
Re: RBK653 Firmware Woes

SteveD_DC
Guide

RBK653 Firmware Woes

Firmware not there: RBK653 = RBR750 + 2x RBR350

 

I purchased the Netgear RBK653 kit (Router + two satellites) a year and a half ago. Two months ago, Netgear released a firmware update for the router — but not the satellites:

SteveD_DC_0-1717359053604.png

I’ve learned (the hard way!) that one should never update the router unless (1) you’ve updated the satellites first, and (2) the target firmware versions (satellite and router) are a match.

 

Since the v7.3.x.y firmware update, according to the release notes, “addresses security vulnerabilities,” that means that anyone with an RBK653 kit has been operating for almost two months with an under-patched router — and is therefore vulnerable — because Netgear has not provided a patch for a fairly recent device (which I think is irresponsible of them). 

 

Other than buying additional Netgear hardware (which I would not want to do right now), is there any alternative — or way to goose Netgear into actually supporting their recent products?

 

And recommendations would be welcome.

Message 1 of 10
schumaku
Guru

Re: RBK653 Firmware Woes

RBK653 Downloads

RBK653 — Orbi Tri-band Mesh WiFi 6 System

(1) Orbi Router (RBR750) + (2) Orbi Satellites (RBS350)

 

RBK653 Firmware Version 4.6.14.3 

...consisting of...

RBR750: https://www.downloads.netgear.com/files/GDC/RBK752/RBR750-V4.6.14.3.zip

RBS350: https://www.downloads.netgear.com/files/GDC/RBK653/RBS350-V4.6.14.3.zip

Message 2 of 10
FURRYe38
Guru

Re: RBK653 Firmware Woes

Just disable Auto update on your RBR. V7 FW is not compatible with RBS350 series units. Not sure if NG will be updating them or not. If the system works with v4 version loaded on all units, you'll need to keep v4 version on all units. You can't update the RBR to v7 or the RBS350s will no longer work.

 

Maybe later at some point if NG doesn't do anything for the 350s, find you some used 750 RBS on places like Amazon, eBay or Shopgoodwill. Get one or two 750s, then update them to v7 FW first, then the RBR lastly.

 

If you're having problems with your system, please post the details and we can help you troubleshoot them.

 

Good Luck




 

Message 3 of 10
SteveD_DC
Guide

Re: RBK653 Firmware Woes

Hi, @schumaku, thank you for trying to help.

 

The links you provided are for the firmware versions currently installed — and were released in December 2022 (a long time ago).  The current firmware for the RBR750 is 7.2.6.31 (released on April 10), which would be what I would like to use if Netgear had provided that update for the RBS350’s that came with my RBR750. Without the corresponding 7.2.6.31 for the satellites, the 7.2.6.31 update for the router should not be used. That is precisely what you posted — and precisely the problem I am asking about.

 

I wish it was that easy, but clearly it is not.

Message 4 of 10
SteveD_DC
Guide

Re: RBK653 Firmware Woes

@FURRYe38, having no problems with the system. But running out-of-date firmware on a router, especially when vulnerabilities have been identified and patched, represents a security risk. Once a firmware update is released, it is frighteningly easy for the bug(s) it fixes to be reverse engineered and exploits developed.

 

So, I am deeply troubled that it has taken this long for Netgear to get around to updating the other satellites that pair with the RBR750s. It is damn irresponsible of them. It would be one thing if the RBS350’s were five years past the point where they were being sold (and therefore end-of-life). And for there to be no indication of when the update would be available (if ever) makes me really question the wisdom of my spending hundreds of dollars on this kit less than two years ago. I’ve been a fan of Netgear for a long time, but it seems as if they don’t really care about existing customers as long as they can sell new, shiny toys to new ones.

 

Thank you for posting. If you have any sway with Netgear (you are clearly a prolific contributor to the forums, so maybe they will listen to you), please give them a poke for me.

 

Message 5 of 10
FURRYe38
Guru

Re: RBK653 Firmware Woes

What are these vulnerabilities that you refer to?

Links please. 

 

Something to check with as well:

If you are a NETGEAR customer with a security-related support concern, you can contact NETGEAR customer support at techsupport.security@netgear.com
For all other issues, visit http://www.netgear.com/about/security/

To report a security vulnerability, visit https://bugcrowd.com/netgear

 

It's up to NG to deploy fixes for issues they find or brought to them. 

Also up to NG to set EoL policy and such. The AC series is EoL as well as some AX series I see:

https://www.netgear.com/about/eos

 

Message 6 of 10
SteveD_DC
Guide

Re: RBK653 Firmware Woes

@FURRYe38, the release notes for firmware v7.2.6.31 specifically cite, "This firmware addresses security vulnerabilities," which indicates that it incorporates fixes over and above the prior firmware (v4.6.14.3) -- which makes sense since it's been almost a year and a half since the last update. But Netgear doesn't cite what is fixed; they only provide a link to the all-encompassing page that you also linked to: https://www.netgear.com/about/security.

 

I've started to wade through the many notices therein, and it is clear that there have been a LOT of programming flaws squashed in the past 18 months. So, I'm not in a position to point to specifics at this point (it's a "target rich environment"). But given that bad actors will reverse engineer an update and quickly develop an exploit shortly after firmware is released (especially for Internet-connected devices), it is very likely that they already know what was fixed (even before we do) and the vulnerability of users like me.

 

You are correct that, "It's up to NG to deploy fixes for issues they find or brought to them," and they have done so for the RBR750 -- but only for users who aren't also using them with the RBS350 that they bundled them with.

 

If the RBS350 was definitively listed for EOL, then at least I would know the way things are. But at this point, and since none of the devices released around the same time frame as the RBS350 are already listed, it is possible that the RBS350 is not EOL, but in a "zombie"/neglected state. In other words, users like me are being ignored. I'm not happy about that.

 

Thank you for techsupport.security@netgear.com. I'll contact them tonight.

 

Message 7 of 10
FURRYe38
Guru

Re: RBK653 Firmware Woes

Good Luck.

Message 8 of 10
SteveD_DC
Guide

Re: RBK653 Firmware Woes

Just to conclude this discussion. After a lot of back-and-forth with Netgear on support (initiated by contacting  techsupport.security@netgear.com as recommended by @FURRYe38), it comes down to the fact that Netgear doesn't care. They made it clear that they are no longer supporting the RBS350, and are just selling off the remaining ones before officially listing it as end-of-service. And the satellites I purchased a year and a half ago are never going to get a firmware version that will enable them to work with the current firmware for the router that they were boxed with when I purchased the RBK653 kit.

 

In other words, I'm s#!+ out of luck. I can either ditch my RBS350s (thereby allowing me to update the RBR750 to a current, security bug-fixed v7.2.6.31), buy a pair of new satellites, or get a completely different mesh routing system (not from Netgear).

 

I am very disappointed in Netgear and the disregard for the security of its customers that it has shown here. I have been a long-time user, purchased well over a dozen routers and other hardware from them, and recommended Netgear to many people. That ends with this treatment. I will stop recommending Netgear to my students, my associates, and my family. My current Orbi system is my last. And that is sad.

Message 9 of 10
FURRYe38
Guru

Re: RBK653 Firmware Woes

Understand your stance. 

Hope you find something that works better for you in the future. 

 

 

Message 10 of 10