Forum Discussion
HaroldCarl
Jan 25, 2019, Tutor
Security Gap: How to enable https communication between orbi RBR50 router and RBS50 satellite
It seems that there is a high security risk in the communication (normal and backhaul) (RBK50) which occurs between the Orbi RBR50 and RBS50. The communications are http and not https.
I would l...
CrimpOn
Jan 25, 2019, Guru - Experienced User
I, also, am interested in how this conclusion about the backhaul was reached.
It is well-known that the connection to Orbi's web interface is HTTP instead of HTTPS. This is one reason the default configuration is not to allow "remote administration." It is also a reason to use a wired computer to administer the router. (Not just Orbi, but any router that uses HTTP.) No packets "in the air" is reasonably secure.
Traffic between the router and satellites is encrypted. Here's a community thread discussing the process: https://community.netgear.com/t5/Orbi/Orbi-Backbone-Password-Generation/td-p/1260457
As the thread mentions, anyone who lacks confidence in Netgear's randomly generated password can create their own on the Orbi web interface by going to Advanced->Wireless Settings->Backhaul Password.
I think we're always concerned about potential security threats and want to know what you found.
Flibbidyfloo
Apr 12, 2019, Guide
CrimpOn wrote:
It is well-known that the connection to Orbi's web interface is HTTP instead of HTTPS. This is one reason the default configuration is not to allow "remote administration." It is also a reason to use a wired computer to administer the router. (Not just Orbi, but any router that uses HTTP.) No packets "in the air" is reasonably secure.
By "remote administration" do you mean "remote management"? I can't find any options for disabling remote administration, but it seems like what you'd want to do is disable administration over wireless connections, which I also can't find a setting for. This is a common setting on the other routers I've used, so maybe I'm just missing it in the labyrinthine Orbi config menus.
The option "enable remote management" in the app is turned off, but I can still access the admin menus via http from a wifi connected PC.
- CrimpOn, Apr 12, 2019, Guru - Experienced User
Flibbidyfloo wrote:
The option "enable remote management" in the app is turned off, but I can still access the admin menus via http from a wifi connected PC.
This observation is correct (and sad). Alas, those of us who have desktop and laptop computers with ethernet ports are a dying breed. Customers without such devices purchase WiFi routers to connect their phones, tablets, televisions, IoT devices, etc. Without WiFi access to Orbi, they could not set it up. In recent months, numerous questions have been asked on this Forum by people who rely on the Orbi app to manage their system, not the web interface.
I believe this is the factor that will drive Netgear to implement https: on the router. (When it is no longer acceptable to say, "use a desktop for that.") My guess is that for now, they are relying on WiFi encryption to protect the router. The average neighbor is not likely to have the expertise or patience to crack a home WiFi. It would be fascinating to know if the "Pro" Orbi line secures the web interface.