× NETGEAR is aware of a growing number of phone and online scams. To learn how to stay safe click here.
× Introducing the new Orbi 770 Series Mesh System. To learn more click here.
Orbi WiFi 7 RBE973
Reply

Re: Security Gap: How to enable https communication between orbi RBR50 router and RBS50 satellite

HaroldCarl
Tutor

Security Gap: How to enable https communication between orbi RBR50 router and RBS50 satellite

It seems that there is a high security risk in the communication (normal and backhaul) (RBK50) with occurs between the Orbi RBR50 and RBS50. The communications are http and not https.

 

I would like to see if anyone has a fix for this, especially when using theses products in AP mode?

 

It seems that this has not been addressed as a part of the most recent firmware? 

Model: RBK50| Orbi AC3000 High-Performance Tri-Band WiFi System
Message 1 of 5
FURRYe38
Guru

Re: Security Gap: How to enable https communication between orbi RBR50 router and RBS50 satellite

What FW version do you have loaded?

Can you let us know how your finding this? 

Does this happen in router mode as well? 

What security mode do you have set on the Orbi? WPA2 and AES only is recommended. 

 

You should file a support ticket here and notifiy NG:

https://www.netgear.com/mynetgear/registration/login.aspx


@HaroldCarl wrote:

It seems that there is a high security risk in the communication (normal and backhaul) (RBK50) with occurs between the Orbi RBR50 and RBS50. The communications are http and not https.

 

I would like to see if anyone has a fix for this, especially when using theses products in AP mode?

 

It seems that this has not been addressed as a part of the most recent firmware? 


 

 

 

Message 2 of 5
CrimpOn
Guru

Re: Security Gap: How to enable https communication between orbi RBR50 router and RBS50 satellite

I, also, am interested in how this conclusion about the backhaul was reached.

 

It is well-known that the connection to Orbi's web interface is HTTP instead of HTTPS.  This is one reason the default configuration is not to allow "remote administration."  It is also a reason to use a wired computer to administer the router.  (Not just Orbi, but any router that uses HTTP.)  No packets "in the air" is reasonably secure.

 

Traffic between the router and satellites is encrypted.  Here's a community thread discussing the process: https://community.netgear.com/t5/Orbi/Orbi-Backbone-Password-Generation/td-p/1260457

As the thread mentions, anyone who lacks confidence in Netgear's randomly generated password can create their own on the Orbi web interface by going to Advanced->Wireless Settings->Backhaul Password.

 

I think we're always concerned about potential security threats and want to know what you found.

Model: RBK50| Orbi AC3000 High-Performance Tri-Band WiFi System, RBR50| Orbi AC3000 Tri-band WiFi (Router Only)
Message 3 of 5
Flibbidyfloo
Guide

Re: Security Gap: How to enable https communication between orbi RBR50 router and RBS50 satellite


@CrimpOn wrote:

 

It is well-known that the connection to Orbi's web interface is HTTP instead of HTTPS.  This is one reason the default configuration is not to allow "remote administration."  It is also a reason to use a wired computer to administer the router.  (Not just Orbi, but any router that uses HTTP.)  No packets "in the air" is reasonably secure.

By "remote administration" do you mean "remote management"? I can't find any options for disabling remote administration, but it seems like what you'd want to do is disable administration over wireless connections, which I also can't find a setting for. This is a common setting on the other routers I've used, so maybe I'm just missing it in the labrynthine Orbi config menus.

 

The option "enable remote management" in the app is turned off, but I can still access the admin menus via http from a wifi connected PC.

Model: RBR20|Orbi AC2200 Tri-band WiFi Router
Message 4 of 5
CrimpOn
Guru

Re: Security Gap: How to enable https communication between orbi RBR50 router and RBS50 satellite


@Flibbidyfloo wrote:

The option "enable remote management" in the app is turned off, but I can still access the admin menus via http from a wifi connected PC.

This observation is correct (and sad).  Alas, those of us who have desktop and laptop computers with ethernet ports are a dying breed.  Customers without such devices purchase WiFi routers to connect their phones, tablets, televisions, IoT devices, etc.  Without WiFi access to Orbi, they could not set it up.  In recent months, numerous questions have been asked on this Forum by people who rely on the Orbi app do manage their system, not the web interface.

 

I believe this is the factor that will drive Netgear to implement https: on the router.  (When it is no longer acceptable to say, "use a desktop for that.") My guess is that for now, they are relying on WiFi encryption to protect the router.  The average neighbor is not likely to have the expertise or patience to crack a home WiFi.  It would be fascinating to know if the "Pro" Orbi line secures the web interface.

Message 5 of 5
Top Contributors
Discussion stats
  • 4 replies
  • 4943 views
  • 3 kudos
  • 4 in conversation
Announcements

Orbi 770 Series