- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Printer Friendly Page
Re: Security Gap: How to enable https communication between orbi RBR50 router and RBS50 satellite
- Mark as New
- Bookmark
- Subscribe
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Security Gap: How to enable https communication between orbi RBR50 router and RBS50 satellite
It seems that there is a high security risk in the communication (normal and backhaul) (RBK50) with occurs between the Orbi RBR50 and RBS50. The communications are http and not https.
I would like to see if anyone has a fix for this, especially when using theses products in AP mode?
It seems that this has not been addressed as a part of the most recent firmware?
- Mark as New
- Bookmark
- Subscribe
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Re: Security Gap: How to enable https communication between orbi RBR50 router and RBS50 satellite
What FW version do you have loaded?
Can you let us know how your finding this?
Does this happen in router mode as well?
What security mode do you have set on the Orbi? WPA2 and AES only is recommended.
You should file a support ticket here and notifiy NG:
https://www.netgear.com/mynetgear/registration/login.aspx
@HaroldCarl wrote:
It seems that there is a high security risk in the communication (normal and backhaul) (RBK50) with occurs between the Orbi RBR50 and RBS50. The communications are http and not https.
I would like to see if anyone has a fix for this, especially when using theses products in AP mode?
It seems that this has not been addressed as a part of the most recent firmware?
- Mark as New
- Bookmark
- Subscribe
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Re: Security Gap: How to enable https communication between orbi RBR50 router and RBS50 satellite
I, also, am interested in how this conclusion about the backhaul was reached.
It is well-known that the connection to Orbi's web interface is HTTP instead of HTTPS. This is one reason the default configuration is not to allow "remote administration." It is also a reason to use a wired computer to administer the router. (Not just Orbi, but any router that uses HTTP.) No packets "in the air" is reasonably secure.
Traffic between the router and satellites is encrypted. Here's a community thread discussing the process: https://community.netgear.com/t5/Orbi/Orbi-Backbone-Password-Generation/td-p/1260457
As the thread mentions, anyone who lacks confidence in Netgear's randomly generated password can create their own on the Orbi web interface by going to Advanced->Wireless Settings->Backhaul Password.
I think we're always concerned about potential security threats and want to know what you found.
- Mark as New
- Bookmark
- Subscribe
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Re: Security Gap: How to enable https communication between orbi RBR50 router and RBS50 satellite
@CrimpOn wrote:
It is well-known that the connection to Orbi's web interface is HTTP instead of HTTPS. This is one reason the default configuration is not to allow "remote administration." It is also a reason to use a wired computer to administer the router. (Not just Orbi, but any router that uses HTTP.) No packets "in the air" is reasonably secure.
By "remote administration" do you mean "remote management"? I can't find any options for disabling remote administration, but it seems like what you'd want to do is disable administration over wireless connections, which I also can't find a setting for. This is a common setting on the other routers I've used, so maybe I'm just missing it in the labrynthine Orbi config menus.
The option "enable remote management" in the app is turned off, but I can still access the admin menus via http from a wifi connected PC.
- Mark as New
- Bookmark
- Subscribe
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Re: Security Gap: How to enable https communication between orbi RBR50 router and RBS50 satellite
@Flibbidyfloo wrote:
The option "enable remote management" in the app is turned off, but I can still access the admin menus via http from a wifi connected PC.
This observation is correct (and sad). Alas, those of us who have desktop and laptop computers with ethernet ports are a dying breed. Customers without such devices purchase WiFi routers to connect their phones, tablets, televisions, IoT devices, etc. Without WiFi access to Orbi, they could not set it up. In recent months, numerous questions have been asked on this Forum by people who rely on the Orbi app do manage their system, not the web interface.
I believe this is the factor that will drive Netgear to implement https: on the router. (When it is no longer acceptable to say, "use a desktop for that.") My guess is that for now, they are relying on WiFi encryption to protect the router. The average neighbor is not likely to have the expertise or patience to crack a home WiFi. It would be fascinating to know if the "Pro" Orbi line secures the web interface.
• Introducing NETGEAR WiFi 7 Orbi 770 Series and Nighthawk RS300
• What is the difference between WiFi 6 and WiFi 7?
• Yes! WiFi 7 is backwards compatible with other Wifi devices? Learn more