NETGEAR recently issued a security advisory about a Transport Layer Security (TLS) certificate private key disclosure vulnerability on several of its routers. And this is apparently not the first time the company left TLS certificates and private keys exposed in their wireless router firmware.
The certificates and their private keys were embedded in the firmware, which was freely downloadable from a public website where anyone could find it, and with a little skill anyone could read the private key out of the image. A key recovered this way can be used to intercept and tamper with secure connections (man-in-the-middle attacks), so essentially any of the affected routers can be hijacked.
This is yet another example of manufacturers prioritizing time to market over device security. D-Link made the same mistake in 2015 when developers accidentally published keys in open-source firmware. NETGEAR should store these private keys in a secure HSM or use on-device key generation to generate the public-private keypair. This is an unfortunate but timely reminder to IT leaders to revisit and revise the way they approach device security to mitigate manufacturer vulnerabilities.
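The two mistakes described above, a private key shipped inside a firmware image that anyone can download, are cheap to catch before release. The following is an added example (not NETGEAR's or D-Link's code, and not from the advisory) of a pre-release audit that scans a firmware image for PEM-encoded private-key blocks and reports their type and offset; the sample image and its PEM body are constructed placeholders, not real key material.

```python
"""Pre-release firmware audit: flag PEM-encoded private keys embedded in an image."""
import re
from dataclasses import dataclass

# Matches any PEM private-key block (RSA, EC, PKCS#8, encrypted PKCS#8).
# DOTALL so the base64 body spanning several lines is captured.
_PEM_KEY_RE = re.compile(
    rb"-----BEGIN ((?:[A-Z]+ )?(?:ENCRYPTED )?PRIVATE KEY)-----"
    rb"(.*?)"
    rb"-----END \1-----",
    re.DOTALL,
)


@dataclass
class EmbeddedKey:
    offset: int      # byte offset of the BEGIN marker inside the image
    kind: str        # e.g. "RSA PRIVATE KEY", "EC PRIVATE KEY", "ENCRYPTED PRIVATE KEY"
    encrypted: bool  # encrypted PKCS#8 is still bad hygiene, but not plaintext disclosure


def find_embedded_private_keys(image: bytes) -> list[EmbeddedKey]:
    """Return every PEM private-key block found anywhere in a firmware image."""
    findings = []
    for m in _PEM_KEY_RE.finditer(image):
        kind = m.group(1).decode("ascii")
        findings.append(EmbeddedKey(offset=m.start(), kind=kind,
                                    encrypted=kind.startswith("ENCRYPTED")))
    return findings


def audit(image: bytes) -> list[str]:
    """Human-readable findings; an empty list means the image passed this check."""
    return [
        f"{'encrypted ' if k.encrypted else 'PLAINTEXT '}{k.kind} at offset 0x{k.offset:x}"
        for k in find_embedded_private_keys(image)
    ]


# Constructed sample image: junk bytes around a fake PEM block (the body is
# placeholder base64, not a real key), the way a careless build might ship it.
SAMPLE_IMAGE = (
    b"\x7fELF\x01\x01\x01" + b"\x00" * 64
    + b"-----BEGIN RSA PRIVATE KEY-----\n"
    + b"UExBQ0VIT0xERVJOT1RBUkVBTEtFWQ==\n" * 3
    + b"-----END RSA PRIVATE KEY-----\n"
    + b"/etc/ssl/server.crt\x00" + b"\xff" * 32
)

if __name__ == "__main__":
    for line in audit(SAMPLE_IMAGE):
        print("FAIL:", line)
```

Run this against every candidate image in the release pipeline and fail the build on any plaintext finding; a key generated on the device at first boot never appears in the image at all.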