
Is a Factory Reset Sufficient to Resolve Suspected System Compromise?

elmnoise
Aspirant


My question: I'm concerned that my Orbi was compromised/hacked. If I do a factory reset, is that "sufficient" to resolve a security incident? My gut is to throw the devices out because I don't know enough about the system architecture (i.e. is it susceptible to a rootkit, etc.).

Background: I have an RBR50 and 2 RBS50s. All were on 2.4.x firmware. Yesterday morning I started getting "Access Control" errors when accessing any Internet address. The same issue occurred from multiple devices. I logged into the RBR50 admin panel to check the Access Control page. Over half of my devices were flagged as blocked. I had never seen this issue before, and had never set up any Access Control policies. That was my first time logging into the Admin panel in several months, and nobody else in my house has the login. I disconnected the RBR50 from the AT&T gateway, and manually applied the 2.7.5.4 firmware update. After reboot everything worked.

Message 1 of 8
FURRYe38
Guru

Re: Is a Factory Reset Sufficient to Resolve Suspected System Compromise?

Yes.

Your ISP Modem already has a built-in router and wifi. This would be a double NAT (two router) condition which isn't recommended. https://kb.netgear.com/30186/What-is-Double-NAT
https://kb.netgear.com/30187/How-to-fix-issues-with-Double-NAT
Couple of options,
1. Configure the modem for transparent bridge or modem only mode. Then use the Orbi router in router mode. You'll need to contact the ISP for help and information in regards to the modem being bridged correctly.
2. If you can't bridge the modem, disable ALL wifi radios on the modem, configure the modem's DMZ/ExposedHost or IP Pass-Through for the IP address the Orbi router gets from the modem. Then you can use the Orbi router in Router mode.
3. Or disable all wifi radios on the modem and connect the Orbi router to the modem, configure AP mode on the Orbi router. https://kb.netgear.com/31218/How-do-I-configure-my-Orbi-router-to-act-as-an-access-point and https://www.youtube.com/watch?v=H7LOcJ8GdDo&app=desktop

Try option #2 first...

Message 2 of 8
elmnoise
Aspirant

Re: Is a Factory Reset Sufficient to Resolve Suspected System Compromise?

I think this was a response to a different question.

Message 3 of 8
FURRYe38
Guru

Re: Is a Factory Reset Sufficient to Resolve Suspected System Compromise?

Nope. 

Message 4 of 8
KevinLiT
NETGEAR Moderator

Re: Is a Factory Reset Sufficient to Resolve Suspected System Compromise?

Hello @elmnoise,

Welcome to the NETGEAR Community!

I understand that you experienced issues with access control on your RBR50 on FW 2.7.4.24. The issues expressed in the original post could be linked to not using the most updated FW available for Orbi Mesh System. Please ensure to always use the most current FW for your RBR50 mesh system. Ensure that you also update the satellites that are associated with your RBR50 to FW version 2.7.5.4.


Please navigate to the link below for the download file for your RBR53: 
https://www.netgear.com/support/product/RBK53#download

For more information on manually updating your RBK53 please navigate to the link below:
https://kb.netgear.com/31573/How-do-I-manually-upgrade-firmware-on-my-Orbi-router-using-orbilogin-co...

Best,
Kevin
Community Team

Message 5 of 8

Re: Is a Factory Reset Sufficient to Resolve Suspected System Compromise?


@elmnoise wrote:


I disconnected the RBR50 from the AT&T gateway, and manually applied the 2.7.5.4 firmware update.


What is that AT&T gateway?

It could be that it too is a router and the symptoms that you see have nothing to do with being hacked but are the consequence of using two routers at the same time.

Two routers on your network can cause headaches. For example, you can end up with local address problems. Among other things, the other router can misdirect addresses that the Netgear router usually handles, such as routerlogin.net or the usual IP address for a router, 192.168.1.1.

This explains some of the other drawbacks.

What is Double NAT? | Answer | NETGEAR Support

I would diagnose what is happening before you conclude that you have been hacked.

Message 6 of 8
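
Added example, not part of any post in this thread: a Python check for the double-NAT and local-address-collision conditions discussed above, using three values read from the two routers' admin pages. The function names and all sample addresses are constructed for illustration.

```python
import ipaddress

# Blocks that mean the inner router's WAN port sits behind another NAT.
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
CGNAT = ipaddress.ip_network("100.64.0.0/10")  # RFC 6598 shared address space


def upstream_nat_kind(wan_ip):
    """Return 'rfc1918', 'cgnat' or None for the inner router's WAN address."""
    wan = ipaddress.ip_address(wan_ip)
    if any(wan in net for net in RFC1918):
        return "rfc1918"
    if wan in CGNAT:
        return "cgnat"
    return None


def assess(inner_wan_ip, inner_lan, outer_lan):
    """Hypothetical helper: classify an ISP gateway + second router setup.

    inner_wan_ip: address the inner router received on its WAN port
    inner_lan:    subnet the inner router serves to its clients
    outer_lan:    subnet the ISP gateway serves on its LAN side
    """
    inner = ipaddress.ip_network(inner_lan, strict=False)
    outer = ipaddress.ip_network(outer_lan, strict=False)
    kind = upstream_nat_kind(inner_wan_ip)
    return {
        "upstream_nat": kind,
        # A private or shared WAN address means a second NAT upstream.
        "double_nat": kind is not None,
        # Overlapping LANs let both routers claim the same addresses
        # (for example the same 192.168.1.1 gateway address).
        "lan_overlap": inner.overlaps(outer),
    }


if __name__ == "__main__":
    # Constructed sample values, not taken from the thread.
    samples = {
        "separate subnets, private WAN": ("192.168.1.70", "10.0.0.0/24", "192.168.1.0/24"),
        "both routers on same subnet": ("192.168.1.2", "192.168.1.0/24", "192.168.1.0/24"),
        "passthrough, public WAN": ("203.0.113.10", "10.0.0.0/24", "192.168.1.0/24"),
    }
    for name, args in samples.items():
        print(f"{name}: {assess(*args)}")
```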
elmnoise
Aspirant

Re: Is a Factory Reset Sufficient to Resolve Suspected System Compromise?

Hello. The AT&T Gateway is the Pace 5268AC. I set it up to open a "pinhole" to the RBR50. The RBR50 is on a 10.X network, and the Pace is on the normal 192.168.X. I've had this configuration for a couple of years without issue. I agree it's not necessarily a problem with the Orbi, but that's where the errors were coming from. I factory reset everything and ensured the latest firmware was applied. No problems now, but still a bit nervous about using this Orbi.

Message 7 of 8
FURRYe38
Guru

Re: Is a Factory Reset Sufficient to Resolve Suspected System Compromise?

Your ISP Modem already has a built-in router and wifi. This would be a double NAT (two router) condition which isn't recommended. https://kb.netgear.com/30186/What-is-Double-NAT
https://kb.netgear.com/30187/How-to-fix-issues-with-Double-NAT
Couple of options,
1. Configure the modem for transparent bridge or modem only mode. Then use the Orbi router in router mode. You'll need to contact the ISP for help and information in regards to the modem being bridged correctly.
2. If you can't bridge the modem, disable ALL wifi radios on the modem, configure the modem's DMZ/ExposedHost or IP Pass-Through for the IP address the Orbi router gets from the modem. Then you can use the Orbi router in Router mode.
3. Or disable all wifi radios on the modem and connect the Orbi router to the modem, configure AP mode on the Orbi router. https://kb.netgear.com/31218/How-do-I-configure-my-Orbi-router-to-act-as-an-access-point and https://www.youtube.com/watch?v=H7LOcJ8GdDo&app=desktop
https://kb.netgear.com/000061277/Which-features-are-disabled-on-my-Orbi-router-when-it-is-set-to-AP-...

I would try option #2 first or if you're overly concerned, try option #3 and let the ISP gateway handle security.

Message 8 of 8