A vulnerability in some popular Netgear routers has gone unpatched for months. Left unchecked, it leaves thousands of home networking devices exposed to full control by hackers, who can then ensnare them in havoc-wreaking botnets. While Netgear has finally released a tentative fix for some models, the delays and challenges in patching all of them help illustrate just how at risk the Internet of Things is—and how hard it is to patch up when things go wrong.
Andrew Rollins, a security researcher who also goes by Acew0rm, notified Netgear about the flaw on August 25, but says that the company never responded to him. After waiting more than three months, he went public with the vulnerability, and the Department of Homeland Security’s CERT group released an advisory about it on Friday. Its advice? Pull the plug.
“Exploiting this vulnerability is trivial. Users who have the option of doing so should strongly consider discontinuing use of affected devices until a fix is made available,” the CERT notice said. The flaw lets an unauthenticated web request reach the router’s command line and execute arbitrary commands, which could lead to total system takeover.
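The class of bug CERT is describing, shown as an added illustration that is not Netgear’s firmware and not part of the original article: a hypothetical router “ping a host” diagnostic handler that splices a request parameter into a shell command line, beside a hardened version that refuses unauthenticated requests, allow-lists the parameter and runs the program without a shell. The function names, the `ping` invocation and the session check are assumptions made for the example.

```c
#define _POSIX_C_SOURCE 200809L
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Hypothetical "ping a host" diagnostic page on a home router. Names, paths
 * and the session check are assumptions for illustration; this is not Netgear's
 * firmware and not the vulnerable code CERT describes. */

#define MAX_HOST_LEN 253

/* VULNERABLE pattern: the request parameter is spliced into a command line that
 * a shell will parse. A value such as "8.8.8.8;reboot" makes the shell run a
 * second command, as root on most routers. Returns a static buffer (demo only). */
const char *build_ping_cmd_vulnerable(const char *host)
{
    static char cmd[512];
    snprintf(cmd, sizeof cmd, "ping -c 1 %s", host);   /* would be handed to system() */
    return cmd;
}

/* Allow-list check for the host parameter: only characters that occur in a
 * hostname or IPv4/IPv6 literal. Shell metacharacters, whitespace and quotes
 * are rejected, as is a leading '-' that ping would read as an option. */
int validate_host(const char *host)
{
    size_t len = strlen(host);
    if (len == 0 || len > MAX_HOST_LEN || host[0] == '-')
        return 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)host[i];
        if (!(isalnum(c) || c == '.' || c == '-' || c == ':'))
            return 0;
    }
    return 1;
}

enum handler_status { HS_OK = 200, HS_BAD_REQUEST = 400, HS_UNAUTHORIZED = 401 };

/* HARDENED handler: (1) refuse unauthenticated requests, (2) validate the
 * parameter against the allow-list, (3) pass the host as a single argv element
 * to execvp, so no shell ever parses it. With execute == 0 the handler only
 * decides and does not fork, which is what the checks below exercise. */
enum handler_status hardened_ping_handler(const char *session_token,
                                          const char *host, int execute)
{
    /* Stand-in for real session validation (assumption for the demo). */
    if (session_token == NULL || session_token[0] == '\0')
        return HS_UNAUTHORIZED;
    if (host == NULL || !validate_host(host))
        return HS_BAD_REQUEST;
    if (execute) {
        pid_t pid = fork();
        if (pid == 0) {
            char *const argv[] = { "ping", "-c", "1", (char *)host, NULL };
            execvp("ping", argv);
            _exit(127);
        } else if (pid > 0) {
            int status;
            waitpid(pid, &status, 0);
        }
    }
    return HS_OK;
}

int main(void)
{
    const char *attack = "8.8.8.8;reboot";   /* constructed malicious parameter */
    printf("vulnerable handler would run: %s\n", build_ping_cmd_vulnerable(attack));
    printf("hardened, no session:  %d\n", hardened_ping_handler(NULL, "8.8.8.8", 0));
    printf("hardened, injected:    %d\n", hardened_ping_handler("sess", attack, 0));
    printf("hardened, valid input: %d\n", hardened_ping_handler("sess", "8.8.8.8", 0));
    return 0;
}
```

The important change is not the allow-list alone but the `execvp` call with an argument vector: even if validation were bypassed, the host value arrives at `ping` as one argument and is never re-parsed by `/bin/sh`, which is the step that turns a web parameter into a command.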
After initially saying over the weekend that three products “might be vulnerable,” Netgear now confirms that eight of its router models (R6250, R6400, R6700, R7000, R7100LG, R7300, R7900, R8000) are affected, including three of the five most popular routers on Amazon. Netgear also declined to comment on why it’s taking so long to release a production-grade firmware update. “We strive to earn and maintain the trust of those that use Netgear products for their connectivity,” the company said in a statement.
On Tuesday, Netgear finally released beta patches for some models, but the company says the fixes have not been fully tested and “might not work for all users.” Compounding the issue, Netgear customers have to install the firmware themselves: the company says it has no process in place to push an over-the-air update, so each owner will have to download and apply it manually. That is, whenever it’s officially available.
“It’s making them look very incompetent,” Rollins says, adding that the vulnerability is “not that hard to fix at all.”
Computer science researcher Bas van Schaik published a temporary fix for the vulnerability on Friday. “What surprised me most is that Netgear was notified of this vulnerability months ago, but didn’t act,” he says. “Given the significant severity of the vulnerability, I find that as appalling as it is baffling.”
Users who own affected router models should download a beta patch if available, and implement van Schaik’s workaround (which CERT also recommends) if not. The other option is disconnecting the router until Netgear releases a final firmware update.
Internet of Dings
It’s unknown how many Netgear routers, if any, have been compromised, but given that the exploit is now public, owners should consider themselves at risk. The incident also raises larger issues facing Internet of Things devices, most significantly how hard it can be to tell if they’re compromised, and how hard it is to fix them if they are.
Millions of Internet of Things devices are vulnerable to takeover through one bug or another, and this has increasingly led to the formation of IoT botnets—armies of devices that attackers infect with malware, which then coordinates their actions to mount attacks. Discovering the vulnerabilities in the first place is part of the battle, but the bigger challenge is actually securing them once the bugs are known. People rarely so much as look at their routers, much less interface with them the way they would a PC. And unlike with infected PCs, there’s no alert or clear indication that something’s wrong. IoT devices are hard to diagnose, and harder still to mend.
“It’s got to get to the level that it’s simple in terms of notification and procedure to upgrade for users, otherwise we end up with the problem we have,” says Morey Haber, vice president of technology at the security firm BeyondTrust. “There are many devices that are out there that are complex and not easy to update and people don’t even know it.”
And as long as so many devices are vulnerable, attackers will actively look to exploit them. It’s a vicious cycle, one that’s playing out for many Netgear owners in real time.