NETGEAR recently issued a security advisory about a Transport Layer Security (TLS) certificate private key disclosure vulnerability on several of its routers. And this is apparently not the first time the company left TLS certificates and private keys exposed in their wireless router firmware.

The certificates and their private keys were embedded in the firmware, which anyone could download for free from a public website, and with a little skill the private key could be read out of it. The keys could be used to intercept and tamper with secure connections (man-in-the-middle attacks), and essentially any of the compromised routers could be hijacked.
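A release gate of the kind this problem calls for, added here as an example (not NETGEAR's or Keyfactor's code): it scans a firmware image for PEM private-key blocks and checks that each body is genuine base64-wrapped DER, so stray marker strings are not counted. The sample image is constructed and wraps a hand-built 5-byte ASN.1 SEQUENCE, not a real key.

```python
import base64
import binascii
import re
from typing import Dict, List

# Matches a PEM private-key block with any label ("PRIVATE KEY", "RSA PRIVATE KEY",
# "EC PRIVATE KEY", "ENCRYPTED PRIVATE KEY", ...); \1 forces the END label to match.
PEM_KEY_RE = re.compile(
    rb"-----BEGIN ((?:[A-Z0-9]+ )*PRIVATE KEY)-----\r?\n(.*?)\r?\n-----END \1-----",
    re.DOTALL,
)


def find_embedded_private_keys(image: bytes) -> List[Dict[str, object]]:
    """Return one record per PEM private-key block found in a firmware blob.

    Each record has the byte offset, the PEM label, and whether the body is valid
    base64 whose payload starts with an ASN.1 SEQUENCE tag (0x30), which separates
    real key material from a bare marker string sitting in some other file.
    """
    hits = []
    for m in PEM_KEY_RE.finditer(image):
        # Drop legacy "Proc-Type:"/"DEK-Info:" headers and blank lines before decoding.
        b64 = b"".join(l for l in m.group(2).splitlines() if l.strip() and b":" not in l)
        try:
            der = base64.b64decode(b64, validate=True)
            looks_like_der = len(der) > 2 and der[0] == 0x30
        except binascii.Error:
            looks_like_der = False
        hits.append({"offset": m.start(), "label": m.group(1).decode(), "der": looks_like_der})
    return hits


def firmware_is_clean(image: bytes) -> bool:
    """Release gate: True only if no plausible private key is embedded in the image."""
    return not any(h["der"] for h in find_embedded_private_keys(image))


# Constructed sample image: filler bytes, a path fragment, one PEM block wrapping a
# hand-built SEQUENCE { INTEGER 0 } (not a real key), one block whose body is not
# base64 at all, and a certificate block that must be ignored by the key scan.
FAKE_DER = bytes.fromhex("3003020100")
SAMPLE_IMAGE = (
    b"\x00" * 64 + b"squashfs-root/etc/ssl/"
    + b"-----BEGIN RSA PRIVATE KEY-----\n" + base64.b64encode(FAKE_DER)
    + b"\n-----END RSA PRIVATE KEY-----\n" + b"\xff" * 32
    + b"-----BEGIN EC PRIVATE KEY-----\nnot-a-key!!\n-----END EC PRIVATE KEY-----\n"
    + b"-----BEGIN CERTIFICATE-----\n" + base64.b64encode(FAKE_DER) + b"\n-----END CERTIFICATE-----\n"
)

if __name__ == "__main__":
    for hit in find_embedded_private_keys(SAMPLE_IMAGE):
        print(hit)
    print("clean:", firmware_is_clean(SAMPLE_IMAGE))
```

Run it against an unpacked or raw firmware image before publishing; a single hit with `"der": True` should fail the build.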

Expert Comments

January 24, 2020
Mark Thompson
VP of Product Management
Keyfactor
This is yet another example of manufacturers prioritizing time to market over device security. D-Link made the same mistake in 2015 when developers accidentally published keys in open-source firmware. NETGEAR should store these private keys in a secure HSM or use on-device key generation to generate the public-private keypair. This is an unfortunate but timely reminder to IT leaders to revisit and revise the way they approach device security to mitigate manufacturer vulnerabilities.