawk AC1900 Smart WiFi Router (R6900), AC1200 WiFi VDSL/ADSL Modem Router (D6220) and AC1600 WiFi VDSL/ADSL Modem Router (D6400) models to the list of affected routers.
How to tell if your Netgear router is vulnerable
Luckily, there is a very simple test you can perform to see if your model is vulnerable. While you're at home and connected to the local network, simply go to an Internet browser and type the following command:
substituting your own router's local IP address for the term set off by brackets. (Here's how to find your home router's local IP address.) Many routers will respond to the even simpler
which does NOT require that you know your router's local IP address.
If the router reboots, your model is vulnerable to remote infiltration, and you should unplug it until Netgear provides a fix. (You can use commands other than reboot, if you like, but that’s a fairly harmless one.)
How to temporarily shield your Netgear router from attack
There are two workarounds, although the first is not entirely effective. First, you can change your router’s local IP address. Netgear provides instructions, although only the tech-savvy among you will want to try this; it’s a bit of a process. Changing your IP address will prevent random strangers from finding you online, but won’t prevent an infiltration if someone targets you specifically and discovers it, or if someone can get onto your local network, which by default discloses your router's IP address.
A more complete, but temporary, workaround is to disable the router’s administration web interface completely. Ironically, you can do this by taking advantage of the same exploit that allows infiltration in the first place. Simply type
into your Web browser, and the command will disable Netgear’s RouterLogin administrative software.
This means you won’t be able to access any of your router’s administrative functions — like changing passwords, or opening ports — until you physically reboot the router. On the other hand, neither will an attacker. In theory, this fix should not affect your router’s ability to provide internet service, making it a smart, if imperfect, fix for the time being.
Alternatively, if you have an older router in the closet, now might be the time to pull it out and put it to work. There’s no evidence that attackers have exploited this vulnerability in the wild, but as it’s been out for four days, and it’s so easy to do, the floodgates are open.
UPDATE: Netgear has created temporary firmware that fixes the problem for the R6400, R7000 and R8000. A Netgear security advisory states that a permanent solution is being worked on for these models and all other affected models.
UPDATE: Netgear has added beta firmware for the R6250, R6700, R6900, R7100LG, R7300DST, R7900, D6220 and D6400.
Who found this attack, and what is Netgear doing about it?
The information on the vulnerability comes from a variety of sources, but here’s the rough chronology. On Aug. 25, Andrew Rollins, a St. Louis-based security researcher who used the name Acew0rm, found a huge flaw in two high-end Netgear routers. He says he contacted the company, which did not reply to his concerns. After giving Netgear more than three months to respond, Acew0rm went public with his concerns on Twitter and YouTube late last week.
The flaw is so severe that the U.S. government issued a warning about it Friday (Dec. 9). The Computer Emergency Response Team (CERT) at Carnegie Mellon University, which is affiliated with the Department of Homeland Security, informed users about the vulnerability, explaining that there is no fix, and recommending that users disconnect affected routers until Netgear cleans up its act.
As for Netgear itself, the company acknowledged Rollins’ concerns, but perhaps too late to make a difference. In a security advisory, Netgear admitted that the flaw exists and pledged to investigate further. The advisory did not contain any concrete details on how to lock a potential attacker out.
Responding to a request for comment from Tom's Guide, a Netgear spokesman referred to the posted security advisory and said that the company was "still investigating the issue" and would update the advisory with more information once it became available.
How the Netgear router attack works
Here’s how the vulnerability works: First, you find the IP address of a router you’d like to attack. If you have access to a local network, this process is trivial.
Once you know the IP address, you type the following into an Internet browser's address field:
That’s it. Naturally, you’d replace [RouterIP] with the victim’s IP address, and COMMAND with whatever you wanted the router to do next. This could be something as innocuous as rebooting the router, or as malicious as giving yourself an undetected backdoor into an entire network.
Because most users never bother to change their routers’ local IP addresses from a handful of default configurations (such as "192.168.1.1" or "172.16.0.1"), the attack also works from the internet. A malicious web page can embed the attacking command in an image link that goes to one of those default local router IP addresses.
He or she who controls the router effectively controls the entire network. You could spy on someone’s webcam, draft the router into a botnet, redirect Google searches or Facebook updates to malicious pages, or simply steal social media and financial logins for yourself. The possibilities are endless.
If you’re thinking, “that exploit sounds too simple; am I missing something?”, you’re not. It really is that trivial. A malefactor need only craft a simple website that links to the command, then hide it behind a URL shortener (like Bit.ly), and tons of unsuspecting users would probably fall for it.
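The attack described above works by smuggling a shell command into a URL aimed at the router's web administration interface. From the defender's side, the telltale of such an attempt is a request path that contains shell metacharacters. The following Python script is an added example, not code from the article, from Netgear or from the researcher: it parses a few constructed Common Log Format access-log lines (the hosts, timestamps and paths are made up for this example and do not reproduce the Netgear vector), URL-decodes each request path, and reports the entries that carry shell metacharacters. The same check can be pointed at a real web server or proxy log in front of any web-administered device.

```python
import re
from urllib.parse import unquote

# Constructed sample access log (Common Log Format). The hosts, timestamps and
# paths are made up for this example; they are not taken from the article.
SAMPLE_LOG = """\
192.168.1.20 - - [10/Dec/2016:21:03:11 +0000] "GET /index.html HTTP/1.1" 200 5120
192.168.1.20 - - [10/Dec/2016:21:03:15 +0000] "GET /status.cgi?page=wan HTTP/1.1" 200 812
203.0.113.7 - - [10/Dec/2016:21:04:02 +0000] "GET /setup.cgi?cmd=;reboot HTTP/1.1" 200 0
203.0.113.7 - - [10/Dec/2016:21:04:09 +0000] "GET /setup.cgi?cmd=%3Breboot HTTP/1.1" 200 0
198.51.100.9 - - [10/Dec/2016:21:05:40 +0000] "GET /images/logo.png HTTP/1.1" 200 3344
"""

# One Common Log Format line: host, identity, user, [timestamp], "request", status, size.
LOG_LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)$'
)

# Shell metacharacters that have no business in a request path sent to an
# embedded device's admin interface. '&' is left out because it legitimately
# separates query parameters and would flood the result with false positives.
SHELL_META_RE = re.compile(r'[;|`]|\$\(|[\r\n]')


def parse_log_line(line):
    """Return the fields of one Common Log Format line, or None if it does not parse."""
    m = LOG_LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def is_suspicious_path(raw_path):
    """True if the request path carries shell metacharacters once URL-decoded."""
    # Decode twice so a double-encoded ';' (%253B) is caught as well as %3B.
    decoded = unquote(unquote(raw_path))
    return SHELL_META_RE.search(decoded) is not None


def find_injection_attempts(log_text):
    """Return the parsed entries whose request path looks like a command-injection attempt."""
    hits = []
    for line in log_text.splitlines():
        entry = parse_log_line(line)
        if entry is not None and is_suspicious_path(entry["path"]):
            hits.append(entry)
    return hits


if __name__ == "__main__":
    # On the constructed sample this reports the two requests from 203.0.113.7.
    for hit in find_injection_attempts(SAMPLE_LOG):
        print(f'{hit["ts"]} {hit["ip"]} {hit["method"]} {hit["path"]}')
```

Two design points are worth noting. Decoding the path before matching matters because an attacker controls the encoding, and a single `%3B` would slip past a check on the raw line. And because the attack can be launched from a web page the victim merely visits (the image-link trick described above), a hit from a local address such as 192.168.1.20 is just as significant as one from the internet: the browser on the victim's own machine is what sends the request.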