As ax awaits Apple's AirPort, wide swath of Netgear routers found subject to serious vulnerability

AppleInsider

Nearly all recent Netgear home routers have a serious flaw, allowing nefarious hackers to take control of a router and use it for denial of service attacks after the router's owner simply visits a malicious website.

Netgear believes that the R6200, R6400, R6700, R7000, R7100LG, R7300, R7900, and R8000 are subject to the "command injection" attack, and the company claims to be investigating the flaw. As the attack can remotely take place on the router itself just from visiting a malicious website, Apple owners with a Netgear router are still at risk.
"Exploiting these vulnerabilities is trivial" -- CERT
Another researcher has discovered that the R7000P, R7500, R7800, R8500, and R9000 are also afflicted by the flaw.

The exploit was initially published on Dec. 9, and later revealed by CERT on Dec. 11. Netgear did not go public with the issue until Dec. 12.

The original discoverer of the exploit claims that he told Netgear about the problem on Aug. 25, contrary to a public statement by Netgear claiming that the company is being "pro-active, rather than re-active" to security issues.

Netgear R7000 Command Injection. https://t.co/TJvVdlEokU

-- Acew0rm (@Acew0rm1)

December 8, 2016

"Exploiting these vulnerabilities is trivial," writes CERT. "Users who have the option of doing so should strongly consider discontinuing use of affected devices until a fix is made available."

Identifying if you're affected

Users can test to see if their router is vulnerable to the flaw from within the router's network by entering the IP address of the router, generally 192.168.1.1 in the following format:

http:///cgi-bin/;reboot

If the router reboots, then it is vulnerable to the flaw.

Rectifying the issue

The same flaw can be used to shut down the assailable web server. The fix lasts until the router restarts. After executing the command, the router's web administration tools are not available.

http:///cgi-bin/;killall$IFS'httpd'

Netgear has released beta firmware for an assortment of routers afflicted by the issue, but not all of them. The company notes that "this beta firmware has not been fully tested and might not work for all users."

Apple may be getting out of the router game

Apple's AirPort series of routers is immune to this particular attack, however, updates may not be available for that much longer.

Near the end of November, reports started circulating that Apple may be exiting the Wi-Fi router business. Former AirPort engineers are now reportedly working on other teams, including Apple TV development.

The internal changes suggest that Apple has no plans to update its lineup of routers, including the AirPort Extreme, Time Capsule, and AirPort Express. Apple's portable AirPort Express has not even been updated to 802.11ac.

The AirPort Extreme and Time Capsule products are not currently being sold in some Apple Retail stores.

thewhitefalcon

I would hope no one considers trash like Netgear or DLink to replace an AirPort. Something higher end like Ubiquity would be more appropriate. 

phone-ui-guy

thewhitefalcon said:

I would hope no one considers trash like Netgear or DLink to replace an AirPort. Something higher end like Ubiquity would be more appropriate. 

If I have to buy something other than airport, it will be Cisco. Hopefully Apple doesn't exit the segment as they make a nice hassle free product.

larryjw

Apple renamed themselves from Apple Computer to Apple years ago because they made more than computers. As they fail to even maintain or upgrade the products the do make in any significant way, they should rename themselves just Apple Phone, or since they only care about games and music and movies, just Apple Enterainment.

IanS

This is a market Apple should not be leaving, still lots of room for innovation and still a way to make buying into the Apple ecosystem just work.

robertwalter

As a long time Airport fan (bought and recommended dozens of them), I am disappointed by apple's leaving this product segment. 

I buy Apple for security and simplicity and expected that to begin at my router/firewall. 

At at first I thought Apple might be leaving because they got in to help spread WiFi and left when there were so many competent router makers. 

Now we see that the other router makers are not always so competent and I've begun to wonder if Apple exited because the felt they didn't have the wherewithal to make a router that wouldn't be comprised, so they would leave the bad PR to the other router makers. 

blastdoor

I was looking into Mesh networking products the other day. I see that there are some highly regarded offerings. I understand the argument that Apple thinks they have nothing to offer relative to those players. 

But I think those arguments are wrong. 

Even if Apple can't add anything in terms of the product's technical spec sheet, they can add a highly credible claim that they will do their best to keep your local network secure. And when they pair that with TimeCapsule, they can make a highly credible claim to keep your data safe and secure. 

Now... I'm NOT suggesting that Apple has zero security/reliability issues with their products. They aren't perfect. 

But compared to alternative vendors who exist in the real world, there is no other company that I trust more (at least none that is in my price range, offering products that more or less "just work" for consumers, prosumers, and small businesses). There might occasionally be a company that offers a better product, but none that do it consistently year after year. 

I really want Apple to figure out how to produce, update, and maintain more than just a small handful of products. I want a grown-up version of Apple. Some people misinterpret that to mean that I want Apple to become just like other big companies, but that's not it. I want Apple to become a grown-up version of itself -- to be the best it can be. 

boredumb

larryjw said:

...since they only care about games and music and movies, just Apple Enterainment.

Since they don't even produce those things, if that's all they focus on, why not simply "Crapple"?

But, more seriously, given the relative router security in question, I must reiterate my previous suggestion
as to whether Apple actually did maintain their privacy position and standards in their disputes with the U.S. government?
Or did they do so only in public, while quietly caving in private?  I hope we don't find out "the hard way",
and I hope moves like this one aren't early indicators...

battlescarred1

Do you think it's possible that Apple has moved former Airport engineers to the Apple TV side, in order to make the AppleTV a home hub that includes the router?

wigby

robertwalter said:

As a long time Airport fan (bought and recommended dozens of them), I am disappointed by apple's leaving this product segment. 

I buy Apple for security and simplicity and expected that to begin at my router/firewall. 

At at first I thought Apple might be leaving because they got in to help spread WiFi and left when there were so many competent router makers. 

Now we see that the other router makers are not always so competent and I've begun to wonder if Apple exited because the felt they didn't have the wherewithal to make a router that wouldn't be comprised, so they would leave the bad PR to the other router makers. 

So long as they're still making computers and phones, they will still be vulnerable to all sorts of attacks. No one pays any attention to a headline with the word "router" in it except tech and security blogs. Perhaps that's the only reason they left this space, because it's hard to find any innovation in commodity products like these. Routers are dumb pipes with very little value added. Either they work or they don't and most people just use the one that came with their cable modem and never think twice about them because they are invisible.

holyone

battlescarred1 said:

Do you think it's possible that Apple has moved former Airport engineers to the Apple TV side, in order to make the AppleTV a home hub that includes the router?

If the rumors are to be believed, probably moved over to the Eco challenger coming soon, wonder what they'll call it

christophb

I've never had anything but a bad experiences with Netgear switches and routers.  Slow performers in general, terrible support and awful interfaces.  If Apple leaves this market, it's back to Linksys for me.  My only complaint about the Airports is the need to reboot after even minor config changes.

danielchow

battlescarred1 said:

Do you think it's possible that Apple has moved former Airport engineers to the Apple TV side, in order to make the AppleTV a home hub that includes the router?

This seems a logical strategy because Apple is delegating AppleTV to handle Home (?). Our AppleTV is in the basement, the media room, so I have always wondered how well Home devices on the upper floors in other distant rooms communicate with it. We do not have Home devices installed. Perhaps the next line of Home products will either have the W1 chip or WIFI for extended range (?). 

rob53

blastdoor said:

I was looking into Mesh networking products the other day. I see that there are some highly regarded offerings. I understand the argument that Apple thinks they have nothing to offer relative to those players. 

But I think those arguments are wrong. 

Even if Apple can't add anything in terms of the product's technical spec sheet, they can add a highly credible claim that they will do their best to keep your local network secure. And when they pair that with TimeCapsule, they can make a highly credible claim to keep your data safe and secure. 

Now... I'm NOT suggesting that Apple has zero security/reliability issues with their products. They aren't perfect. 

But compared to alternative vendors who exist in the real world, there is no other company that I trust more (at least none that is in my price range, offering products that more or less "just work" for consumers, prosumers, and small businesses). There might occasionally be a company that offers a better product, but none that do it consistently year after year. 

I really want Apple to figure out how to produce, update, and maintain more than just a small handful of products. I want a grown-up version of Apple. Some people misinterpret that to mean that I want Apple to become just like other big companies, but that's not it. I want Apple to become a grown-up version of itself -- to be the best it can be. 

wigby said:

robertwalter said:

As a long time Airport fan (bought and recommended dozens of them), I am disappointed by apple's leaving this product segment. 

I buy Apple for security and simplicity and expected that to begin at my router/firewall. 

At at first I thought Apple might be leaving because they got in to help spread WiFi and left when there were so many competent router makers. 

Now we see that the other router makers are not always so competent and I've begun to wonder if Apple exited because the felt they didn't have the wherewithal to make a router that wouldn't be comprised, so they would leave the bad PR to the other router makers. 

So long as they're still making computers and phones, they will still be vulnerable to all sorts of attacks. No one pays any attention to a headline with the word "router" in it except tech and security blogs. Perhaps that's the only reason they left this space, because it's hard to find any innovation in commodity products like these. Routers are dumb pipes with very little value added. Either they work or they don't and most people just use the one that came with their cable modem and never think twice about them because they are invisible.

Check out http://www.cvedetails.com/vulnerability-list.php?vendor_id=49&product_id=4933&version_id=0&page=1&hasexp=0&opdos=0&opec=0&opov=0&opcsrf=0&opgpriv=0&opsqli=0&opxss=0&opdirt=0&opmemc=0&ophttprs=0&opbyp=0&opfileinc=0&opginf=0&cvssscoremin=0&cvssscoremax=0&year=0&month=0&cweid=0&order=1&trc=7&sha=285cd0375e920e1acc5ae050a0c8c8a001b4a9f6. ;

Seven CVE vulnerabilities but only one since 2011. It appears all of these have been fixed by Apple. 

I agree with @blastdoor and disagree with @wigby about whether routers are just dumb pipes. It's the same with encryption on iPhones. People just need to be educated about computer and router security, just like they've been educated about phishing attacks and identity theft. Apple tries to do this and gets ridiculed for it. Instead of giving up and suggesting people just don't care, we as educated computer technicians need to help spread the word about these real issues and not simply sweep them under the carpet. We have a President elect and corrupt FBI who's good at doing those things when they see the angle in doing so. 

mobird

larryjw said:

Apple renamed themselves from Apple Computer to Apple years ago because they made more than computers. As they fail to even maintain or upgrade the products the do make in any significant way, they should rename themselves just Apple Phone, or since they only care about games and music and movies, just Apple Enterainment.

How about Apple EMOJI

az_user

Most home owners would not expend the funds to acquire a top model Cisco router. The Apple equipment has worked well enough for years and was slightly more expensive than the bottom tier models.  The sad removal of control over the devices and removal of features by changing software in the last three or four years is a big disappointment.

To correct an error in a prior post above about availability, these Airport products are still for sale at Apple stores both in the USA and the UK as I recently had orders filled in both countries in the last two weeks.

Metriacanthosaurus

I still can't fathom the idea of Apple abandoning the AirPort. They are the only routers I use, recommend, or will ever use or recommend.

volcan

I have AirPort Extreme at home and Linksys at the office. The AE is about two years old and never had any problems. I've gone through about five Linksys routers in as many years. Sure some were upgraded for new protocols but others just quit working. Never owned a Netgear.

jdgaz

I am still in denial about Apple leaving the router business. My whole home infrastructure behind the modem is Apple. Would love to keep it that way. Never quite understood why Apple didn't push the marketing engine a bit on the router side of the business.

eightzero

IanS said:

This is a market Apple should not be leaving, still lots of room for innovation and still a way to make buying into the Apple ecosystem just work.

I am disappointed as well. I've concluded that a primary reason for their departure must be that there is likely little profit to be had. There is seemingly a lot of competition. and the advantages of the Apple product's premium price might not be evident to many. 

It is possible that a strategic decision was made regarding this segment of the ecosystem as well: if a user can attach large storage at home (4TB drives are now about $100) it might interfere/ compete with Apple's iCloud service that they charge for. Note that the new file management thingy only works to offload desktop/document files to iCloud, a service that requires a subscription for use. 

But...Apple seems to be proactive about security and privacy, at least for iPhone as the cash cow. Seems like maybe they are less interested in that issue when there is no money in it for them. Color me shocked?

romanmar

First thing I did when I got my r7000 router, years ago is install dd-wrt software for all the extra features.  Just tested and it's working fine, no vulnerabilities.