AlphaBravo88 (Initiate)
Mar 14, 2016
Status:
Engineering Investigation
Modems/Routers : Add HTTPS when connecting to the NETGEAR Genie page
Hi NETGEAR,
I have recently configured a few different NETGEAR ADSL Modems/Routers, to be specific the D6400 and DGND3700v2, but both of these don't appear to support an HTTPS connection to the NETGEAR genie web page. As far as I can tell from browsing all the links and sub links, you don't even have a setting to enable this. The only reference to HTTPS in the User Manual is to enable HTTPS for remote connections from the Internet (Manage the Modem Router Remotely, Page 244).
Would NETGEAR look at integrating this in the next firmware release to improve security on your device?
Thank you in advance for taking the time to respond to my question, it is most appreciated.
Regards
55 Comments
- schumaku (Guru - Experienced User)
CyberTri these will also sniff for https and the many known certificates and shared private keys on such consumer devices. A little bit unclear where and how these will manage to get into the data path however - so often as some security analysts want us to believe this. Yes, WPA2-AES might be cracked, too.
"But i had a https session to my router." Yeah, if you want to believe...
Oh and the wireless Mesh backhaul was so convenient, too....
Look, if bad guys want something from your organisations they will either seek for physical access, or abuse the poor security awareness of the users on your network anyway. Much easier, much less expensive, much less effort.
But hey, of course I do agree with you!
- CyberTri (Apprentice)
You obviously don't get how man in the middle and malware snooping for plain text works.
- schumaku (Guru - Experienced User)
mdlockwood understand your frustration in a way.
mdlockwood wrote: It only supports http for local administration (with no way to disable)
In absence of https a little bit difficult to be without a management access, isn't it?
mdlockwood wrote: and can not limit to "wired" connections.
Unless you use an open wireless, when using WPA2-PSK the connection is AES encrypted isn't it? Nobody will see the content of your wireless, including credentials.
mdlockwood wrote: In addition, it proudly displays my credentials in plain text on the http rendered interface (wireless setup page).
Not without a password authorisation. More and more routers offer home assistant features allowing to query the WiFi password, apps show wireless details as QR code and in plain text. This is called convenience.
- michaelkenward (Guru - Experienced User)
Under what scenario can someone from outside your local network get into the Netgear genie web page? And under what circumstances can someone on the local network break in uninvited?
This issue keeps coming up, but as yet no one has provided a convincing explanation of why this leaves them open to attack.
More important, no one has reported a case of being attacked in this way.
Congratulations on finding, and using the desktop genie. Netgear is doing its best to deter people from using this valuable tool. It has certainly stopped providing updates.
- CyberTri (Apprentice)
I'm guessing it's intentional. Probably a way for backdoor access when any 3 letter comes asking. Netgear sells you out pronto.
- DangerousDan (Aspirant)
Yes, it does. That's why I've relegated mine to being an access point and have installed a generic box (Protectli Vault 4 Port, Firewall Micro Appliance/Mini PC - Intel Quad Core) running OPNsense firewall. OPNsense is open source, has regular updates and there was only one small fee to get regular Suricata intrusion detection updates.
- mdlockwood (Novice)
I just purchased the Netgear Nighthawk AC1900 R7000 and couldn't figure out why I couldn't connect to the router over https. It only supports http for local administration (with no way to disable), and can not limit to "wired" connections. In addition, it proudly displays my credentials in plain text on the http rendered interface (wireless setup page). Thank goodness for return policies.
The router came with firmware 1.0.9.88_10.2.88. The setup wizard was a good experience, telling me there was no firmware update available, which was a lie (the router automatically updates by default). I was able to update to 1.0.11.100_10.2.100 hoping it would have some additional features. No luck.
Considering this thread was opened 4 years ago, I guess that tells us about their stance on security.
- wellokthen (Novice)
Just bought my first Netgear router for over $400 and I was shocked to discover that it is not even an advanced option to enable HTTPS for the LAN admin interface. Every other router I've used over the years has supported this.
- CyberTri (Apprentice)
Wow. Want to see what direction Netgear is going in? I bought the RAX80 AX newest router (which by power and range is actually quite good) and have now found out that it only works when UPnP is enabled!
Yep. I haven't had that garbage turned on for years and it's a confirmed bug now in multiple firmwares.
Check out my new post which details why UPnP is so dangerous.
- NGF (Aspirant)
We need an https in our device, for what we already paid!