NETGEAR is aware of a growing number of phone and online scams. To learn how to stay safe click here.
Forum Discussion
Orbi 2.2.1.210 fimware security issue (turns on guest network with no password)
Has anyone else experienced this? I upgraded by Orbi to 2.2.1.210 - everything seemed fine. I have a guest network (with a password) that I leave disabled and only enable when we have a guest. It is also set to not allow access to my LAN.
A few days after upgrading I noticed that my guest network was active with NO PASSWORD and it could access my LAN. I logged into the Orbi console and it was still set to disabled, but it was broadcasting and I could connect to it with no password. The only way to turn it back off was to turn the guest network on and off again.
This is a serious security flaw! I now have major concerns about the security of this device which I've had no problems with for over a year.
43 Replies
btw - the guest network had a password set.
I just noticed this today. I have never set up the Guest network to use or turned it on yet! I suddenly realised there was a lot of devices connected that I could not work out who they were in the household or the device! Then realised on my laptop that NETGEAR-Guest was broadcasting totally open! argh!
I logged into Orbi and enabled guest network and added a password to secure it, I then turned it off! It was now secured but still broadcasting. I then reset the Orbi and it's vanished! phew! Iam not sure if it will turn itself on again but I recommend setting a password for it, turn it on and then off. The whole time the Orbi status said that the Guest Network was not enabled apart from when I turned it on to secure it. So it was broadcasting and turned on all by itself!
I have upgraded to 2.2.1.210 about a week ago
Try FW re-load and full factory reset and setup from scratch:
Does it still occur after this?
I have already fixed it as I described - namely, by turning the guest network on and back off again.
I was however, highlighting the issue that this may happen when the firmeware is updated and it shouldn't happen. It was pure chance that I noticed this and my network had been completely open for several days as a result.
Would need to try a factory reset and setup from scratch to see if this is something that changed in the new FW. Something NG will need to know.
ploo wrote:
I have already fixed it as I described - namely, by turning the guest network on and back off again.
I was however, highlighting the issue that this may happen when the firmeware is updated and it shouldn't happen. It was pure chance that I noticed this and my network had been completely open for several days as a result.
I use a spectrum analyzer every now and then to see if my wifi has any interference with neighbors, etc.
Noticed for a couple days that a very strong signal called 'NETGEAR-Guest' had the same signal strength as me and I thought it was a neighbor.
After walking around trying to find the signal I determine that it had to be in my house.
I thought something was weird, so I went to the mobile app and it showed as disabled. In the mobile app, I enabled guest, hit save, then went and disabled guest and save and the guest ap then disappeared.
I wonder how many people out there have a guest signal open and don't even realize it, this seems very bad and I have no idea how this got enabled.
Hi all,
Just wanted to add that I ran into this today too. I'd been adding a new Netgear modem/router (DM200), and configuring my Orbi wi-fi settings etc (although not for the guest network), when I noticed an unsecured ORBI-Guest network. I was shocked to discover that it was my Orbi, even though I had made no changes to the guest network settings whatsoever, and the checkbox was unchecked in the admin page! Enabling it then disabling it, and rebooting the Orbi (via the admin page) made no difference.In the end I had to power off my satellite (RBS50), after which the guest network disappeared.
This is a major security flaw, and should be addressed as a matter of urgency by Netgear.Edit: May be relevant that I'm in AP mode.
- This just happened to me tonight. I came home and was working on a CradlePoint and I noticed the Netgear-Guest network in my list. I click and attach to it and get an IP address. I'm then able to surf the internet. I pull up my port scanner and scan the subnet but I don't find anybody else. I wanted to know who had a wide open network so I did a reverse lookup and what do you know, it was my f-in IP address, blew me away! I went and checked the settings and sure enough it showed disabled while in fact it was enabled. I changed the guest network name and rebooted and it looks OK now, but this is a major security issue. I am running version 2.2.1.210 and have 1 satellite (likely not for much longer).
I ust checked and had the same issue, the guest network being enabled with no password, despite the settings showing the guest network was disabled. Since I've never enabled it, there isn't a password set, so that wasn't an issue, but it shouldn't spontaneously enable itself.
And, before anyone asks, I've manually loaded the 2.2.1.210 firmware before, following other issues, and I iddn't use the guest network with previous firmware versions, either.
I don't live in a very dense area, so it's not terrible, as far as neighbors getting on my network, but still a security issue that should be addressed, especially since the Orbi doesn't fully segment the guest network from the regular private network anyway.
- Someone at bugcrowd got back to me. Please can someone help me answer the question: What are the steps to reproduce this bug?
The bug seems to be with the satellite not being able to fully get the config changes from the base. Lots of different ways to reproduce and it's worse if the Orbi is in AP mode and something else on the network is acting as the DHCP server.
If you perform a firmware upgrade, then the satellite will revert to default settings and start Broadcasting the guest network. It won't get the settings from the base until you perform a physical reset and then initiate a sync.
If you make a change on the base unit, the satellite does not get the changes (even if it shows as registered on the base unit) - so now you have the base broadcasting the new settings and the satellite broadcasting the old ones. Once again, you have to hard reset the satellite and re-connect/sync it to the base for the settings to propogate.
If you are in Router mode - then you might not get an IP address from the base, but you could technically still connect via the satellite and assign yourself a static IP.
Some folks are reporting that a reboot fixes it - but that never worked for me. I always had to do the hard reset (which sometimes won't work unless you hold the button for 90 full seconds).
