Researchers have discovered that 31 models of the Netgear home router contain critical flaws that make them vulnerable to hackers. These latest vulnerabilities come only months after “Command Injection” based flaws were found in Netgear devices last year. IT security experts from the prpl Foundation and Lastline and Rapid7 commented below.

Art Swift, President at the Prpl Foundation:

“Once these devices have been compromised, especially routers, IoT hubs, and network gateways – due to the fact that they are very often on a local network – they represent a gateway to the network, and can be used to perform a series of attacks on the network bypassing network protection. This can cause a Trojan horse situation for the attackers to get a foothold into the local network.

“Unfortunately the vast majority of manufacturers focus solely on time to market with security as an afterthought. Good security is at least half about good management of the product, yet the consumer technology industry prioritises the user experience over everything else. Regulators must understand this and so should impose a bare minimum standard for security updates – forcing manufacturers to administer these, so devices are not left unpatched for too long. If there is this shift of responsibility from the end user to the vendor, it demands a secure infrastructure extended into the device itself, for instance:

  • Secure boot – ensure IoT systems will only boot up if the first piece of software to execute is cryptographically signed by a trusted entity. It needs to match on the other side with a public key or certificate which is hard-coded into the device, anchoring the “Root of Trust” into the hardware to make it tamper-proof.
  • Hardware virtualisation – this enables separation of each software element, where a system can be designed that keeps critical components in secure isolation from the rest and prevents lateral movement. This can allow consumers to enhance and modify their products whilst crucially allowing regulators to prohibit and lock down modification of any function deemed ‘too dangerous’.

“The not-for-profit prpl Foundation has created the Security Guidance for Critical Areas of Embedded Computing, a peer-reviewed and actionable framework that brings into focus three areas to make IoT more secure: using open source, forging a root of trust in hardware and security by separation using hardware virtualisation. Interoperable, open standards are the key requirement for developers in order to improve IoT security even in the smallest of connected devices – it will help reduce that complexity by effectively outsourcing the trickiest work to the subject matter experts. Using this framework, developers can ensure they are layering security appropriately to make it more difficult for hackers to exploit all of these devices. It’s about awareness and education and letting developers know that there is a better way that won’t impact negatively on design or innovation.”
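The secure-boot step in the first bullet above (boot only if the first image is signed by a key anchored in the hardware) is small enough to show in working code. The following Go program is an added example and is not code from the article, from Netgear or from the prpl Foundation. The image layout (a magic string, a length field, the payload and a trailing ed25519 signature), the fixed key seeds and the firmware bytes are all constructed for the example; `TrustedRootKey` stands in for the public key that a real device would hold in ROM or one-time-programmable fuses.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"encoding/binary"
	"errors"
	"fmt"
)

// Image layout used by this example (constructed, not any vendor's format):
//   "IMG1" | 4-byte big-endian payload length | payload | 64-byte ed25519 signature
// The signature covers everything before it, so both the length and the
// payload are bound by the root key.
const (
	imageMagic = "IMG1"
	headerLen  = 4 + 4
)

var (
	ErrBadMagic  = errors.New("secure boot: bad image magic")
	ErrTruncated = errors.New("secure boot: image length does not match header")
	ErrBadSig    = errors.New("secure boot: signature does not verify against root key")
)

// fixedSeed returns a deterministic 32-byte seed; constructed for the example only.
func fixedSeed(label byte) []byte {
	seed := make([]byte, ed25519.SeedSize)
	for i := range seed {
		seed[i] = label
	}
	return seed
}

var (
	// The vendor's signing key. Its private half would live in the vendor's
	// signing infrastructure, never on the device.
	vendorPriv = ed25519.NewKeyFromSeed(fixedSeed(0x01))
	// A key the device has never heard of, used to show a foreign image failing.
	attackerPriv = ed25519.NewKeyFromSeed(fixedSeed(0x02))

	// TrustedRootKey stands in for the public key anchored in the device
	// hardware. Only images signed by its private half are allowed to boot.
	TrustedRootKey = vendorPriv.Public().(ed25519.PublicKey)
)

// SignImage is the vendor-side step: wrap the firmware payload and sign it.
func SignImage(priv ed25519.PrivateKey, payload []byte) []byte {
	var lenField [4]byte
	binary.BigEndian.PutUint32(lenField[:], uint32(len(payload)))
	buf := make([]byte, 0, headerLen+len(payload)+ed25519.SignatureSize)
	buf = append(buf, imageMagic...)
	buf = append(buf, lenField[:]...)
	buf = append(buf, payload...)
	sig := ed25519.Sign(priv, buf)
	return append(buf, sig...)
}

// VerifyImage is the boot-ROM side: parse the image, check the signature
// against the hard-coded root key, and only then hand back the payload.
// Every check fails closed: a bad image yields no payload at all.
func VerifyImage(root ed25519.PublicKey, img []byte) ([]byte, error) {
	if len(img) < headerLen+ed25519.SignatureSize {
		return nil, ErrTruncated
	}
	if !bytes.Equal(img[:4], []byte(imageMagic)) {
		return nil, ErrBadMagic
	}
	n := binary.BigEndian.Uint32(img[4:8])
	// Compare in uint64 so a hostile length field cannot wrap the arithmetic.
	if uint64(n) != uint64(len(img)-headerLen-ed25519.SignatureSize) {
		return nil, ErrTruncated
	}
	signedLen := headerLen + int(n)
	signed := img[:signedLen]
	sig := img[signedLen:]
	if !ed25519.Verify(root, signed, sig) {
		return nil, ErrBadSig
	}
	return signed[headerLen:], nil
}

func main() {
	payload := []byte("firmware v1 (constructed sample)")
	images := map[string][]byte{
		"vendor-signed":   SignImage(vendorPriv, payload),
		"attacker-signed": SignImage(attackerPriv, payload),
	}
	for name, img := range images {
		_, err := VerifyImage(TrustedRootKey, img)
		fmt.Printf("%-16s boot allowed=%v err=%v\n", name, err == nil, err)
	}
}
```

The verifier never needs the private key, which is the property that makes the scheme work: the device can hold the public half in hardware where it cannot be changed, and the vendor's private half never leaves the signing infrastructure. Note also that the length field is checked before the signature, but the signature check is still the only decision that admits an image; the format checks only reject malformed input early.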

Brian Laing, VP at Lastline:

“Many products, such as these Netgear routers, are sold with vulnerabilities. Some should have been found in development, and some are based on design where the developers assumed incorrectly only the best intentions. Others are much harder to find and require multiple steps that developers and testers may not have thought about when developing the product. Some vulnerabilities including this one can be mitigated by following basic security best practices. The Netgear vulnerability for example requires that the user turn on remote management which is turned off by default to protect the router from possible attacks. New vulnerabilities are found all the time so consumers need to take as many preventative measures as possible, such as disabling remote management. That will mitigate the impact of someone trying to attack an unknown vulnerability.

“There are a number of tools developers can run on their code in development that will find some security issues in the code itself. Many vulnerabilities, for example, are caused by poor checking of input values. There are tools that can find these types of issues. Developers can also assume the worst intentions and bombard their solution with information they would not normally expect and in ways they would not normally expect. This will allow them to uncover vulnerabilities they may not have found otherwise.

“The best defence is to use the router and settings, like disabling remote management, to protect the router. Commercial grade routers often need to be remotely administered. In those situations connection rules are used to limit access to only a few specific IP addresses. There are a number of different best practices guides for configuring routers to help prevent attacks. These should be followed; there are even vendor-specific ones that cover features vendors may have specifically to prevent attack.”
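The two settings this comment recommends (remote management off by default, and where it must be on, reachable only from a few named addresses) can be expressed as a small policy and then used to audit what a router's WAN-side log actually shows. The Go program below is an added example, not code from the article, from Lastline or from any router vendor. The `RemoteAdminPolicy` type, the `/admin/` path prefix and the access-log lines are all constructed for the example and do not reflect any real product's format.

```go
package main

import (
	"fmt"
	"net"
	"strings"
)

// RemoteAdminPolicy models the setting the comment describes: remote
// management is off unless explicitly enabled, and when enabled only the
// listed source networks may reach the administrative interface.
type RemoteAdminPolicy struct {
	Enabled   bool
	AllowFrom []*net.IPNet
}

// NewPolicy parses allowlist entries given as CIDRs or bare IP addresses.
// A bare address is treated as a single-host network.
func NewPolicy(enabled bool, allow []string) (*RemoteAdminPolicy, error) {
	p := &RemoteAdminPolicy{Enabled: enabled}
	for _, a := range allow {
		if !strings.Contains(a, "/") {
			if strings.Contains(a, ":") {
				a += "/128"
			} else {
				a += "/32"
			}
		}
		_, n, err := net.ParseCIDR(a)
		if err != nil {
			return nil, fmt.Errorf("allowlist entry %q: %w", a, err)
		}
		p.AllowFrom = append(p.AllowFrom, n)
	}
	return p, nil
}

// Permit reports whether a WAN-side request from src may reach the admin
// interface. With remote management disabled nothing is permitted, which is
// the default the comment recommends for home users.
func (p *RemoteAdminPolicy) Permit(src string) bool {
	if !p.Enabled {
		return false
	}
	ip := net.ParseIP(src)
	if ip == nil {
		return false // unparseable source: fail closed
	}
	for _, n := range p.AllowFrom {
		if n.Contains(ip) {
			return true
		}
	}
	return false
}

// SampleLog is a constructed WAN-side access log ("<src> <method> <path>"),
// not real router output.
const SampleLog = `203.0.113.10 GET /admin/login
198.51.100.77 POST /admin/login
203.0.113.42 GET /admin/status
192.0.2.9 GET /index.html`

// AuditLog returns the admin-interface requests the policy would refuse.
// Run against a real log, this is the list a defender wants to review:
// every line is an attempt to reach management from an unexpected source.
func AuditLog(p *RemoteAdminPolicy, log string) []string {
	var denied []string
	for _, line := range strings.Split(log, "\n") {
		f := strings.Fields(line)
		if len(f) < 3 || !strings.HasPrefix(f[2], "/admin/") {
			continue // not a management request
		}
		if !p.Permit(f[0]) {
			denied = append(denied, line)
		}
	}
	return denied
}

func main() {
	home, _ := NewPolicy(false, nil)
	office, _ := NewPolicy(true, []string{"203.0.113.0/24"})
	fmt.Println("default (remote management off):", AuditLog(home, SampleLog))
	fmt.Println("enabled with allowlist:          ", AuditLog(office, SampleLog))
}
```

With remote management disabled every management request from the WAN is refused, including the ones from the office network; enabling it with a one-network allowlist lets those through and still flags the request from 198.51.100.77. The ordinary page fetch is never part of the audit because the policy only governs the management path.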

Tod Beardsley, Senior Research Manager at Rapid7:

“The findings from Trustwave illustrate how a fairly normal security vulnerability is discovered — a researcher notices something funny going on in a device’s web application, and through a fairly manual process, stumbles across a bug that has gone unnoticed by the vendor. While the password disclosure issue is fairly low-severity, since the application is not exposed by default on the internet, and the attacker has only one chance to exploit it after a router reboot, the results of Trustwave’s coordinated disclosure work are impressive. I’m happy to see that NETGEAR is taking responsibility for levelling up their disclosure handling procedures and partnering with BugCrowd, a reputable bug bounty organization that helps equipment manufacturers like NETGEAR get a handle on how future vulnerabilities are handled and disclosed. Other home and small business router vendors can learn a lot from these experiences.”