If you’re using a Netgear router right now, you might want to turn it off for the time being following discovery of a security flaw in various Netgear models. Worse, there’s currently no easy fix for the vulnerability that could give hackers full control of your router.
Netgear reportedly left the security issue unattended for months, leaving thousands of home networking devices exposed to attacks. Now, Netgear issued a temporary fix for some router models. While at that, the delay still highlights the risk facing the Internet of Things and the difficulty to patch it.
Fix remains unstable
The patches are still in beta and apply only to select models. In addition, Netgear acknowledged the limitations of the fixes as the company has yet to test the patch. What adds insult to injury is users themselves have to manually install the firmware since Netgear is unable to roll out an over-the-air update.
Security researcher Andrew Rollins, who goes by the Twitter handle Acew0rm, alerted Netgear to the flaw back in August, but received only a cold shoulder from the company. Three months later, Rollins decided to make the vulnerability public. This prompted the Department of Homeland Security’s CERT group to release an advisory about the flaw. CERT stated:
“Exploiting this vulnerability is trivial. Users who have the option of doing so should strongly consider discontinuing use of affected devices until a fix is made available.”
Affected devices include Netgear R6200, R6400, R6700, R7000, R7100LG, R7300, R7900, and R8000 routers, as well as other models that could be exposed to arbitrary command injection. The security vulnerability could let unauthenticated web pages gain access to the command-line and execute malicious commands. In turn, this could provide hackers the ability to take over an entire system.
“By convincing a user to visit a specially crafted web site, a remote unauthenticated attacker may execute arbitrary commands with root privileges on affected routers,” CERT said.
The number of affected routers, however, remains unclear. The exploit has gone public, so it’s easy to assume a large swath of Netgear devices are currently at risk.