SteveD_DC
Jun 02, 2024 | Guide
RBK653 Firmware Woes
Firmware not there: RBK653 = RBR750 + 2x RBR350 I purchased the Netgear RBK653 kit (Router + two satellites) a year and a half ago. Two months ago, Netgear released a firmware update for the rout...
SteveD_DC
Jun 02, 2024 | Guide
FURRYe38, having no problems with the system. But running out-of-date firmware on a router, especially when vulnerabilities have been identified and patched, represents a security risk. Once a firmware update is released, it is frighteningly easy for the bug(s) it fixes to be reverse engineered and exploits developed.
So, I am deeply troubled that it has taken this long for Netgear to get around to updating the other satellites that pair with the RBR750s. It is damn irresponsible of them. It would be one thing if the RBS350s were five years past the point where they were being sold (and therefore end-of-life). And for there to be no indication of when the update would be available (if ever) makes me really question the wisdom of my spending hundreds of dollars on this kit less than two years ago. I’ve been a fan of Netgear for a long time, but it seems as if they don’t really care about existing customers as long as they can sell new, shiny toys to new ones.
Thank you for posting. If you have any sway with Netgear (you are clearly a prolific contributor to the forums, so maybe they will listen to you), please give them a poke for me.
FURRYe38
Jun 02, 2024 | Guru - Experienced User
What are these vulnerabilities that you refer to?
Links please.
Something to check with as well:
If you are a NETGEAR customer with a security-related support concern, you can contact NETGEAR customer support at techsupport.security@netgear.com
For all other issues, visit http://www.netgear.com/about/security/
To report a security vulnerability, visit https://bugcrowd.com/netgear
It's up to NG to deploy fixes for issues they find or brought to them.
Also up to NG to set EoL policy and such. The AC series is EoL as well as some AX series I see:
https://www.netgear.com/about/eos
- SteveD_DC | Jun 02, 2024 | Guide
FURRYe38, the release notes for firmware v7.2.6.31 specifically cite, "This firmware addresses security vulnerabilities," which indicates that it incorporates fixes over and above the prior firmware (v4.6.14.3) -- which makes sense since it's been almost a year and a half since the last update. But Netgear doesn't cite what is fixed; they only provide a link to the all-encompassing page that you also linked to: https://www.netgear.com/about/security.
I've started to wade through the many notices therein, and it is clear that there have been a LOT of programming flaws squashed in the past 18 months. So, I'm not in a position to point to specifics at this point (it's a "target rich environment"). But given that bad actors will reverse engineer an update and quickly develop an exploit shortly after firmware is released (especially for Internet-connected devices), it is very likely that they already know what was fixed (even before we do) and the vulnerability of users like me.
You are correct that, "It's up to NG to deploy fixes for issues they find or brought to them," and they have done so for the RBR750 -- but only for users who aren't also using them with the RBS350 that they bundled them with.
If the RBS350 was definitively listed for EOL, then at least I would know the way things are. But at this point, and since none of the devices released around the time frame that the RBS350 was are already listed, it is possible that the RBS350 is not EOL, but in a "zombie"/neglected state. In other words, users like me are being ignored. I'm not happy about that.
Thank you for techsupport.security@netgear.com. I'll contact them tonight.
- FURRYe38 | Jun 02, 2024 | Guru - Experienced User
Good Luck.
- SteveD_DC | Jun 28, 2024 | Guide
Just to conclude this discussion. After a lot of back-and-forth with Netgear on support (initiated by contacting techsupport.security@netgear.com as recommended by FURRYe38), it comes down to the fact that Netgear doesn't care. They made it clear that they are no longer supporting the RBS350, and are just selling off the remaining ones before officially listing it as end-of-service. And the satellites I purchased a year and a half ago are never going to get a firmware version that will enable them to work with the current firmware for the router that they were boxed with when I purchased the RBK653 kit.
In other words, I'm s#!+ out of luck. I can either ditch my RBS350s (thereby allowing me to update the RBR750 to a current, security bug-fixed v7.2.6.31), buy a pair of new satellites, or get a completely different mesh routing system (not from Netgear).
I am very disappointed in Netgear and the disregard for the security of its customers that it has shown here. I have been a long-time user, purchased well over a dozen routers and other hardware from them, and recommended Netgear to many people. That ends with this treatment. I will stop recommending Netgear to my students, my associates, and my family. My current Orbi system is my last. And that is sad.