Reply

Re: Why We Require Registration on Smart Pro Switches

GruensFroeschli
Initiate

Re: Why We Require Registration on Smart Pro Switches

This is the first step of the end of Netgear.

I will never buy a Netgear product again until this has been reverted.

 

Message 26 of 44
qweasdzxcA
Initiate

Re: Why We Require Registration on Smart Pro Switches

For those on this thread that are clueless as to why this is a concern, not all switches implement this requirement the same. For instance, GSE116E performs a call to Netgear via the browser everytime you connect to the management page which results in a persistent XSS vulnerability.  There is also zero communication to the customer that the switch will be communicating secretly with Netgear from the moment they connect to it. That alone is a huge security risk since nobody in their right mind would assume that a switch is making HTTP calls behind their back.  This poor choice has to rank up their with the likes of Westinghouse requiring registration of their TVs just to view free OTA channels.  Locking out functionality until a user registers is the same as not being able to turn left in your car until you register it--it makes no sense and it only damages your brands reputation beyond repair by alienating those customers that have trusted them up until this point. They cannot regain their former customers trust back after this failure.  Any attempt by the company to say "trust us with your data" and "we only use your data for X" are meaningless because they can change their mind at anytime or they can get hacked (nobody gets hacked, right?).  There are also those who have zero desire to share their information with Netgear because they don't care about registering their device for whatever reason they choose and it is none of Netgears business as to why they don't want to.

 

The new switches that enforce product registration are also vulnerable to XSS attack from the first time you log into the management interface. The switch performs a JSONP call which means any response from the server will get executed in the browser under the context of the currently logged in user. If my.netgear.com gets comprimised or a DNS redirect is performed then malicious code will be run on your switch with the full control of the currently logged in user. The switch doesn't implement any sort of control over the code (CORS, Content-Security-Policy, etc). One possible hack would be for a malicious script to simulate the login screen, get the management login credentials, then use that to connect to any other switches in the accessible network that happen to use the same credentials. The implications of this are serious enough for any serious network team to return their switch immediately for another brand that takes security more seriously. It obvious that the marketing and customer service management teams are getting their hands into this in an attempt to find another revenue stream or cost savings.

It is obvious that Netgear wants to lose their long time customers by making this choice, and for those that are willing to live under their authoritarian rule then we say let them.  There are plenty of other brands that take network security serious and that sell switches and routers that do their job as intended so please give them your money instead.

Message 27 of 44
EzNetworks
Initiate

Re: Why We Require Registration on Smart Pro Switches

This mandatory registration to anable full functionality is insane!

I just bought a small GS108TV3 and I swear this is my last NETGEAR product I'll buy in my life.

Hey, NETGEAR, do yu know how you will lose your customers? One at time.

But hey, with this Insight nonsense you will manage to lose PLENTY of customers at time.

Well done, really!

Message 28 of 44
schumaku
Guru

Re: Why We Require Registration on Smart Pro Switches


@EzNetworks wrote:

This mandatory registration to anable full functionality is insane!


And why exactly please? I understand it might be a problem if you are living on a space station or an Antarctica research station and face a chicken-and-egg problem. In exchange, you get limited lifetime warranty (EoS + three years) instead of just the liegal minimum (US 12 months, EU six months, or can you proof that a problem existed as the device was new to get 24 months)?

 


@EzNetworks wrote:

But hey, with this Insight nonsense you will manage to lose PLENTY of customers at time.


Not a single customer is enforced to use Insight at any point - full local Web UI based management continues to be available - except for the dedicated Insight managed GC models - local web management is the default.

 

 

Message 29 of 44

Re: Why We Require Registration on Smart Pro Switches


@EzNetworks wrote:

This mandatory registration to anable full functionality is insane!

I just bought a small GS108TV3

 

Well. Your. Mis. Take.

 

We already threw out 10 of our Netgear switches for exactly this reason. And we will not make the mistake again of buying a Netgear product.

 

It looks like, support does not understand that many customers DO NO WANT this feature.

 

Maybe their wallet will understand 🙂

Message 30 of 44
schumaku
Guru

Re: Why We Require Registration on Smart Pro Switches

Look, I'm not support, just a user here - I'm just behind of finding the killer argument and pushing potential solutions options to convince Netgear my friend.

Message 31 of 44

Re: Why We Require Registration on Smart Pro Switches

No problem @schumaku. Just trying to catch - finally - the attention of support or sales ... so that they, hopefully, start to understand. I consider it a community service as well.

Message 32 of 44
Iphie_C
NETGEAR Expert

Re: Why We Require Registration on Smart Pro Switches

Hi,

 

The registration will NO longer be mandatory on Smart Pro switches with Insight Management in the next firmware release, which will happen early Q1 next year. Users can then skip registration to access UI with full features.

 

It's still highly recommended to register your devices to activate full warranty entitlement and get updated with future firmware release including updates that enhance the security of your network.

 

Please find more details in the NETGEAR  Product Registration FAQ in the link below:

 

https://kb.netgear.com/1160/NETGEAR-Product-Registration-FAQ#why

 

Message 33 of 44
schumaku
Guru

Re: Why We Require Registration on Smart Pro Switches

Hello @Iphie_C 

 


@Iphie_C wrote:

The registration will NO longer be mandatory on Smart Pro switches with Insight Management in the next firmware release, which will happen early Q1 next year. Users can then skip registration to access UI with full features.


Will this come along together with disabling the Insight agents on local Web managed switches, too?

 

Regards,

-Kurt

 

PS. @Username194506 @EzNetworks faster than expected - cool eh?

Message 34 of 44
Ezg2
Aspirant

Re: Why We Require Registration on Smart Pro Switches

I found this discussion just in time after researching which NetGear managed switch to buy for a few weeks. I will not be buying anything from NetGear anymore, because of the forced registration for full functionality tactic. Once my NetGear WiFi routers quit working of old age then I will have to find somewhere else to go too.

 

I have been looking forward to finally choosing which model(s) but thankfully there are a few other company's with similar offerings. Although they don't have the same features to price ratio, so I guess I will be giving them more Money!

Spoiler
 

 

Message 35 of 44
schumaku
Guru

Re: Why We Require Registration on Smart Pro Switches


@Ezg2 wrote:

I found this discussion just in time after researching which NetGear managed switch to buy for a few weeks. I will not be buying anything from NetGear anymore, because of the forced registration for full functionality tactic.


This issue never existed on the Netgear Managed switches or the routers, only the Smart Managed Pro Models were affected.

 

Your decision is kind of obsolete - read this:

 


@Iphie_C wrote:

The registration will NO longer be mandatory on Smart Pro switches with Insight Management in the next firmware release, which will happen early Q1 next year. Users can then skip registration to access UI with full features.


 

Message 36 of 44

Re: Why We Require Registration on Smart Pro Switches

It certainly is good news that the strategy is changed. But, as we all know: While it takes a while to build up trust - ruining it is a fast process. And, as well: You do not change brands so quickly. It might, for us, take a time until we return. 😕

Message 37 of 44
ingsocgear
Aspirant

Re: Why We Require Registration on Smart Pro Switches

Could you briefly explain where, in your apparently utterly deranged communist mind, is the idea of hard-wiring your smart switches to automatically connect to your "Netgear Registration Server" acceptable, commercially productive, or even legal to spy on your paying customers? Yes you are, by even connecting, you attempt to expose the status of a switch, which is already a data breach planned, planted, and executed against your customers.

 

There also seems to be no way to disable this feature. No sane customer should ever trust you, for even trying this. You have not offered this feature as an opt-in either, or even disclosed the full range of IP addresses related to your "Registration", so that your customers could exercise their right to not use this coupled "service". One would need to monitor network traffic on a trunk to explicitly detect & block you backdoor snooping, which fulfills the crtieria of Netgear having deployed an exploit device.

Message 38 of 44
schumaku
Guru

Re: Why We Require Registration on Smart Pro Switches

The server or the service if you want so belongs to Netgear, so it must be capitalism.

So for the interested reader, please explain exactly where or how the switch does contact this registration server.
Message 39 of 44
DennisT1
Aspirant

Re: Why We Require Registration on Smart Pro Switches

This is my 1st purchase of Netgear in a couple years and I came across this issue.  I have a box of 5 switches that are going back to the distributor.  Ntegear is no OFF our approved vendor list.

 

Bye!

Message 40 of 44
Iphie_C
NETGEAR Expert

Re: Why We Require Registration on Smart Pro Switches

Hi @DennisT1 

 

Thanks for considering NETRGEAR Business switches. We are sincerely sorry if our products caused inconvenience and confusion.

 

All the Smart Managed Pro switches with Optional Insight Cloud Management now have new firmware available at our Support website for download. The new firmware allows full access to GUI functions without registering the switch. Registration can be skipped at GUI login.

 

Simply enter your product model number and go to "Download" and install the new firmware on the switch:

https://www.netgear.com/support/

 

 

Message 41 of 44
AndroGen
Guide

Re: Why We Require Registration on Smart Pro Switches

Dear Netgear,

 

in your reply you have not stated whether the "call my home" functionality is going to be disabled in the new Firmware.

You simply skipped it. You just "allow" do not ask for the registration.

 

Thinking loudly in the positive direction.

To avoid mass migration from your brand you might want to make a clear statement about

  • why you do this "call my home"
  • what exactly is sent
  • what protocols are used (ports etc.)
  • and how this can be disabled if customer does not want / or what is more critical is not allowed to do so.
  • you might also add end explicit switch in the settings, which will disable this "call my home" functionality completely and in some cases irreversible forever (until e.g. the devise goes thought the HW reset), that it is not "reenabled after the firmware update.

 

Otherwise customers with strict compliance rules will have to abandon your ship, and if this happens, it is a reputational damage, which is usually irreversible in case of the security related violations/reasons.

 

Kind Regards,

Andrey

Message 42 of 44
DennisT1
Aspirant

Re: Why We Require Registration on Smart Pro Switches

Results from ProSafe Plus Utility - No switch exists in the local area network!

 

I now have a box full of switches I need to get rid of.  These are all the existing switches we have (had).  The original 5 I had that started this are long gone.

 

Bye Netgear.

Message 43 of 44

Re: Why We Require Registration on Smart Pro Switches

I thought I would put in my $0.02 on this since nobody has figured it out yet.

People are smart enough to figure out that Netgear was lying when they said the reason they required registration was for security patches/etc.  But nobody seems to have cottoned on to the real reason they tried this stunt.

 

The real reason is because Netgear wants to insure that if an older switch of theirs is sold the new buyer will have no ability to take advantage of the lifetime warranty.   Since the hardware device key is now tied to the original owner, any later owner will not be able to get any support on the product.

 

They are not the first company to try this and unfortunately won't be the last.  Essentially they want to be able to advertise a lifetime warranty without actually providing an unlimited lifetime warranty.

Message 44 of 44
Top Contributors
Discussion stats
  • 43 replies
  • 12970 views
  • 65 kudos
  • 16 in conversation
Announcements