
Nighthawk RAX45 Security vulnerability, need ways to revoke OpenVPN client certificate

dididahdit
Follower


The VPN service (based on OpenVPN) relies solely on a client certificate and its private key files to be stored on a PC or smartphone for authentication. There is no user ID/password credential checking. If the client certificate and the associated private key files are compromised (for example, if the laptop is stolen and its hard drive is not encrypted, the client certificate and key files can be very easily extracted), your internal network can be accessed maliciously via this VPN service. Once you detect your laptop is stolen, there is nothing you can do to revoke the compromised certificate. The only solution is to shut down the VPN service at the expense of inconvenience to other VPN users whose client certificates are still valid. The other workaround is to use the Access Control to require approval of every new device in the network to mitigate the problem, but it's a huge inconvenience.

 

In the OpenVPN implementation, there is a way to revoke the compromised client certificate as well as an additional module to enforce user ID/password. It's that the implementation on the Netgear Nighthawk does not expose this critical feature.

 

Has anyone using the VPN service come to the same conclusion?   How do I escalate this issue to the product manager?

Message 1 of 3
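
The revocation and user ID/password features the post above refers to, as they appear on a self-managed stock OpenVPN 2.x server. This is an added example, not part of any post in this thread and not the router's own configuration; the file paths, the plugin location and the client name `laptop1` are constructed placeholders.

```conf
# Stock OpenVPN 2.x server directives (added example, not Netgear firmware config).
# All paths and the client name "laptop1" are placeholders.

# --- Certificate-only authentication (the situation described in the post) ---
ca   /etc/openvpn/server/ca.crt
cert /etc/openvpn/server/server.crt
key  /etc/openvpn/server/server.key
# With only these lines, any client certificate signed by ca.crt is accepted
# until it expires, including one copied from a stolen laptop.

# --- Revocation: reject certificates listed in a CRL ---
# On the CA host (easy-rsa 3):
#   ./easyrsa revoke laptop1     # mark that client's certificate as revoked
#   ./easyrsa gen-crl            # writes pki/crl.pem
# Copy pki/crl.pem to the server and point OpenVPN at it:
crl-verify /etc/openvpn/server/crl.pem
# The CRL file is read each time a peer connects, so replacing the file is
# enough to lock out the revoked certificate; other clients are unaffected.
# A CRL carries its own expiry date, so regenerate it before it lapses.

# --- Username/password in addition to the certificate ---
# The PAM plugin ships with OpenVPN; its install path varies by distribution.
plugin /usr/lib/openvpn/plugins/openvpn-plugin-auth-pam.so login
# Each client profile then also needs the directive:
#   auth-user-pass
# The certificate is still required, so a stolen key file alone no longer
# grants access, and a password alone does not either.
```
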
FURRYe38
Guru

Re: Nighthawk RAX45 Security vulnerability, need ways to revoke OpenVPN client certificate

Contact a forum moderator to see if they can help with this:

@DarrenM 

Message 2 of 3
nettleeen
Initiate

Re: Nighthawk RAX45 Security vulnerability, need ways to revoke OpenVPN client certificate

I recently purchased an RAX70 and was surprised to discover the same issues. When I searched for a solution I discovered the problem has been around for years. I'm returning my router and I'd suggest anyone with the same issue do the same. If Netgear haven't fixed this lazy implementation by now they never will.
Message 3 of 3