

Feb 18, 2018
Solved

R7000 open vulnerability with unencrypted logon

The R7000 seems to accept unencrypted (plain text) logins? This also shows up as a vulnerability notification for anyone running Bitdefender Box scanning the router. When logging into the router there is no encryption, either on the LAN or from remote, when editing router functions from the IP address (Genie not used); other routers have certificate or HTTPS abilities when logging into the router. Why?

Running the latest firmware, 1.0.9.26, but it is the same on older versions.

  • Well, maybe something NG will look at. Would be up to them to make changes. I presume some of this would be customer or how many instances of bad experiences with this issue. Haven't seen a ton of issues where people are abusing this issue. May not be something to worry too much about, since this has been the norm regarding the UI for a long time. Up to the Mfrs though. 

29 Replies

  • I am no expert, but not sure what you expect? Even if there were encryption, it would be the same for all users, which defeats the purpose, as if it were figured out, it would work for all users. However, encryption can use certificates, but I think you'd have to buy one, and that probably would mean everyone would have to buy one to use the router to have unique encryption.


    If you worry about this, get Wireshark and look at the TCP/IP packets that are sent out when you get e-mail.

  • FURRYe38
    Guru - Experienced User

    Pretty sure logins on the LAN side are only plain text logins, since it's LAN side access. If remote management is enabled then of course HTTPS would be used, using the public IP address and a pre-assigned port. HTTPS for web UI logins to the router's web page on the LAN side isn't needed. Unless you think someone on the LAN side is trying to gain access. 


    Most router Mfrs don't use HTTPS on the web UI login. Maybe some newer models. I have 3 new NG routers. All use HTTP to access the UI for the login. 

    • SirThomas
      Tutor
      True. But NG should fix this in a firmware update so that logon information is not easily seen even on the LAN side. This is a security vulnerability; that, and having to pay for product support from NG!
      • FURRYe38
        Guru - Experienced User

        Most logins are hidden. At least the PW is when you type it in. Dots are seen, not the actual characters. Usually users who are managing the router are, or should be, alone if they're typing in PWs. 


        I do see some Mfrs that have the option to hide or not hide the PW as well. It's up to the Mfr, I presume, to let the user choose this option.
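The thread turns on one point: when the admin page is served over plain HTTP, the credentials cross the LAN in a form anyone capturing traffic (for example with Wireshark, as suggested above) can read back directly, regardless of whether the browser masks the password field with dots. The following is an added example, not code from NETGEAR or from any poster in this thread, showing what such a sniffer recovers. The captured requests are constructed samples with a hypothetical router address, paths, field names and credentials; they are not taken from a real R7000. The first sample uses HTTP Basic authentication, the second a form POST, and the third is the start of a TLS record, standing in for an HTTPS login where the capture yields nothing usable.

```python
import base64
from urllib.parse import parse_qs

# Constructed samples of TCP payloads a LAN sniffer might capture during a
# router admin login. Host, paths, field names and credentials are hypothetical.
CAPTURED_BASIC = (
    b"GET /start.htm HTTP/1.1\r\n"
    b"Host: 192.168.1.1\r\n"
    b"Authorization: Basic YWRtaW46aHVudGVyMg==\r\n"   # base64("admin:hunter2")
    b"User-Agent: Mozilla/5.0\r\n"
    b"\r\n"
)

CAPTURED_FORM = (
    b"POST /login.cgi HTTP/1.1\r\n"
    b"Host: 192.168.1.1\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: 31\r\n"
    b"\r\n"
    b"username=admin&password=hunter2"
)

# First bytes of a TLS ClientHello record: what an HTTPS login looks like on
# the wire. Nothing here is parseable as HTTP, so nothing can be recovered.
CAPTURED_TLS = b"\x16\x03\x01\x00\xc4\x01\x00\x00\xc0\x03\x03" + b"\x00" * 32

HTTP_METHODS = (b"GET ", b"POST ", b"PUT ", b"HEAD ")

# Form field names a login page commonly uses; hypothetical, not the router's.
USER_FIELDS = ("username", "user", "login")
PASS_FIELDS = ("password", "passwd", "pass")


def looks_like_http(payload: bytes) -> bool:
    """True if the payload starts like a cleartext HTTP request line."""
    return payload.startswith(HTTP_METHODS)


def extract_credentials(payload: bytes):
    """Return (mechanism, username, password) if the payload carries a
    cleartext credential that a passive sniffer could read, else None."""
    if not looks_like_http(payload):
        return None
    head, _, body = payload.partition(b"\r\n\r\n")
    header_lines = head.decode("latin-1").split("\r\n")[1:]
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()

    # Case 1: HTTP Basic auth is just base64, which is encoding, not encryption.
    auth = headers.get("authorization", "")
    if auth.lower().startswith("basic "):
        try:
            decoded = base64.b64decode(auth[6:], validate=True).decode("utf-8")
        except (ValueError, UnicodeDecodeError):
            return None
        user, _, password = decoded.partition(":")
        return ("basic-auth", user, password)

    # Case 2: an HTML login form POSTs the fields URL-encoded in the body.
    if headers.get("content-type", "").startswith("application/x-www-form-urlencoded"):
        fields = parse_qs(body.decode("latin-1"))
        user = next((fields[k][0] for k in USER_FIELDS if k in fields), None)
        password = next((fields[k][0] for k in PASS_FIELDS if k in fields), None)
        if user is not None and password is not None:
            return ("form-post", user, password)
    return None


def scan(payloads):
    """Run extract_credentials over captured payloads; return the findings."""
    return [hit for hit in (extract_credentials(p) for p in payloads) if hit]


if __name__ == "__main__":
    for mechanism, user, password in scan([CAPTURED_BASIC, CAPTURED_FORM, CAPTURED_TLS]):
        print(f"{mechanism}: {user} / {password}")
```

Only the two HTTP samples produce a finding; the TLS sample yields nothing, which is the whole difference between the HTTP admin page on the LAN side and the HTTPS remote-management path discussed above. The dots a browser shows in the password box protect against someone looking over your shoulder, not against someone on the same network segment reading the packets.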