
HaroldCarl
Jan 25, 2019

Security Gap: How to enable https communication between Orbi RBR50 router and RBS50 satellite

It seems that there is a high security risk in the communication (normal and backhaul) (RBK50) which occurs between the Orbi RBR50 and RBS50. The communications are http and not https.

 

I would like to see if anyone has a fix for this, especially when using these products in AP mode?

 

It seems that this has not been addressed as a part of the most recent firmware? 

4 Replies

  • What FW version do you have loaded?

    Can you let us know how you're finding this?

    Does this happen in router mode as well? 

    What security mode do you have set on the Orbi? WPA2 and AES only is recommended. 

     

    You should file a support ticket here and notify NG:

    https://www.netgear.com/mynetgear/registration/login.aspx


    HaroldCarl wrote:

    It seems that there is a high security risk in the communication (normal and backhaul) (RBK50) which occurs between the Orbi RBR50 and RBS50. The communications are http and not https.

     

    I would like to see if anyone has a fix for this, especially when using these products in AP mode?

     

    It seems that this has not been addressed as a part of the most recent firmware? 


     

     

     

    • CrimpOn
      Guru

      I, also, am interested in how this conclusion about the backhaul was reached.

       

      It is well-known that the connection to Orbi's web interface is HTTP instead of HTTPS.  This is one reason the default configuration is not to allow "remote administration."  It is also a reason to use a wired computer to administer the router.  (Not just Orbi, but any router that uses HTTP.)  No packets "in the air" is reasonably secure.

       

      Traffic between the router and satellites is encrypted.  Here's a community thread discussing the process: https://community.netgear.com/t5/Orbi/Orbi-Backbone-Password-Generation/td-p/1260457

      As the thread mentions, anyone who lacks confidence in Netgear's randomly generated password can create their own on the Orbi web interface by going to Advanced->Wireless Settings->Backhaul Password.

       

      I think we're always concerned about potential security threats and want to know what you found.

      • Flibbidyfloo
        Guide

        CrimpOn wrote:

         

        It is well-known that the connection to Orbi's web interface is HTTP instead of HTTPS.  This is one reason the default configuration is not to allow "remote administration."  It is also a reason to use a wired computer to administer the router.  (Not just Orbi, but any router that uses HTTP.)  No packets "in the air" is reasonably secure.

        By "remote administration" do you mean "remote management"? I can't find any options for disabling remote administration, but it seems like what you'd want to do is disable administration over wireless connections, which I also can't find a setting for. This is a common setting on the other routers I've used, so maybe I'm just missing it in the labyrinthine Orbi config menus.

         

        The option "enable remote management" in the app is turned off, but I can still access the admin menus via http from a wifi connected PC.