Netgear ended 2016 on a bad note with many of its routers exposed as vulnerable. It's not starting off 2017 on the most steady footing, either: A new report shows that as many as one million Netgear routers, spanning about 30 different models, are vulnerable to password pilfering and being hijacked by a botnet. Fortunately, there are patches available for 19 models, which you should implement immediately.
The two scary vulnerabilities were discovered by a researcher named Simon Kenin from the Trustwave security firm, who disclosed the news yesterday (Jan. 30). Kenin revealed the flaws in tandem with Netgear's release of patches.
If you use one of the routers listed below, you can download the security update patch for it from this page (opens in new tab). Owners of the AC1750 WiFi Cable Modem Router (Model C6300) need to contact their internet service providers for update instructions.
Patched Netgear Routers and Model Numbers
Nighthawk X8 Tri-Band AC5300 WiFi Router (Model R8500)
Nighthawk X8 AC5000 Smart WiFi Router (Model R8300)
Nighthawk AC1900 Smart WiFi Router (Model R7000)
AC1750 Smart WiFi Router—802.11ac Dual Band Gigabit (Model R6400)
Nighthawk DST—AC1900 DST Router (Model R7300DST)
Nighthawk 4G LTE Modem Router (Model R7100LG)
Smart WiFi Router AC1750 Dual Band Gigabit (Model R6300v2)
N600 Wireless Dual Band Router (Model WNDR3400v3)
N300 Wireless Gigabit Router (Model WNR3500Lv2)
Smart WiFi Router (AC1600) (Model R6250)
Nighthawk AC1750 Smart WiFi Router—Dual Band Gigabit (Model R6700)
Nighthawk AC1900 Smart WiFi Router (Model R6900)
Nighthawk X6—AC3200 Tri-Band WiFi Gigabit Router (Model R8000)
Nighthawk X6—AC3000 Tri-Band WiFi Gigabit Router (Model R7900)
N900 Wireless Dual Band Gigabit Router (Model WNDR4500v2)
Smart WiFi Router AC1200 Dual Band Gigabit (Model R6200v2)
N600 Wireless Dual Band Router (Model WNDR3400v2)
WiFi VDSL2/ADSL2+ Modem Router (Model D6220)
AC1600 WiFi VDSL/ADSL Modem Router—802.11ac Dual Band Gigabit (Model D6400)
For the other affected models, Netgear is providing a workaround in lieu of a fix. If you use one of the devices listed below, use the instructions here (opens in new tab) to check its firmware version. If it matches the firmware number listed, enable password recovery (opens in new tab) and then disable remote management using the steps listed in that specific product's user manual, which you can find by searching here (opens in new tab).
Router Model and Firmware Version:
Dual Band Gigabit Wireless Router - 802.11ac (Model R6200); v18.104.22.168_1.0.43
Dual Band Gigabit Wireless Router - 802.11ac (Model R6300v1); v22.214.171.124_1.0.58
VDSL Wireless Gateway (Model VEGN2610); v126.96.36.199_1.0.12
Smart WiFi Router (Model AC1450); v188.8.131.52_10.0.16
N150 Wireless Router (Model WNR1000v3); v184.108.40.206_60.0.93
N600 Wireless Dual Band Gigabit Router (Model WNDR3700v3); v220.127.116.11_1.0.31
N750 Wireless Dual Band Gigabit Router (Model WNDR4000); v18.104.22.168_9.1.86
WiFi Dual Band Gigabit Router -- Premium Edition (Model WNDR4500); v22.214.171.124_1.0.68
DSL Gateway Model and Firmware Version:
WiFi ADSL Modem Router (Model D6300); v126.96.36.199
WiFi Modem Router 802.11ac (Model D6300B); v188.8.131.52
N300 Wireless ADSL2+ Modem Router (Model DGN2200Bv4); v184.108.40.206
N300 Wireless ADSL2+ Modem Router (Model DGN2200v4); v220.127.116.11
These patches fix a flaw that Kenin discovered by hacking his own Netgear router, which had stopped working, from his bedroom on a cold and rainy winter night. Kenin, who admits he is "not a great programmer," figured out a way to get his router to cough up its administrative password by sending it a line of code through the local network.
A router is vulnerable to the remote access version of the flaw if its Remote Administration feature is turned on. (It's off by default.) If that setting isn't enabled, you'll need to get on the local network to deliver the payload. Kenin notes that that could threaten routers in coffee shops and other locations with open Wi-Fi networks.
Kenin's post claims that Trustwave researchers found more than 10,000 vulnerable devices during an internet scan, but that the total count is "probably in the hundreds of thousands, if not over a million."