Forum Discussion
thelemonkid
Jan 04, 2018 Luminary
meltdown and spectre
Which security consequences do the 'Meltdown' and 'Spectre' bugs have for my router?
IrvSp
Jan 06, 2018 Master
Those threats use a specific trait, that is 'Speculative Execution', which basically means that to speed up processing, the CPU will get data it thinks you will ask for before you ask for it. In theory I guess if you ask for your USERID, let's say, to log into the router, the CPU will put into memory your PASSWORD as well. Using a program that can read this part of memory will allow it to see the stream of data that would go out. Some will not be used, some might, but the possibility of capturing your personal data exists in theory. See https://arstechnica.com/gadgets/2018/01/meltdown-and-spectre-heres-what-intel-apple-microsoft-others-are-doing-about-it/. These have never been verified as a living real threat yet either.
The router probably doesn't have a true CPU but a special chip that has one function only, that is to run the router. Doesn't mean it couldn't have the problem, but only Netgear or some other investigator would know. Basically it seems a computer that can run applications seems to be vulnerable.
Today Symantec sent me e-mail (I use Norton Security Suite) with this link, https://www.symantec.com/blogs/threat-intelligence/meltdown-spectre-cpu-bugs?om_em_cid=hho_email_US_BLST_ACT_RR_2018_01_Meltdown, that you might want to read.
Could it happen in the router? I don't know, but my guess is no, as it doesn't have any data to read; it just passes on what comes in to the proper device. There are other ways to capture TCP/IP packets that exist. I could be wrong though; again, Netgear should be able to answer this as they know what the processor chip can do in the router.
Diggie3
Jan 06, 2018 Luminary
The attacks both require running code on the router. Your router doesn't execute data that it is transporting. The web console code is all built in to the router so it's safe. The genie app I think loads the web console code but not 100% sure since I've never used it.
If you could get code to run on the router then if the router's processor performed unrestricted speculative execution the attack would be feasible, but you have to get code running on it first. Now, it _is_ possible to run code on the Nighthawk if you can authenticate to it. It's also possible a different exploit could be used to get code running on it, and that would be the primary vulnerability. For example, if you could feed some code to the web console server and trick it into running it then that would be a problem. But you aren't going to get Meltdown and Spectre working absent some other vulnerability (which almost certainly exists, but there's a good chance you don't even need Spectre or Meltdown in that case).
Basically, it's not that you shouldn't care, but care more about vulnerabilities that let malicious code run on the router in the first place.
NB: There do exist attacks against things like SSL that are dependent on observing timing or manipulating data from an outsider's perspective that could e.g. leak information about keys etc. Those are not what we're discussing here.
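Added example, not part of any post in this thread: on a Linux-based device where you already have an authenticated shell (an assumption; most consumer router firmware does not offer one), the kernel itself reports whether the processor is affected by Meltdown and Spectre and whether a mitigation is active. The function names and the sample directory below are hypothetical and constructed for illustration.

```shell
#!/bin/sh
# Linux 4.15 and later (plus stable backports) expose one file per issue in
# this sysfs directory; older kernels, common in router firmware, have none.
VULN_DIR_DEFAULT=/sys/devices/system/cpu/vulnerabilities

# classify_line TEXT -> not_affected | mitigated | vulnerable | unknown
classify_line() {
    case "$1" in
        "Not affected"*) echo not_affected ;;
        "Mitigation:"*)  echo mitigated ;;
        "Vulnerable"*)   echo vulnerable ;;
        *)               echo unknown ;;
    esac
}

# report_cpu_vulns [DIR] -> prints "name status" per issue; returns 1 if any
# issue is vulnerable or cannot be determined.
report_cpu_vulns() {
    dir=${1:-$VULN_DIR_DEFAULT}
    rc=0
    for name in meltdown spectre_v1 spectre_v2; do
        if [ -r "$dir/$name" ]; then
            status=$(classify_line "$(head -n 1 "$dir/$name")")
        else
            status=unknown   # kernel too old to report, or file not readable
        fi
        echo "$name $status"
        case "$status" in vulnerable|unknown) rc=1 ;; esac
    done
    return $rc
}

# Constructed sample directory so the example runs on any machine.
make_sample() {
    d=$(mktemp -d)
    echo "Not affected" > "$d/meltdown"
    echo "Mitigation: __user pointer sanitization" > "$d/spectre_v1"
    echo "Vulnerable" > "$d/spectre_v2"
    echo "$d"
}

sample=$(make_sample)
report_cpu_vulns "$sample" || echo "action needed: check for a firmware/kernel update"
rm -rf "$sample"
```

Calling `report_cpu_vulns` with no argument reads the live sysfs directory; an `unknown` result on old firmware means the kernel cannot say, not that the device is safe.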