Re: Why isn't ORBI Login Secure

SeanW · ‎2020-07-30

I am not sure you would know as somebody who is able to intercept the cleartext traffic and read the admin credentials has all the tools they need on the router to cover their tracks. Good luck finding any trace of unauthorised access. Not securing an administration interface with even the most basic form of encryption as we approach the end of 2020 is simply ignorant and / or negligent.

Assuming your network is compromised is the default position taken by any security professional for the last 10 years, so I can only asume that Netgear do not employ any security staff.

CrimpOn · ‎2020-07-30

It appears that short of replacing their Orbi system (and being very careful* to learn how the replacement system is secured), people have two choices:

Use the insecure http web interface, with the convenience of being able to address it as http://orbilogin.net, or
Use the secure https web interface, which requires them to address it as https://<ip of orbi>, and ignore the warning about the invalid SSL certificate.

With the first method, managing the Orbi router with a wired computer would shield the plain text login from anyone who has broken the Orbi WiFi security and is snooping on WiFi traffic to capture packets. And, if a WiFi connected computer is being used to manage the Orbi, then the attacker still has the task of breaking the WPA2 security.

* It would be useful to have a list of the WiFi routers which are "secure" for comparison. As a test, I looked up the user manual for the Asus ZenWiFi CT-8, one of the very newest WiFi6 products. Page 13 of the user manual indicates how to access the router web interface:

https://dlcdnets.asus.com/pub/ASUS/wireless/ZenWiFi_CT8/E16735_ZenWiFi_CT8_UM.pdf

And, yes, the instructions are: http://router.asus.com. NOT SECURE.

michaelkenward · ‎2020-07-30

This "insecure" http login is local.

Can anyone think of scenarios where naughty people, as opposed to delinquent teenage children, can break into their routers?

Remote access uses https.

By the way, the last time I looked, as @CrimpOn reports, http was industry standard. Not just Netgear.

FURRYe38 · ‎2020-07-30

I use HTTP all the time for local router web page access. No body nefarious in my house doing anything bad on the local side. Besides, I'm the only one managing the network. HTTPS isn't needed for local access IMO. Been like this for years across many HOME CLASS router mfrs. Though HTTPS is supported on Orbi AC from last discussion about it. NG has had odd issues with it so if users are seeing a problem, then please make contact with NG support an let them know about it. Theres nothing we can do to fix any HTTPS or certificate issues here in the forum.

Good Luck.

philbast · ‎2020-10-11

Using encrypted communications for logins and administrative access is a basic necessity in 2020. I would also add using MFA for those accounts and disabling non encrypted logins. Netgear needs to up their game on the security side.

Not everybody wants to configure their router/AP from the cloud, I for one do not. Mine is actually setup only as an AP behind my firewall and the the main AP and it's satellite do not access the internet they only serve wifi throughout my house.

I don't know what security measures are in place from netgear for a remote access but any access from the Internet needs to be protected by encryption and MFA...

michaelkenward · ‎2020-10-11

@philbast wrote:

Using encrypted communications for logins and administrative access is a basic necessity in 2020. I would also add using MFA for those accounts and disabling non encrypted logins. Netgear needs to up their game on the security side.

There is widespread uproar over on the Arlo (ex Netgear) community because MFA is due to be introduced any day now. Many many users want nothing to do with this attempt to protect their access to their data.

Choice seems to be what they want.

CrimpOn · ‎2020-10-11

@philbast wrote:
I don't know what security measures are in place from netgear for a remote access but any access from the Internet needs to be protected by encryption and MFA...

The default condition for remote access to Orbi is none. Total isolation. Does not respond to any attempt to connect.

Users can choose to activate three forms of remote access:

Enabling https access to the Orbi web interface. This (a) provides encrypted traffic and (b) requires login. The user can decide how 'secure' to make the login. Mine is 25 characters, although I do not have remote access enabled at this time.
VPN access using OpenVPN. This gets a user into the Orbi LAN. Reaching the Orbi web interface requires that same password. This is what I use.
The Orbi "app" remote access. This requires the Netgear user ID/password. Have no idea if the traffic is encrypted, but would imagine that the same SSL mechanism is used. (Could capture WAN traffic and look at it, but not much interested in the answer.) Since I find the Orbi app pretty much worthless, I have this disabled.

Encryption: Yes. MFA: No.

Would love to learn of a consumer WiFi router that requires (or even offers) MFA.