Reply

WARNING: Do not use Netgear VPN - Security Vulnerability

xantari
Star

WARNING: Do not use Netgear VPN - Security Vulnerability

All,

The VPN server in Netgear routers uses a static certificate. Meaning if you own one you can get on other peoples private networks if you have a netgear nighthawk of your own. Just setup the VPN and then change the IP address of the configuration file and point it to another VPN.

Voila, you are on someone elses internal network!

See here for more information: http://forum1.netgear.com/showthread.php?t=92130&highlight=VPN+password

Obviously netgear should be doing the following things to secure their implementation of VPN:

1. Build random certificates.
2. Provide a way to setup username/passwords

Having just a certificate as a means of authentication is only 1-factor authentication.

Anyone who has any sense of security knows that 2-factor security is better, meaning they NEED to implement username/passwords in order for OpenVPN to connect.

If you are using Netgear stock firmware, reflash to something more secure such as DD-WRT. The netgear engineers really botched this one.

Message 1 of 2
xantari
Star

Re: WARNING: Do not use Netgear VPN - Security Vulnerability

Disregard. I compared the certificates between the two R7000's I have and they are generated unique per router.

However, the security concern regarding missing username/passwords is still present.

Without username/password this VPN implementation is only 1-factor authentication. If you loose your key (lost laptop / computer, hacked laptop/computer, etc) then you are compromised.

Atleast with 2-factor they would also have to get your password in addition to the keys.

Someday netgear may get the hint... Until then, DD-WRT is the way to go.
Message 2 of 2
Top Contributors
Discussion stats
  • 1 reply
  • 7678 views
  • 1 kudo
  • 1 in conversation
Announcements

Orbi WiFi 6E