piemmm
Aug 04, 2021 Aspirant
Insecure WiFi on RBR850 when WPA2 used
Hello! Has anyone noticed that the Orbi creates an unencrypted WiFi network (as well as an encrypted one with the same name, and you only get to see the encrypted one on most phones)? My conf...
FURRYe38
Aug 04, 2021 Guru - Experienced User
Let's troubleshoot this first before claiming nobody saw this. Mine's working and I haven't seen this. One user did report this earlier this year and we believe it was fixed with a reset and setup.
Let's factory reset the RBR and RBS. Press the reset button on each for 15 seconds then release. Complete the RBR setup wizard. I would not sync the RBS until after the setup wizard completes. Do this with a wired PC and web browser with the RBR.
After you get the RBR set up, take 1 RBS, while in the same room as the RBR, and sync the RBS to the RBR by pressing the sync button on the back of the RBS first, then RBR. Or use the RBR's Add Satellite web feature.
Wait for the front to turn BLUE then give about 5 minutes. Check the RBS web page for WPA status. If you have a 2nd RBS, do the same process to re-sync it.
How were the RBR and RBS updated? Automatically or manually download FW files?
What is the size of your home? Sq Ft?
What is the distance between the router and 📡 satellite(s)? 30 feet or more is recommended in between RBR and RBS📡 to begin with depending upon building materials when wirelessly connected.
piemmm
Aug 05, 2021 Aspirant
I'll correct that by first stating that it's likely 2 tech savvy people have noticed this issue (whereas scores of non-tech savvy people who may not know, have not). Also, depending on your country, this could make some people directly liable for (even unwittingly) running an open AP should it be abused.
I have already reset the AP twice and gone through the setup process. However I will follow your instructions and do it 'your way'. Regardless of this however, this is a serious bug and it needs to be addressed with a firmware update.
There will be many non-tech people who are unwittingly running an open, insecure network because of this.
- piemmm Aug 05, 2021 Aspirant
I now have this working. The setup process is completely borked, making assumptions about the network it is plugged into that it should not be. It is impossible to use the normal setup process, so I eventually worked around it.
Setup assumption that it can always have 192.168.1.1 (it cannot, another device has that on this network).
Setup assumption that I want to use this as a router and not a simple AP. (I have a proper firewall for my gateway, orbi will never be more than an AP)
Setup assumption that the wifi name I choose is not already active (as being retired, but not yet). This completely screws up the setup process.
Additionally:
Netgear-Guest appears randomly each time the orbi devices are rebooted. This should never happen, even for a second as it's not configured.
If the setup fails to complete for whatever reason, an insecure AP will be created on 5G alongside an encrypted one. The app will not notify you have an insecure network, and will not sync the proper settings to the satellite routers to secure the network. Only a full reset cures this and working around issues with the setup.
There is no notification to the user that the network is in this insecure state, so they don't know to fix it. This could be trivial to put into the app as you could be in deep water in some countries for running an open AP (GDPR, anti terrorism laws relating to WiFi (I kid not), etc).
All of this stems from inadequate testing.
To answer your previous questions regarding firmwares, I was able to reproduce this on the original factory firmware and the latest firmware (as in my screenshot). All orbis were in the same room. Firmware was updated manually. The app will also let you abort the setup process halfway through (and then let you in as if it was fully completed). I used the web interface in all instances to configure the router (after realising that the app was, basically, "not good at all").
I'm wondering if this is worth a CVE as there will be people unawares that they are running an open access point.
- piemmm Aug 05, 2021 Aspirant
Just to add to this, another bug:
Setup the main and satellites in the same room (eventually) all working fine.
Move the satellites to their respective locations - one of them has wired backhaul.
Watch in amazement as that particular satellite no longer appears on the 'attached devices' list, yet is somehow working, but can't be re-added to the list so I can't remotely see what its status is anymore.
Also, web firmware crashes in said satellite when you do anything other than view the initial web page - clicking on a link borks it.
Not impressed. Firmware. Seemingly written and tested by noddy.
- FURRYe38 Aug 05, 2021 Guru - Experienced User
What FW version are you actually using?
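A check for the condition reported in this thread (an open BSSID advertising the same SSID as an encrypted one, or an unconfigured guest SSID showing up), added here as an example and not posted by any participant or supplied by NETGEAR. It assumes scan results in the terse format of `nmcli -t -f SSID,BSSID,CHAN,SECURITY device wifi list`; the function names, SSIDs and BSSIDs are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample in nmcli terse format: fields are separated by ':',
# and literal colons inside a value are escaped as '\:'.
SAMPLE_SCAN = r"""
HomeNet:AA\:BB\:CC\:00\:00\:01:6:WPA2
HomeNet:AA\:BB\:CC\:00\:00\:02:44:WPA2
HomeNet:AA\:BB\:CC\:00\:00\:03:44:
Netgear-Guest:AA\:BB\:CC\:00\:00\:04:44:
Neighbour:DD\:EE\:FF\:00\:00\:09:11:WPA2 WPA3
"""

def parse_scan(text):
    """Yield (ssid, bssid, channel, security) for each well-formed line."""
    for line in text.strip().splitlines():
        # Split only on ':' that is not escaped, then unescape each field.
        fields = [f.replace("\\:", ":") for f in re.split(r"(?<!\\):", line)]
        if len(fields) != 4:
            continue  # skip lines that do not match the assumed field list
        ssid, bssid, chan, security = fields
        yield ssid, bssid.upper(), chan, security.strip()

def is_open(security):
    # An open network has an empty SECURITY field ("--" in tabular output).
    return security in ("", "--")

def audit(text, own_ssids):
    """Return findings for SSIDs that are partly or wholly unencrypted.

    MIXED: the same SSID is broadcast both open and encrypted.
    OPEN:  one of your own SSIDs (own_ssids) is broadcast open only.
    """
    seen = defaultdict(lambda: {"open": [], "enc": []})
    for ssid, bssid, chan, security in parse_scan(text):
        seen[ssid]["open" if is_open(security) else "enc"].append((bssid, chan))
    findings = []
    for ssid, group in sorted(seen.items()):
        if group["open"] and group["enc"]:
            findings.append(("MIXED", ssid, group["open"]))
        elif group["open"] and ssid in own_ssids:
            findings.append(("OPEN", ssid, group["open"]))
    return findings

if __name__ == "__main__":
    for kind, ssid, radios in audit(SAMPLE_SCAN, {"HomeNet", "Netgear-Guest"}):
        print(kind, ssid, radios)
```

A phone's network list usually collapses same-named networks into one entry, so the per-BSSID view is what exposes the open radio.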