NETGEAR is aware of a growing number of phone and online scams. To learn how to stay safe click here.

Forum Discussion

milestog's avatar
milestog
Aspirant
Jan 31, 2020
Solved

RBR850 Security Flaw - no password required

Typing 192.168.1.1 to access my router does not prompt for a username or password.  I do not save or cache passwords.  The behaviour is the same on Chrome, IE, Firefox, and Edge.  The behaviour is the same regrdless if I try on any compter as long as the computer is logged into my wireless network.  I have confirmed on 5 different computers including computer with newly installed Windows and computers that access the network the first time.  This is a major security flaw as anyone I give temporary access to can access my router.  Ive, tried resetting the router, rebooting it, and 

  • RESOLVED

     

    With no help from NG support I have found the problem and the solution.

    The two important details are, when the status led is solid white and won't go out, this means the router is still not fully setup. When in this state everything functions as expected and the user will not have any operational or functional issues, including modifying setup within the GUI.

     

    The problems are that the white led status light stays on, and you can acccess the GUI from the WAN and LAN side.

     

    The problem I found is during the setup process using the Orbi app, the last step takes you to a page where NG is trying to sell you added support. Previously I ignored this and closed out the app.

     

    The solution is that you must make a selection, I chose no thanks. Once you make your selection the Orbi flashes the white status light and then the app moves to the next screen which states setup complete. White status light goes out as expected, and you are now prompted with a login pop up when trying to access the GUI using WAN or LAN.

     

    Should someone experience this issue and are unable to resolve, please pm me and I will provide more details to assist you in correcting these two issues.

     

    Can a moderator please mark this discussion as resolved.

31 Replies

  • I've tried hard reset, restoring settings, changing password.  Strill, any computer connected to the network can access the administrative panel at 192.168.1.1

     

    Note that my original setup was manual as my provider requires PPPOE login with VLAN ID.  I read many years ago online that similiar problems arose with users using manual setup.  One user theorized that the setup never registered as complete allowing login with no password.

     

    This is a serious security flaw that needs to be addressed or published to the broader community as people consider buying thios product.

    • Bandito's avatar
      Bandito
      Luminary

      Have you tried contacting Netgear support?  They may be able to help you with this issue.

      • mrwkbrdr's avatar
        mrwkbrdr
        Star

        I have reported this to netgear support weeks ago. They have no idea as to the cause. Their solution is to return the unit to Costco and get a new one. Now that someone else has reported this. I believe this may be a FW issue. I have spent over 5 hours on the phone with level 2 support, with no resolution. My support ticket is still open since Jan 2nd. My unit had this issue from day one out of the box. Directly after setup I noticed access to GUI and the Orbi app without prompting for user name or password. You can also access the GUI from outside the network via fixed IP or Dynamic domain without entering a username or password. This is a huge security risk and nergear should be utilizing all their resources to get this resolved.

         

        My unit is the new Costco version model RBR840 WiFi 6 AX.

        SW version 3.2.9.2_1.2.4

         

         

        HUGE SECURITY FLAW

  • FURRYe38's avatar
    FURRYe38
    Guru - Experienced User

    What Firmware is currently loaded?
    What is the Mfr and model# of the ISP modem the NG router is connected too?

     

    Be Sure to clear out all browser caches before entering into the RBRs web page. 

    Clear out any saved PW profiles for the RBR in your browser. 

     

    I have not seen this issue for a while now. 


    milestog wrote:

    Typing 192.168.1.1 to access my router does not prompt for a username or password.  I do not save or cache passwords.  The behaviour is the same on Chrome, IE, Firefox, and Edge.  The behaviour is the same regrdless if I try on any compter as long as the computer is logged into my wireless network.  I have confirmed on 5 different computers including computer with newly installed Windows and computers that access the network the first time.  This is a major security flaw as anyone I give temporary access to can access my router.  Ive, tried resetting the router, rebooting it, and 


     

  • Blanca_O's avatar
    Blanca_O
    NETGEAR Employee Retired

    Hi milestog

    May I please know the current firmware version? Have you tried different firmware version? 

     

    Hi mrwkbrdr

    Please send me a private message with the support case number by clicking on this link

     

    Regards,
    Blanca
    Community Team

    • milestog's avatar
      milestog
      Aspirant

      firmware is V3.2.9.2  I tried the previous firmware as well and it didn't help.

      • milestog's avatar
        milestog
        Aspirant

        One person suggested clearing the cache.  In my original post I stated the lack of login occurs regardless of new vs existing windows install and regardless of browser type and across all 5 computers I own.  That means cache is not the issue but for those troubleshooting note that I also clear the cache also.  

  • FURRYe38's avatar
    FURRYe38
    Guru - Experienced User

    Any progress on this? 

    I've talked to others that have this system and they don't see this issue. 


    milestog wrote:

    Typing 192.168.1.1 to access my router does not prompt for a username or password.  I do not save or cache passwords.  The behaviour is the same on Chrome, IE, Firefox, and Edge.  The behaviour is the same regrdless if I try on any compter as long as the computer is logged into my wireless network.  I have confirmed on 5 different computers including computer with newly installed Windows and computers that access the network the first time.  This is a major security flaw as anyone I give temporary access to can access my router.  Ive, tried resetting the router, rebooting it, and 


     

    • mrwkbrdr's avatar
      mrwkbrdr
      Star

      Netgear has no idea, as they have yet to contact me. My case is still open stating awaiting next level support.

       

      Any progress on this? 

      I've talked to others that have this system and they don't see this issue. 

      • FURRYe38's avatar
        FURRYe38
        Guru - Experienced User

        Did you send Blanca_O a private message? I believe she's trying to contact you. Keep in contact with Blanca.

         


        mrwkbrdr wrote:

        Netgear has no idea, as they have yet to contact me. My case is still open stating awaiting next level support.

         

        Any progress on this? 

        I've talked to others that have this system and they don't see this issue.