Admin ID Security Risk

gslabbert5119 · ‎2019-06-12

How is it possible that a company the size of Netgear, can leave a huge security hole in their router - Orbi firmware.
Not being able to disbale the admin ID of "admin" removes a layer of security as the userid "admin" is a well known username, now all a hacker has to deal with is hacking the password and not have to trouble themselves with the userid. This makes the task of hacking a system exponentially easier.

This is my first Netgear system, and I have always used Linksys, where I have been able to not only add a different admin id that is secret and known only to me (just like a password), but linksys has the ability to assign mulitple admin id's so that various network admins can have access to the config and make changes.

I would go back to linksys, if it were not for the fact that the linksys meshed network does not have the range of the Orbi network, and I am stuck with a system that has a huge security hole in my opinion.

Any suggestions or ideas how i can bring this to Netgear with sufficient vigor that they will include this in a soon to be released update?

CrimpOn · ‎2019-06-12

This is correct. If a person is able to (1) gain physical access to an Orbi LAN port, or (2) break the WiFi password, then only the (complicated?) administrative password securess the router.

It may be possible to telnet into the Orbi and change the name from "admin" to something else:

https://community.netgear.com/t5/Orbi/How-to-change-Admin-as-UserID-on-Orbi-RBR50/m-p/1695642#M50858

(Disclaimer: I have not actually done this myself. If you are able to do this *successfully*, it would be nice to have confirmation that "it worked")

michaelkenward · ‎2019-06-13

@gslabbert5119 wrote:

Not being able to disbale the admin ID of "admin" removes a layer of security as the userid "admin" is a well known username, now all a hacker has to deal with is hacking the password and not have to trouble themselves with the userid. This makes the task of

Netgear is not alone in this "crime against humanity".

In years of watching this place, I cannot remember seeing any reports that people have accessed a device by breaking that security.

After all, as @CrimpOn says, someone has to all but break into your house to get local access to your hardware.

Were this really that dangerous a move, the world, and this place, would be awash with complaints and reports of hacked systems. It has come up from time to time as a "feature request", but even those have gone away.

Anyone seriously paranoid, you could always intert a modem/router in front of an Orbi system and put that into AP mode. That would add one layer of security.

Just another user.
My network DM200 -> R7800 -> GS316 -> PL1000 -> Orbi RBR40 -> Orbi RBS50Y -> RBS40V

Ragar99 · ‎2019-06-13

@michaelkenward wrote:
@gslabbert5119 wrote:

Not being able to disbale the admin ID of "admin" removes a layer of security as the userid "admin" is a well known username, now all a hacker has to deal with is hacking the password and not have to trouble themselves with the userid. This makes the task of

Netgear is not alone in this "crime against humanity".

In years of watching this place, I cannot remember seeing any reports that people have accessed a device by breaking that security.

After all, as @CrimpOn says, someone has to all but break into your house to get local access to your hardware.

Were this really that dangerous a move, the world, and this place, would be awash with complaints and reports of hacked systems. It has come up from time to time as a "feature request", but even those have gone away.

Anyone seriously paranoid, you could always intert a modem/router in front of an Orbi system and put that into AP mode. That would add one layer of security.

Belittling someone on the basis of "some other vendors do it also" is incredibly ignorant when it comes to security.

gslabbert5119 · ‎2019-06-13

Ok, so just because as far as you know a netgear router or Orbi system has never been hacked, does not mean it has not happened. Further consumers are a small portion of netgears business and there a many not so small businesses using home type routers and networks for their comms. In fact a rather large mortgage company that was taken of by the #3 bank at the time, had netgear routers and your and my personal info was at risk there, so it does affect you, or can, and we know that they were hacked, we found evidence when we did the conversion.
Simply put just because you live in a place where you can leave the keys to your kingdom does not mean that you should and eventually it will be stolen, and no I am not that paranoid, all I ask is that I am able to practice safe security as is mandated by the security industry.

Not fixing the issue is shortsighted, and one once of prevention is better than 10 lbs of cure.

CrimpOn · ‎2019-06-13

In addition to the administrative user name, Netgear also does not secure the administrative web site, i.e. uses "http" rather than "https". IF someone were to snoop on an Orbi long enough to break the WiFi encryption, and IF the Orbi administrator accessed the web site over WiFi while the snoop was recording, it would be possible to gather the Orbi login password. My Netgear Nighthawk router is exactly the same.

I, personally, handle this vulnerability by using only a wired computer for administration.

Welcome to the Orbi Community

Admin ID Security Risk

Re: Admin ID Security Risk

Re: Admin ID Security Risk

Re: Admin ID Security Risk

Re: Admin ID Security Risk

Re: Admin ID Security Risk