Nearly all recent Netgear home routers have a serious flaw, allowing nefarious hackers to take control of a router and use it for denial of service attacks after the router's owner simply visits a malicious website.
Netgear believes that the R6200, R6400, R6700, R7000, R7100LG, R7300, R7900, and R8000 are subject to the "command injection" attack, and the company claims to be investigating the flaw. As the attack can remotely take place on the router itself just from visiting a malicious website, Apple owners with a Netgear router are still at risk.
Another researcher has discovered that the R7000P, R7500, R7800, R8500, and R9000 are also afflicted by the flaw.
The exploit was initially published on Dec. 9, and later revealed by CERT on Dec. 11. Netgear did not go public with the issue until Dec. 12.
The original discoverer of the exploit claims that he told Netgear about the problem on Aug. 25, contrary to a public statement by Netgear claiming that the company is being "pro-active, rather than re-active" to security issues.
Netgear R7000 Command Injection. https://t.co/TJvVdlEokU
— Acew0rm (@Acew0rm1) December 8, 2016
"Exploiting these vulnerabilities is trivial," writes CERT. "Users who have the option of doing so should strongly consider discontinuing use of affected devices until a fix is made available."
Identifying if you're affected
Users can test whether their router is vulnerable from within the router's network by entering the router's IP address, generally 192.168.1.1, in the following format:
http://[router IP address]/cgi-bin/;reboot
If the router reboots, then it is vulnerable to the flaw.
Rectifying the issue
The same flaw can be used to shut down the vulnerable web server. The fix lasts only until the router restarts. After the command is executed, the router's web administration tools are not available.
http://[router IP address]/cgi-bin/;killall$IFS'httpd'
Netgear has released beta firmware for an assortment of routers afflicted by the issue, but not all of them. The company notes that "this beta firmware has not been fully tested and might not work for all users."
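Both URLs above share one shape: a path that begins with /cgi-bin/ followed directly by a semicolon and a command. The Python below is an added example, not code from the original article or from Netgear, that flags that shape in web proxy log lines so an administrator can spot pages that triggered such a request; the log format, the sample lines and the router hostname list are assumptions made for illustration.

```python
import ipaddress
import re
from urllib.parse import unquote, urlsplit

URL_RE = re.compile(r"https?://\S+", re.IGNORECASE)
MARKER = "/cgi-bin/;"  # shape shared by both URLs quoted in the article
# Assumption: hostnames a Netgear router answers to on the LAN.
ROUTER_HOSTS = {"routerlogin.net", "www.routerlogin.net", "routerlogin.com"}

def is_lan_target(host):
    """True for a private or link-local IP literal, or a listed router hostname."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:  # not an IP literal, so compare as a hostname
        return host in ROUTER_HOSTS
    return ip.is_private or ip.is_link_local

def injected_command(url):
    """Return (host, command) if the decoded path starts with MARKER, else None."""
    try:
        parts = urlsplit(url)
    except ValueError:  # malformed URL, e.g. unbalanced IPv6 brackets
        return None
    path = unquote(parts.path)  # also catches a %3B-encoded semicolon
    if not path.startswith(MARKER):
        return None
    return (parts.hostname or "", path[len(MARKER):])

def scan(lines):
    """Return (line_number, host, command, lan_target) for each suspicious URL."""
    findings = []
    for number, line in enumerate(lines, start=1):
        for url in URL_RE.findall(line):
            hit = injected_command(url)
            if hit:
                host, command = hit
                findings.append((number, host, command, is_lan_target(host)))
    return findings

# Constructed sample lines in a made-up "time client method url status" format.
SAMPLE_LOG = [
    "2016-12-12T09:14:02 10.0.0.23 GET http://192.168.1.1/cgi-bin/;reboot 200",
    "2016-12-12T09:14:05 10.0.0.23 GET http://192.168.1.1/cgi-bin/%3Bkillall$IFS'httpd' 200",
    "2016-12-12T09:15:40 10.0.0.31 GET http://routerlogin.net/start.htm 200",
    "2016-12-12T09:16:11 10.0.0.31 GET http://example.com/cgi-bin/search;jsessionid=1 200",
]

if __name__ == "__main__":
    print(*scan(SAMPLE_LOG), sep="\n")
```

The client address on each flagged line identifies the machine whose browser made the request, which is where to look for the page that caused it.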
Apple may be getting out of the router game
Apple's AirPort series of routers is immune to this particular attack; however, updates may not be available for that much longer.
Near the end of November, reports started circulating that Apple may be exiting the Wi-Fi router business. Former AirPort engineers are now reportedly working on other teams, including Apple TV development.
The internal changes suggest that Apple has no plans to update its lineup of routers, including the AirPort Extreme, Time Capsule, and AirPort Express. Apple's portable AirPort Express has not even been updated to 802.11ac.
The AirPort Extreme and Time Capsule products are not currently being sold in some Apple Retail stores.
64 Comments
I would hope no one considers trash like Netgear or DLink to replace an AirPort. Something higher end like Ubiquiti would be more appropriate.
Apple renamed themselves from Apple Computer to Apple years ago because they made more than computers. As they fail to even maintain or upgrade the products they do make in any significant way, they should rename themselves just Apple Phone, or since they only care about games and music and movies, just Apple Entertainment.
This is a market Apple should not be leaving, still lots of room for innovation and still a way to make buying into the Apple ecosystem just work.
As a long time AirPort fan (bought and recommended dozens of them), I am disappointed by Apple's leaving this product segment.
I buy Apple for security and simplicity and expected that to begin at my router/firewall.
At first I thought Apple might be leaving because they got in to help spread WiFi and left when there were so many competent router makers.
Now we see that the other router makers are not always so competent and I've begun to wonder if Apple exited because they felt they didn't have the wherewithal to make a router that wouldn't be compromised, so they would leave the bad PR to the other router makers.