The keys could be used to intercept and tamper with secure connections (man-in-the-middle attacks) and essentially, any of the compromised routers can be hijacked.
Recently Netgear, a computer networking company, was found to have vulnerabilities in the firmware of its wireless routers. The report was made by Nicholas Starke, a threat researcher at Aruba Networks, along with Tom Pohl, head of software architecture at Businessolver.
According to the duo, they were looking for vulnerabilities in the company’s firmware in general when they stumbled upon the private keys of signed TLS certificates, publicly available inside that firmware.
For the unfamiliar, every Netgear device comes with a minimum of two signed TLS certificates in use. The private keys of these could be used to decrypt any traffic passing through that device and hence would naturally put the user at risk by exposing all of their traffic.
Furthermore, these keys could be downloaded from Netgear’s support website without any authentication measures in place, making it an open house.
The models affected include the R8900, R9000, RAX120 and XR700 wireless routers. As no patch has been released yet, despite a response by Netgear on Monday, the company has advised users to go with the following two options until the issue has been fixed:
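The defensive lesson from this passage is that a shipped firmware image should never contain a private key in the first place, and that this is cheap to check before release or during an audit. The following is an added example, not code from the article or from the researchers: a small stdlib-only scanner that walks a firmware blob, reports every PEM-encoded private key block (RSA, EC, PKCS#8 or otherwise), and sanity-checks that the body is valid base64 that decodes to a DER SEQUENCE. The firmware image and the key material it contains are constructed placeholders for the demonstration, not real keys.

```python
import base64
import binascii
import re
import textwrap

# Matches any PEM private-key block ("RSA PRIVATE KEY", "EC PRIVATE KEY",
# "ENCRYPTED PRIVATE KEY", plain PKCS#8 "PRIVATE KEY", ...). The END label
# must match the BEGIN label via the \1 backreference.
_PEM_KEY_RE = re.compile(
    rb"-----BEGIN ((?:[A-Z]+ )?PRIVATE KEY)-----\s*(.*?)\s*-----END \1-----",
    re.DOTALL,
)


def find_pem_private_keys(blob):
    """Return one finding per PEM private-key block embedded in `blob`.

    Each finding records where the block sits, which kind of key it claims
    to be, whether its body is well-formed base64, and whether the decoded
    bytes start with an ASN.1 SEQUENCE tag (0x30) as real DER keys do.
    """
    findings = []
    for m in _PEM_KEY_RE.finditer(blob):
        kind = m.group(1).decode("ascii")
        body = re.sub(rb"\s+", b"", m.group(2))  # drop 64-column line wrapping
        try:
            der = base64.b64decode(body, validate=True)
            base64_ok = True
        except (binascii.Error, ValueError):
            der, base64_ok = b"", False
        findings.append({
            "offset": m.start(),
            "kind": kind,
            "base64_ok": base64_ok,
            "der_sequence": base64_ok and der[:1] == b"\x30",
            "der_len": len(der),
        })
    return findings


def _pem(label, der):
    """Wrap raw bytes in a PEM envelope (64-column base64), for constructing samples."""
    b64 = base64.b64encode(der).decode("ascii")
    lines = "\n".join(textwrap.wrap(b64, 64))
    return f"-----BEGIN {label}-----\n{lines}\n-----END {label}-----\n".encode("ascii")


# Constructed sample: a fake firmware image containing one certificate
# (which is harmless to ship) and two private-key blocks (which are not).
# Neither "DER" blob is real key material; they only begin with the 0x30
# SEQUENCE tag so the structural check has something to look at.
FAKE_KEY_DER = b"\x30\x1a" + b"constructed fake key bytes"   # 28 bytes
FAKE_CERT_DER = b"\x30\x0c" + b"fake cert 12"                 # 14 bytes

SAMPLE_FIRMWARE = (
    b"CONSTRUCTED-FIRMWARE-HEADER" + b"\x00" * 16
    + _pem("CERTIFICATE", FAKE_CERT_DER)
    + b"\x00" * 8
    + _pem("RSA PRIVATE KEY", FAKE_KEY_DER)
    + b"\xff" * 8
    + _pem("PRIVATE KEY", FAKE_KEY_DER)
    + b"\x00" * 4
)


if __name__ == "__main__":
    for f in find_pem_private_keys(SAMPLE_FIRMWARE):
        print(f"offset={f['offset']:6d} kind={f['kind']!r:24} "
              f"base64_ok={f['base64_ok']} der_sequence={f['der_sequence']} "
              f"der_len={f['der_len']}")
```

Run against a real image (for example `find_pem_private_keys(open("firmware.bin", "rb").read())`), any finding at all is a release blocker: a certificate block is expected on a device that serves HTTPS, a private-key block next to it means anyone with the firmware file holds the key. The scanner deliberately does not parse the key further; the point is to flag its presence, not to use it.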
- Use the Netgear Nighthawk app
- Use the HTTP version of routerlogin.com instead of the usual HTTPS
The second workaround is indeed something that is highly embarrassing for the company.
However, the key concern here, more than the flaw itself, is how the company handled the entire ordeal. The researchers have detailed that on 14 January, when they discovered the vulnerabilities, they tried to get in touch with Netgear’s team via Twitter, but to no avail.
Then on January 15 they took to Bugcrowd, where Netgear runs a bug bounty program, and attempted to “establish a communication channel outside of the Netgear bug bounty programs.” This too failed, despite Netgear responding, leading the researchers to publish everything publicly on GitHub on January 19.
Mark Thompson, VP of product management at Keyfactor told HackRead that,
“This is yet another example of manufacturers prioritizing time to market over device security. D-Link made the same mistake in 2015 when developers accidentally published keys in open-source firmware. NETGEAR should store these private keys in a secure HSM or use on-device key generation to generate the public-private key pair. This is unfortunate, but a timely reminder to IT leaders to revisit and revise the way they approach device security to mitigate manufacturer vulnerabilities.”
But this is not all. A user named Kevin Froman took to the comments section of the researchers’ post, telling everyone that Netgear had ruled one of his reports on a similar issue, filed on July 23, 2017, as a duplicate, hinting that the company had known of this flaw for almost two and a half years.
However, SearchSecurity investigated, asking the Netgear team for clarification on whether it had been reported before, to which they responded that it had not, stating:
“This particular issue related to Entrust private key being available in the plain text has not been reported to us earlier.”
Regardless of this specific vulnerability, and whether it had indeed been reported earlier, it is important that Netgear and every other company follow responsible disclosure practices, not only to increase consumer trust but also to adequately protect customers. Behavior such as this would only end up hurting their reputation in the long term, seeing how security-conscious users have become over the past decade.