R7000 open vulnerability with unencrypted logon

I am no expert, but not sure what you expect? Even if there were encryption, it would be the same for all users, which defeats the purpose as if it were figured out, it would work for all users. However, Encryption can use certificates, but I think you'd have to buy one, and that probably would mean everyone would have to buy one to use the router to have unique encryption.

If you worry about this, get Wireshark and look at the TCP/IP packets that are sent out when you get e-mail.

https to the router ip address

---

@duckwarewrote:

https to the router ip address

---

Does the R7000 support https access to the local Netgear Genie Web UI at all (or already)?

https://routerlogin.net (and of course http://routerlogin.net) works for me on R7800

Don't think so, I entered in Firefox https://192.168.1.1/, and this is what I get:

==========

Unable to connect

Firefox can’t establish a connection to the server at 192.168.1.1.

    The site could be temporarily unavailable or too busy. Try again in a few moments.
    If you are unable to load any pages, check your computer’s network connection.
    If your computer or network is protected by a firewall or proxy, make sure that Firefox is permitted to access the Web.

============

http://192.168.1.1 works fine. Does it work for you?

I tried https://routerlogin.net/ on Firefox and got the same error? http://routerlogin.net/ works fine? It even fails on MS Edge?

Does the OS have something to do with this? Or the F/W version? I'm on W10 V1709 and the V1.0.9.26 F/W.

@duckware, just noticed you mentioned you are on an R7800. Might work there but doesn't seem to on the R7000.

Interesting.  Time for Netgear to chime in (@JamesGL)   -- when was https support added?

---

@duckwarewrote:

... when was https support added?

---

Only selected models have got https on the LAN recently. No idea if and when older Nighthawk models will get it, too.

---

@Case850wrote:

You just have to look them up. It's just that Netgear used invisible ink to type up the release notes!

---

 Lemon juice?

Be careful what you wish for. We all know how NG handles Firmware updates, right?

I'd rather have SMB1 usage removed from the R7000 and upgraded to SMB3 for instance than this. Have you ever used something like a TCP/IP packet capture program and see how your e-mail client works? Plain text... I'd more worry about that than how one works with the router.

If your email client is sending and receiving emails unencrypted, then you only have yourself to blame (for being over a decade behind the times).  All modern email clients support encrypted communications with the server, but only if you set it up that way!

True I guess, still use POP3... I'm old fashioned...

encryption for POP3 is very common -- look for that option in your email program (google it)

---

@IrvSpwrote:

I'd rather have SMB1 usage removed from the R7000 and upgraded to SMB3 for instance than this.

---

Yes, both SMB 2.x and SMB 3.0 support, similar as already available on the R9000. Plus a WSD discovery client of course to make it visible in WIndows Explorer as a PC/Server properly.

@IrvSp wrote:

Have you ever used something like a TCP/IP packet capture program and see how your e-mail client works? Plain text... I'd more worry about that than how one works with the router.

At least the recent Netgear Nighthawk firmware implemented SMTP client does allow using SMTP submission port like 587/TCP supporting TLS automatically - I hope this applies ot the R7000, too.

Pretty sure logs in on the LAN side are only plain text log ins since it's a LAN side access. If remote management is enabled then of course HTTPS would be used using the public IP address and a pre-assinged port address. Web UI access log ins to the routers web page on the LAN side isn't needed. Unless you think someone on the LAN side is trying to gain access. 

Most router Mfrs don't use HTTPS on the web UI log in. Maybe some newer models. I have 3 new NG routers. All use HTTP to access UI for the log in. 

@schumaku, yes, the logs are sent with port 587.

I just checked my Thunderbird setting, I'm using 587 there too. Also 995 out.

I was thinking back 'many many' years when I was managing a port of the old Netscape Navigator to another OS. Was checking what was going out using a packet sniffer. I was very surprised to see my UID, PW, and message go out in plain text. Old POP3 then. I'm OK now...

Most log ins are hidden. At least the PW is when you type it in. Dots are seen, not actual characters. Usually users who are managing the router is or should be alone if there typing in PWs. 

I do see some Mfrs that have the option to hid or no hid the PW as well. It's up to the Mfr I presume to let the user choose this option. 

@FURRYe38, it does not matter if the UI does kind of hide the password field, or if there is some kind of obfuscation code in place. 

---

@SirThomaswrote:
But NG should fix this in a firmware update so that logon information is not easily seen even on LAN side.

---

We buy a product based on the product specifications on the box and the related documents like a data sheet. There is no word of a secured management interface.

@SirThomas wrote:
This is a security vulnerability, that and having to pay for product support from NG!

No, it's not a vulnerability. Well, the term "trusted network" is a commonly accepted mitigation. Making a https access and disable the http would make your "expensive" security system to shut up.

Of course, you are a happy camper at this point, too.

I'm not. Because I know that the most critical information in this "secure" connection is not secure enough: My router private key is well known. And so is the Entrust signed certificate. All similar routers out there make use of the same private key, the same certificate serial number, and the very same fingerprint.

This "green" https connection is not any better than the plain text http connection on my trusted network. But it's OK because it's my private network again. Figure.

And no - I'm not aware we pay NTGR for software maintenance, enhancements, new services, new features.

I know. I know some don't understand the HTTP vs HTTPS and password field opertion and what it all means being on the LAN side of the router and what real vulnerabilities are. 

---

@schumakuwrote:

@FURRYe38, it does not matter if the UI does kind of hide the password field, or if there is some kind of obfuscation code in place. 

---

I'm sure most of the additional apps and features are not vulnerable as they use secure connections. Just having the UI access is debatable. Most routers Mfrs don't use HTTPS for the LAN side log in. Again, they do for WAN side access. I presume Mfr could make the log in more secure. However, on a average or daily basis, usually not needed. Are there a croud hanging around you while your trying to log in or have someone with nefarious ideas of trying to hack in to your routers log in the LAN side? How often does this happen? If they wanted in, they would just reset the router and blow the configuration away, if they had physical access. 

Just saying.