Some popular Netgear routers contain a security flaw that is evidently easy to exploit and can make users vulnerable to a CSRF attack.
About this time I’m wondering if I’d even purchase a Netgear router.
You’d think that, with all of the recent fuss about the insecure Internet of things, especially when it comes to routers, any router maker would be on top of it and patching vulnerabilities as soon as they’re discovered.
Evidently not, as far as Netgear is concerned.
On Friday, a researcher with the online handle Acew0rm published a vulnerability that the U.S. CERT Coordination Center (CERT/CC) at Carnegie Mellon University has rated as “critical,” giving it a score of 9.3 out of 10 using the Common Vulnerability Scoring System. Over the weekend, Netgear confirmed the vulnerability, saying that its R7000, R6400 and R8000 routers were possibly vulnerable. However, PCWorld has reported that another researcher has looked into the matter and has indicated that other Netgear Nighthawk routers are vulnerable, including models R7000, R6400 and R8000.
So why did Acew0rm publish the exploit? It’s a familiar story. It appears that he notified Netgear of the vulnerability in August but never heard back from them.
Again, you’d think that a company marketing routers would want to patch their routers sooner rather than later given recent IoT news, wouldn’t you? I ask you, is this any way to run a router company?
The vulnerability exposes the router to a Cross-Site Request Forgery (CSRF) attack, in which a malicious website causes a visiting user’s browser to send requests to the router without the user’s knowledge. Although the folks at CERT/CC are recommending that users remove the routers from service until Netgear issues a patch, Lucian Constantin has published some possible workarounds on PCWorld for users who aren’t able to do this.
Over at Computerworld, Michael Horowitz opines that those considering buying a Netgear router “can use this issue to gauge how the company deals with security.” No thanks. I’ve already made my evaluation. Netgear made the decision to sit on top of this vulnerability for four months, evidently doing nothing about it. They’re only acting on this now because of press reports and because an exploit has been made public, meaning the black hats are ready to pounce.
Meanwhile, we have to get a handle on the Internet of insecure things now. Not later.