Thousands of Netgear Wi-Fi routers need to be patched now — here's how

Thousands of Netgear Wi-Fi routers need to exist patched now — here'south how

(Prototype credit: Netgear)

It'south fourth dimension to update your Netgear Wi-Fi router once again. The home-networking-device maker has pushed out security updates for 35 dissimilar models of routers, Wi-Fi range extenders and combination modem-routers to fix iii flaws discovered past British security firm Immersive Labs.

Two of the Netgear router flaws allow an attacker, who already has access to the router's administration interface, hack it to change configuration settings. Those new settings could then be used to create backdoors that would give hackers permanent remote access to the router'due south controls.

Once a hacker has command of your router, they can see and control where you get on the cyberspace and can often see what y'all're receiving and sending.

To exist fair, just getting access to the administration interface in the showtime identify pretty much means game over already, but this is a serious flaw that needs to be fixed nonetheless.

Another Netgear router flaw lets someone on the local network get the router'due south serial number by querying a specific "port," or network interface.

Ordinarily, this wouldn't be so bad, but as Immersive Labs researcher Kev Breen explained in a company blog post yesterday (Dec. 2), "this serial number is used equally office of the [administrative] password reset function on most Netgear devices."

"This mechanism is supposed to ensure simply those with physical access to the device can reset the password," Breen added, because normally the serial number is visible only on a sticker on the physical device. "Armed with this information, it is now possible for whatsoever user on the network to beast-strength the password-reset questions."

This less-serious attack crave local network access, but that's not equally hard to go as information technology seems for an attacker. Many domicile-network Wi-Fi access passwords tin be guessed or brute-forced. If malware sneaks onto a computer, smartphone, gaming console or smart device in the domicile past other ways, then it will have local network access too.

How to update your Netgear Wi-Fi router's firmware

Updating Netgear routers to the latest firmware depends on the model. Many newer Netgear routers have automated updates enabled by default, and you lot'll only demand to make sure the feature is turned on.

With some others, yous accept to get to the authoritative interface and manually check for updates, which the router tin can then download and install itself. Many of the models afflicted past these flaws also support the Netgear Nighthawk mobile app, which lets you check for and install router firmware right from your smartphone.

Older models may crave a more complicated router-update process that involves going to the Netgear back up website, inbound the router's model number (it'due south printed on a sticker on the device itself), going to that model'south support folio, checking for firmware updates, downloading the update file to a Mac or PC, and and then uploading the file to the router through the administrative interface.

If you need to go to the Netgear router administrative console, you tin commonly achieve information technology at http://198.168.1.1 in a spider web browser if you're on the router's local network. Some Netgear routers besides let yous use http://routerlogin.com or http://routerlogin.net.

In general, the username for the Netgear router administrative interface is "admin." You can alter that if you like, simply it's much more than important to brand sure that the password for the administrative interface has been inverse from the default password.

Default passwords for virtually home Wi-Fi routers, whether made by Netgear or non, tin can easily exist found online. Leaving yours every bit is just makes y'all a sitting duck for hackers.

While y'all're in your router'southward administrative settings, you'll want to go to the "Advanced" part of the interface, then await for "Advanced Setup." Click on UPnP and make sure it'due south disabled.

Then click on "Spider web Services Management" or "Remote Management" and disable that besides. Doing so will remove ii mutual channels of assail that hackers oftentimes utilise to assail routers.

Netgear Wi-Fi routers that need to be updated

Following are 2 lists of Netgear devices, listed by model number, that need to be updated. The firmware version number listed is the version that fixes these flaws. You can see the version number of the firmware that your own router is running in the summit right corner of the administrative interface.

Eighteen Netgear Wi-Fi routers, range extenders and combination modem-routers are vulnerable to the kickoff 2 flaws above, which lets an attacker change a router's configuration settings. (Both versions of the RAX120 may also exist vulnerable to other Wi-Fi router flaws disclosed past unlike researchers this calendar week.)

DSL Modem Routers

D7800 stock-still in firmware version one.0.one.66

Wi-Fi Range Extenders

EX2700 fixed in firmware version 1.0.1.68
WN3000RPv2 fixed in firmware version ane.0.0.90
WN3000RPv3 fixed in firmware version 1.0.2.100

LTE Modem Routers

LBR1020 (an Orbi wireless broadband gateway) stock-still in firmware version 2.vi.v.20

Orbi Wi-Fi Systems

LBR20 fixed in firmware version ii.6.five.32

Wi-Fi Routers

R6700AX stock-still in firmware version one.0.ten.110
R7800 fixed in firmware version 1.0.2.86
R8900 fixed in firmware version 1.0.v.38
R9000 fixed in firmware version 1.0.v.38
RAX10 fixed in firmware version 1.0.ten.110
RAX120v1 fixed in firmware version 1.ii.3.28
RAX120v2 fixed in firmware version i.2.3.28
RAX70 fixed in firmware version one.0.10.110
RAX78 fixed in firmware version 1.0.10.110
XR450 stock-still in firmware version 2.iii.two.130
XR500 fixed in firmware version 2.three.2.130
XR700 stock-still in firmware version ane.0.1.46

Seventeen Netgear Wi-Fi router models are vulnerable to the third flaw, which makes the device series number visible.

Wi-Fi Routers

AC2100 fixed in firmware version i.2.0.88
AC2400 fixed in firmware version 1.2.0.88
AC2600 fixed in firmware version 1.2.0.88
D7000 fixed in firmware version one.0.1.82
R6220 stock-still in firmware version 1.1.0.110
R6230 fixed in firmware version one.1.0.110
R6260 fixed in firmware version 1.ane.0.84
R6330 fixed in firmware version one.1.0.84
R6350 fixed in firmware version 1.1.0.84
R6700v2 stock-still in firmware version i.two.0.88
R6800 fixed in firmware version 1.ii.0.88
R6850 stock-still in firmware version 1.one.0.84
R6900v2 fixed in firmware version i.ii.0.88
R7200 fixed in firmware version ane.2.0.88
R7350 fixed in firmware version one.2.0.88
R7400 fixed in firmware version i.2.0.88
R7450 stock-still in firmware version ane.2.0.88

Paul Wagenseil is a senior editor at Tom'south Guide focused on security and privacy. He has as well been a dishwasher, fry cook, long-booty driver, lawmaking monkey and video editor. He'due south been rooting effectually in the information-security space for more than 15 years at FoxNews.com, SecurityNewsDaily, TechNewsDaily and Tom's Guide, has presented talks at the ShmooCon, DerbyCon and BSides Las Vegas hacker conferences, shown upwards in random TV news spots and even chastened a panel discussion at the CEDIA home-technology conference. Yous can follow his rants on Twitter at @snd_wagenseil.