RBK653 Firmware Woes

Question

Firmware not there: RBK653 = RBR750 + 2x RBR350

I purchased the Netgear RBK653 kit (Router + two satellites) a year and a half ago. Two months ago, Netgear released a firmware update for the router — but not the satellites:

I’ve learned (the hard way!) that one should never update the router unless (1) you’ve updated the satellites first, and (2) the target firmware versions (satellite and router) are a match.

Since the v7.3.x.y firmware update, according to the release notes, “addresses security vulnerabilities,” that means that anyone with an RBK653 kit has been operating for almost two months with an under-patched router — and is therefore vulnerable — because Netgear has not provided a patch for a fairly recent device (which I think is irresponsible of them).

Other than buying additional Netgear hardware (which I would not want to do right now), is there any alternative — or way to goose Netgear into actually supporting their recent products?

And recommendations would be welcome.

FURRYe38 · Answer

Just disable Auto update on your RBR. V7 FW is not compatible with RBS350 series units. Not sure if NG will be updating them or not. If the system works with v4 version loaded on all units, you'll need to keep v4 version on all units. You can't update the RBR to v7 or the RBS350s will no longer work.
&nbsp;
Maybe later at some point if NG doesn't do anything for the 350s, find you some used 750 RBS on places like Amazon, Ebay or Shopgoodwill. Get one or two 750s then update them to v7 FW first the the RBR lastly.
&nbsp;
If your having problems with your system, please post the details and we can help you trouble shoot them.&nbsp;
&nbsp;
Good Luck
SteveD_DC&nbsp;wrote:
Firmware not there: RBK653 = RBR750 + 2x RBR350
&nbsp;
I purchased the Netgear RBK653 kit (Router + two satellites) a year and a half ago. Two months ago, Netgear released a firmware update for the router — but not the satellites:

I’ve learned (the hard way!) that one should never update the router unless (1) you’ve updated the satellites first, and (2) the target firmware versions (satellite and router) are a match.
&nbsp;
Since the v7.3.x.y firmware update, according to the release notes, “addresses security vulnerabilities,” that means that anyone with an RBK653 kit has been operating for almost two months with an under-patched router — and is therefore vulnerable — because Netgear has not provided a patch for a fairly recent device (which I think is irresponsible of them).&nbsp;
&nbsp;
Other than buying additional Netgear hardware (which I would not want to do right now), is there any alternative — or way to goose Netgear into actually supporting their recent products?
&nbsp;
And recommendations would be welcome.

&nbsp;

SteveD_DC · Answer

FURRYe38, having no problems with the system. But running out-of-date firmware on a router, especially when vulnerabilities have been identified and patched, represents a security risk. Once a firmware update is released, it is frighteningly easy for the bug(s) it fixes to be reverse engineered and exploits developed.

So, I am deeply troubled that it has taken this long for Netgear to get around to updating the other satellites that pair with the RBR750s. It is damn irresponsible of them. It would be one thing if the RBS350’s were five years past the point where they were being sold (and therefore end-of-life). And for there to be no indication of when the update would be available (if ever) makes me really question the wisdom of my spending hundreds of dollars on this kit less than two years ago. I’ve been a fan of Netgear for a long time, but it seems as if they don’t really care about existing customers as long as they can sell new, shiny toys to new ones.

Thank you for posting. If you have any sway with Netgear (you are clearly a prolific contributor to the forums, so maybe they will listen to you), please give them a poke for me.

FURRYe38 · Answer

What are these vulnerabilities that you refer too?&nbsp;
Links please.&nbsp;
&nbsp;
Something to check with as well:
If you are a NETGEAR customer with a security-related support concern, you can contact NETGEAR customer support at techsupport.security@netgear.comFor all other issues, visit http://www.netgear.com/about/security/
To report a security vulnerability, visit https://bugcrowd.com/netgear
&nbsp;
It's up to NG to deploy fixes for issues they find or brought to them.&nbsp;
Also up to NG to set EoL policy and such. The AC series is EoL as well as some AX series I see:
https://www.netgear.com/about/eos
&nbsp;

SteveD_DC · Answer

FURRYe38, the release notes for firmware v7.2.6.31 specifically cites, "This firmware addresses security vulnerabilities," which indicates that it incorporates fixes over and above the prior firmware (v4.6.14.3) -- which makes sense since it's been almost a year and a half since the last update. &nbsp;But Netgear doesn't cite what is fixed; they only provide a link to the all-encompassing page that you also linked to: &nbsp;https://www.netgear.com/about/security.&nbsp;I've started to wade through the many notices therein, and it is clear that there have been a LOT of programming flaws squashed in the past 18 months. So, I'm not in a position to point to specifics at this point (it's a "target rich environment"). But given that bad actors will reverse engineer an update and quickly develop an exploit shortly after firmware is released (especially for Internet-connected devices), it is very likely that&nbsp;they already know what was fixed (even before we do) and the vulnerability of users like me.&nbsp;You are correct that, "It's up to NG to deploy fixes for issues they find or brought to them," and they have done so for the RBR750 -- but only for users who aren't also using them with the RBS350 that they bundled them with.&nbsp;If the RBS350 was definitively listed for EOL, then at least I would know the way things are. But at this point, and since none of the devices released around the time frame that the RBS350 are already listed, it is possible that the RBS350 is not EOL, but in a "zombie"/neglected state. &nbsp;In other words, users like me are being ignored. I'm not happy about that. &nbsp;&nbsp;Thank you for&nbsp;techsupport.security@netgear.com. I'll contact them tonight.&nbsp;

schumaku · Answer

RBK653 Downloads
RBK653 — Orbi Tri-band Mesh WiFi 6 System
(1) Orbi Router (RBR750) + (2) Orbi Satellites (RBS350)
&nbsp;
RBK653 Firmware Version 4.6.14.3&nbsp;
...consisting of...
RBR750:https://www.downloads.netgear.com/files/GDC/RBK752/RBR750-V4.6.14.3.zip
RBS350:&nbsp;https://www.downloads.netgear.com/files/GDC/RBK653/RBS350-V4.6.14.3.zip

Forum Discussion

RBK653 Firmware Woes

9 Replies