milestog (Aspirant)
Jan 31, 2020
RBR850 Security Flaw - no password required
Typing 192.168.1.1 to access my router does not prompt for a username or password. I do not save or cache passwords. The behaviour is the same on Chrome, IE, Firefox, and Edge. The behaviour is the same regardless if I try on any computer as long as the computer is logged into my wireless network. I have confirmed on 5 different computers including computer with newly installed Windows and computers that access the network the first time. This is a major security flaw as anyone I give temporary access to can access my router. I've tried resetting the router, rebooting it, and
RESOLVED
With no help from NG support I have found the problem and the solution.
The two important details are, when the status LED is solid white and won't go out, this means the router is still not fully set up. When in this state everything functions as expected and the user will not have any operational or functional issues, including modifying setup within the GUI.
The problems are that the white LED status light stays on, and you can access the GUI from the WAN and LAN side.
The problem I found is during the setup process using the Orbi app, the last step takes you to a page where NG is trying to sell you added support. Previously I ignored this and closed out the app.
The solution is that you must make a selection, I chose no thanks. Once you make your selection the Orbi flashes the white status light and then the app moves to the next screen which states setup complete. White status light goes out as expected, and you are now prompted with a login pop up when trying to access the GUI using WAN or LAN.
Should someone experience this issue and be unable to resolve it, please PM me and I will provide more details to assist you in correcting these two issues.
Can a moderator please mark this discussion as resolved?
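A way to check for the condition described in this post, added here as an example and not code from any poster or from NETGEAR. It assumes the "login pop up" is an HTTP 401 challenge with a `WWW-Authenticate` header; the function names, verdict strings and sample responses are constructed for illustration.

```python
import sys
import urllib.error
import urllib.request

# Constructed responses for illustration, not captured from a real router.
SAMPLES = {
    "setup incomplete (page served)": (200, {"Content-Type": "text/html"}),
    "setup complete (login pop-up)": (401, {"WWW-Authenticate": 'Basic realm="admin"'}),
}

def classify(status, headers):
    """Judge the response to a request that carried no credentials."""
    names = {k.lower() for k in headers}
    if status == 401 and "www-authenticate" in names:
        return "challenged"            # browser would show the login pop-up
    if 200 <= status < 300:
        return "served-without-auth"   # confirm by hand if the GUI uses a form login
    return "inconclusive"

def probe(url, timeout=5):
    """Fetch url with no credentials, bypassing any configured proxy."""
    opener = urllib.request.build_opener(urllib.request.ProxyHandler({}))
    try:
        with opener.open(url, timeout=timeout) as resp:
            return classify(resp.status, dict(resp.headers))
    except urllib.error.HTTPError as err:   # 4xx/5xx arrive as exceptions
        return classify(err.code, dict(err.headers))
    except OSError:                         # refused, timed out, no route
        return "unreachable"

if __name__ == "__main__":
    # Pass the LAN address (the thread uses http://192.168.1.1/) and, from a
    # device outside the network, your own WAN address.
    targets = sys.argv[1:]
    if targets:
        for url in targets:
            print(url, "->", probe(url))
    else:
        for label, (status, headers) in SAMPLES.items():
            print(label, "->", classify(status, headers))
```

Run it once from the LAN and once from outside the network after finishing setup: `challenged` on the LAN and `challenged` or `unreachable` from the WAN are the healthy results, while `served-without-auth` matches the behaviour reported here.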
31 Replies
- milestog (Aspirant)
I've tried hard reset, restoring settings, changing password. Still, any computer connected to the network can access the administrative panel at 192.168.1.1
Note that my original setup was manual as my provider requires PPPOE login with VLAN ID. I read many years ago online that similar problems arose with users using manual setup. One user theorized that the setup never registered as complete allowing login with no password.
This is a serious security flaw that needs to be addressed or published to the broader community as people consider buying this product.
- Bandito (Luminary)
Have you tried contacting Netgear support? They may be able to help you with this issue.
I have reported this to Netgear support weeks ago. They have no idea as to the cause. Their solution is to return the unit to Costco and get a new one. Now that someone else has reported this, I believe this may be a FW issue. I have spent over 5 hours on the phone with level 2 support, with no resolution. My support ticket is still open since Jan 2nd. My unit had this issue from day one out of the box. Directly after setup I noticed access to GUI and the Orbi app without prompting for user name or password. You can also access the GUI from outside the network via fixed IP or Dynamic domain without entering a username or password. This is a huge security risk and Netgear should be utilizing all their resources to get this resolved.
My unit is the new Costco version model RBR840 WiFi 6 AX.
SW version 3.2.9.2_1.2.4
HUGE SECURITY FLAW
- FURRYe38 (Guru - Experienced User)
What Firmware is currently loaded?
What is the Mfr and model# of the ISP modem the NG router is connected to?
Be sure to clear out all browser caches before entering into the RBRs web page.
Clear out any saved PW profiles for the RBR in your browser.
I have not seen this issue for a while now.
milestog wrote: Typing 192.168.1.1 to access my router does not prompt for a username or password. I do not save or cache passwords. The behaviour is the same on Chrome, IE, Firefox, and Edge. The behaviour is the same regardless if I try on any computer as long as the computer is logged into my wireless network. I have confirmed on 5 different computers including computer with newly installed Windows and computers that access the network the first time. This is a major security flaw as anyone I give temporary access to can access my router. I've tried resetting the router, rebooting it, and
- Blanca_O (NETGEAR Employee Retired)
- milestog (Aspirant)
Firmware is V3.2.9.2. I tried the previous firmware as well and it didn't help.
- milestog (Aspirant)
One person suggested clearing the cache. In my original post I stated the lack of login occurs regardless of new vs existing Windows install and regardless of browser type and across all 5 computers I own. That means cache is not the issue, but for those troubleshooting note that I also clear the cache.
- FURRYe38 (Guru - Experienced User)
Any progress on this?
I've talked to others that have this system and they don't see this issue.
milestog wrote: Typing 192.168.1.1 to access my router does not prompt for a username or password. I do not save or cache passwords. The behaviour is the same on Chrome, IE, Firefox, and Edge. The behaviour is the same regardless if I try on any computer as long as the computer is logged into my wireless network. I have confirmed on 5 different computers including computer with newly installed Windows and computers that access the network the first time. This is a major security flaw as anyone I give temporary access to can access my router. I've tried resetting the router, rebooting it, and
Netgear has no idea, as they have yet to contact me. My case is still open stating awaiting next level support.
Any progress on this?
I've talked to others that have this system and they don't see this issue.
- FURRYe38 (Guru - Experienced User)
Did you send Blanca_O a private message? I believe she's trying to contact you. Keep in contact with Blanca.
mrwkbrdr wrote: Netgear has no idea, as they have yet to contact me. My case is still open stating awaiting next level support.
Any progress on this?
I've talked to others that have this system and they don't see this issue.