The firmware updater of some Netgear routers are apparently unsafe. Whether and how the manufacturer reacts to the problem is completely unclear. The manufacturer has been silent for weeks.
Netgear Routers Retrieve SSL Encrypted Firmware Updates
The devices should not check the server certificate used, specifically the download tool with the parameter. No check certificate should be used behind the scenes. An attacker could therefore deliver manipulated firmware updates and ultimately take over the routers. For this to work, the attacker has to redirect the router’s data traffic.
Meanwhile, the researchers recommend switching off the automatic update function and not performing any firmware downloads with the router’s web interface. Instead, owners of the affected router models should download the update files from the service area of the manufacturer’s website and import them manually with the web interface.
Criminals Could Mimic A Bank’s Home Page
If an attacker succeeds in connecting to this chain using a manipulated address book, he can cheer the router with other IP addresses and thus guide the user to fake websites. For example, criminals could mimic a bank’s home page to tap the login information that is typed in on the fake page.
The target of the attack is the administration interface of the router. Even if it is decoupled from remote maintenance and is actually only available in the local network, it can be attacked, since routers are often not protected against attacks. With this attack, the cybercriminals primarily take advantage of the convenience of the user.Many users configure a router only once, after which they no longer worry about it. Regular firmware updates are very important for this interface.
The worst of the flaws lets hackers remotely install malware on the Nighthawk X4S gaming router, model R7800. That could lead to the entire Wi-Fi network and all web traffic that runs through it being compromised. Netgear gives that vulnerability a severity score of 9.4/10, which qualifies as “critical.”