Security Alert: Turn Off Your Netgear Router Now

Security Alert: Turn Off Your Netgear Router At present

UPDATED 11 a.m. Tuesday Dec. xiii with new information from Netgear about affected models and temporary patch. UPDATED 3:45 p.m. Midweek with even so more information from Netgear.

Commonly, security news stories go something like this: A researcher found a problems. Information technology's bad, but you tin prevent it by patching your gadget. This is not 1 of those stories.

Credit: Netgear — (Image credit: Netgear)

A huge vulnerability is present in some of Netgear's most popular Nighthawk Wi-Fi routers. Worse nonetheless, it'due south very piece of cake to exploit and would let anyone have complete control of your home Wi-Fi network. At that place'south no prepare available still -- just a somewhat convoluted workaround. It's so bad that the U.Due south. government is alarm people not to use Netgear routers. And the existent kicker? Netgear has reportedly known about this flaw since August, yet does not seem to have done anything about information technology.

To prevent falling victim to this flaw, you can perform i or two somewhat technical hacks while you're on your home Wi-Fi network. (We have details below.) Or you can only unplug your Netgear router and utilize another brand of router until Netgear patches this flaw.

List of affected Netgear routers

One time Reddit got current of air of the vulnerabilities, it did some investigating on its ain, and realized that the flaw went far beyond the initial 2 routers that Rollins researched. Kalypto (In)Security, a blog run by researcher Kalypto Pink, has the near consummate listing of affected routers and so far. These include:

Netgear AC1750-Smart WiFi Router (Model R6400)
Netgear AC1900-Nighthawk Smart WiFi Router (Model R7000)
Netgear AC2300-Nighthawk Smart WiFi Router with MU-MIMO (Model R7000P)
Netgear AC2350-Nighthawk X4 Air conditioning 2350 Dual Band WiFi Router (Model R7500)
Netgear AC2600-Nighthawk X4S Smart WiFi Gaming Router (Model R7800)
Netgear AC3200-Nighthawk AC3200 Tri-Band WiFi Router (Model R8000)
Netgear AC5300-AC5300 Nighthawk X8 Tri-Band WiFi Router (Model R8500)
Netgear AD7200-Nighthawk X10 Smart WiFi Router (R9000)

Other models may be affected as well. Since many Netgear routers run on similar firmware, the vulnerability could be more than widespread than the researchers and Redditors predictable.

UPDATE: Netgear has added the AC1600 Smart WiFi Router (R6250), Nighthawk AC1750 Smart WiFi Router (R6700), Nighthawk AC1900 LTE Modem Router (R7100LG), Nighthawk DST 1900 Dual-Band WiFi Router (R7300DST) and Nighthawk AC3000 X6 Tri-Ring WiFi Router (R7900) to the list of mayhap affected routers.

UPDATE: Netgear has added the Nighthawk AC1900 Smart WiFi Router (R6900), AC1200 WiFi VDSL/ADSL Modem Router (D6220) and AC1600 WiFi VDSL/ADSL Modem Router (D6400) models to the listing of affected routers.

How to tell if your Netgear router is vulnerable

Luckily, there is a very elementary examination you tin perform to see if your model is vulnerable. While you're at abode and connected to the local network, simply go to an Internet browser and type the following control:

http://[RouterIP]/cgi-bin/;REBOOT

substituting your own router's local IP address for the term gear up off by brackets. (Here'due south how to find your abode router'south local IP accost.) Many routers volition answer to the fifty-fifty simpler

http://www.routerlogin.net/cgi-bin/;REBOOT

which does Non require that y'all know your router's local IP address.

If the router reboots, your model is vulnerable to remote infiltration, and you should unplug it until Netgear provides a fix. (You lot can use commands other than reboot, if yous like, but that's a fairly harmless i.)

How to temporarily shield your Netgear router from attack

There are 2 workarounds, although the first is not entirely effective. First, yous can change your router's local IP address. Netgear provides instructions, although just the tech-savvy among you will want to try this; it'south a scrap of a process. Irresolute your IP address will prevent random strangers from finding you online, but won't prevent an infiltration if someone targets you specifically and discovers it, or if someone can get onto your local network, which past default discloses your router'south IP address.

A more complete, but temporary, workaround is to disable the router's administration web interface completely. Ironically, you tin can do this by taking advantage of the same exploit that allows infiltration in the first place. Merely blazon

http://[RouterIP]/cgi-bin/;killall$IFS'httpd'

http://www.routerlogin.net/cgi-bin/;killall$IFS'httpd'

into your Web browser, and the command volition disable Netgear's RouterLogin authoritative software.

This means you lot won't be able to admission any of your router's authoritative functions — similar changing passwords, or opening ports — until you physically reboot the router. On the other hand, neither volition an assaulter. In theory, this fix should not affect your router's ability to provide internet service, making information technology a smart, if imperfect, gear up for the time being.

Alternatively, if you have an older router in the cupboard, now might be the fourth dimension to pull it out and put it to work. There'due south no bear witness that attackers take exploited this vulnerability in the wild, but every bit it's been out for 4 days, and it'south then easy to exercise, the floodgates are open.

UPDATE: Netgear has created temporary firmware that fixes the problem for the R6400, R7000 and R8000. A Netgear security advisory states that a permanent solution is being worked on for these models and all other afflicted models.

UPDATE: Netgear has added beta firmware for the R6250, R6700, R6900, R7100LG, R7300DST, R7900, D6220 and D6400.

Who institute this attack, and what is Netgear doing virtually information technology?

The information on the vulnerability comes from a variety of sources, only here'south the rough chronology. On Aug. 25, Andrew Rollins, a St. Louis-based security researcher who used the name Acew0rm, found a huge flaw in two high-end Netgear routers. He says he contacted the company, which did not respond to his concerns. Subsequently giving Netgear more three months to answer, Acew0rm went public with his concerns on Twitter and YouTube late last calendar week.

The flaw is so severe that the U.S. government issued a warning well-nigh information technology Friday (Dec. 9). The Computer Emergency Response Team (CERT) at Carnegie Mellon University, which is affiliated with the Department of Homeland Security, informed users about the vulnerability, explaining that there is no fix, and recommending that users disconnect affected routers until Netgear cleans up its act.

As for Netgear itself, the visitor acknowledged Rollins' concerns, merely maybe too late to make a difference. In a security informational, Netgear admitted that the flaw exists and pledged to investigate further. The advisory did not contain any concrete details on how to lock a potential attacker out.

Responding to a request for comment from Tom's Guide, a Netgear spokesman referred to the posted security informational and said that the company was "still investigating the upshot" and would update the informational with more data in one case it became available.

How the Netgear router attack works

Here's how the vulnerability works: Offset, y'all find the IP accost of a router y'all'd like to attack. If you lot have admission to a local network, this process is little.

Once you know the IP accost, yous blazon the following into an Internet browser'due south accost field:

http://[RouterIP]/cgi-bin/;COMMAND

That's information technology. Naturally, y'all'd supervene upon [RouterIP] with the victim's IP address, and Command with whatever yous wanted the router to practice next. This could be something every bit innocuous as rebooting the router, or as malicious as giving yourself an undetected backdoor into an entire network.

Because near users never bother to modify their routers' local IP addresses from a handful of default configurations (such as "192.168.ane.1" or "172.sixteen.0.i"), the attack too works from the internet. A malicious web page tin embed the attacking command in an paradigm link that goes to one of those default local router IP addresses.

He or she who controls the router effectively controls the unabridged network. You could spy on someone'due south webcam, draft the router into a botnet, redirect Google searches or Facebook updates to malicious pages, or just steal social media and financial logins for yourself. The possibilities are endless.

If you're thinking, "that exploit sounds also simple; am I missing something?", you're not. Information technology really is that trivial. A malefactor demand only craft a simple website that links to the command, then hide it behind a URL shortener (like Chip.ly), and tons of unsuspecting users would probably autumn for it.

Best Wireless Abode Security Cameras
Your Router's Security Stinks: Here'southward How to Ready It
All-time Antivirus Software and Apps

Marshall Honorof is a senior editor for Tom's Guide, overseeing the site'south coverage of gaming hardware and software. He comes from a science writing background, having studied paleomammalogy, biological anthropology, and the history of science and applied science. After hours, yous tin can find him practicing taekwondo or doing deep dives on archetype sci-fi.