stefan_eb
Jul 15, 2019 (Tutor)
Firmware 2.3.5.30 Security Vulnerability?
Hi, I just updated my Orbi RBR50/RBS50 to the new Firmware 2.3.5.30. I am also a subscriber of the Netgear Bitdefender Armor. After the update I got a notification for a potential security risk (see a...
- Jul 15, 2019
Please post in the Armor forum about this:
https://community.netgear.com/t5/NETGEAR-Armor/bd-p/en-home-armor
CrimpOn
Jul 15, 2019 (Guru - Experienced User)
stefan_eb wrote: Should Netgear do something about it?
Ha! This is SO COOL. Netgear is ratted out by their own partner. Using http for the "inside the LAN" router access is a feature of many routers, not just Netgear. I have never seen an explanation for why they do this, but my own (personal) belief is:
- People are supposed to use complex passwords on the administrative account.
- If someone has physical access to a wired port on the Orbi, then they are "inside the safe" and already can do anything they want.
- If someone wants to hack using WiFi, they have to breach the (supposedly) complex WiFi password.
- If the owner is paranoid, he can use Access Control to keep anyone from attaching a new device.
The goofy part is that when "Remote Access" is turned on, that interface is https. So, they already support a secure web interface. They just don't use it for internal access.
This is a well-documented issue that Netgear (and other router makers) seem to think is not a high priority.
FURRYe38
Jul 15, 2019 (Guru - Experienced User)
I would agree that the LAN side UI may need HTTPS at some point, however not a lot of hacking goes on on the LAN side. Though not everyone seems to be proactive in some countermeasures, Mfrs may be just waiting for a real need for HTTPS on the router's UI. May involve more than just changing protocols as well. Most routers and APs and such don't use HTTPS for LAN side access. Been like this since the start. Some printers now do though.