Easy to get the router's account and password

Question

It's easy to get the router's admin's account and password through the Nighthawk app.

When my phone is connected to a netgear router,I only need to open the Nighthawk app and choose login in with touchId(use fingerprint,without the router's admin account and password),then I get the router's authority even the root's account and password is plaintext and can be inquiried from the app.It's dangerous and horrible.Hope that the bug can be fixed soon.

michaelkenward · Answer

aabbcc&nbsp;wrote:
It's easy to get the router's admin's account and password through the Nighthawk app.
&nbsp;

Can you explain what password you are talking about here?
&nbsp;
Is it the one you use to get in to control the device or the one you need to use the wifi?
&nbsp;
And what Nighthawk App is this? Android? iThing?
&nbsp;
I don't use fingerprint detection, but wouldn't you expect it to respond to your fingerprint to get in to the thing?
&nbsp;
Or are you saying that it will respond to any fingerprint?
&nbsp;
Or does it let you in even if you haven't set up fingerprint recognition?
&nbsp;
The big risk is if anyone can just pick up your device and get into the router. Is that what you are saying?
&nbsp;

aabbcc · Answer

michaelkenward&nbsp;wrote:aabbcc&nbsp;wrote:It's easy to get the router's admin's account and password through the Nighthawk app.&nbsp;Can you explain what password you are talking about here?&nbsp;Is it the one you use to get in to control the device or the one you need to use the wifi?&nbsp;And what Nighthawk App is this? Android? iThing?&nbsp;I don't use fingerprint detection, but wouldn't you expect it to respond to your fingerprint to get in to the thing?&nbsp;Or are you saying that it will respond to any fingerprint?&nbsp;Or does it let you in even if you haven't set up fingerprint recognition?&nbsp;The big risk is if anyone can just pick up your device and get into the router. Is that what you are saying?&nbsp;I'm talking about the password of the control of the router,IOS app.Firstly,connect the netgear router by wifi.Then,open the&nbsp;Nighthawk App.Choose "LOG IN WITH TOUCHID"Success,and get the control of the device.Even can get the admin's password.&nbsp;It means anyone once he connect the netgear router's wifi I shared and install the nightkaws app,He can get the control of the device by his own TOUCHID through the nightkaws app&nbsp;without admin's account and password and can do anything he wants to do.&nbsp;

schumaku · Answer

When activating the Touch ID (fingerprint sensor) in the App, you allow the App to store the admin password - thus when unlocking the App using the Touch ID, you allow the App to access the router and offer all the App convenience to the customer.
&nbsp;
This usage and security model is the very similar in many applications, even finance Apps like Paypal allow almost full access to your Paypal accounts.
&nbsp;
One might dispute that the Nightawk App does not allow removing the Touch ID access however, reverting to password is apparently&nbsp;to difficult for many home users or consumers, as this is one of the most asked questions: "I forgot the router password.". That's why the capability is there in the App - to see the password - after a valid authentication&nbsp;by Touch ID.

michaelkenward · Answer

Sorry. I am still lost.
&nbsp;
How does the use of fingerprint access on your iPhone give someone else access to your router's control interface and its wifi passwords?
&nbsp;
&nbsp;

schumaku · Answer

It's like a stored password or "remember me" - the Touch ID does allow to unlock Michael. When I'm using for the Paypal App to send or receive money, it's the same - the login is linked to the fingerprint (however - stored password, token, certificate, ...), no need to enter the password.
&nbsp;
Here on Android (Pixel 2, Android 8.1) the "Login with your fingerprint" is a little bit wonky of workable at all on the Nightawk App.

Forum Discussion

Easy to get the router's account and password

9 Replies