If you own a router made by Netgear, a US government-backed security group is warning it may be vulnerable to hackers. The firm, which has confirmed the problems exist, is now working to rush out urgent fixes after the critical flaws were discovered to impact a slew of its products.
The US Computer Emergency Readiness Team (US-CERT) at Carnegie Mellon University says users should consider disabling their routers completely until a proper fix is rolled out. In an advisory, it explained how the easily-exploitable flaw could be used to allow complete control over the router.
"Exploiting this vulnerability is trivial," the researchers warned. "By convincing a user to visit a specially crafted web site, a remote unauthenticated attacker may execute arbitrary commands with root privileges on affected routers."
It said users should use a different device or consider "discontinuing use" altogether.
After conducted tests on its product range, Netgear said the vulnerability impacts the following routers: R6250, R6400, R6700, R7000, R7100LG, R7300, R7900, and R8000. According to security blog CSO, there are nearly 10,000 devices at immediate risk.
Routers that can be exploited are currently being hijacked by cybercriminals to be used in massive botnets which can utilise the computing power of infected machines for malicious purposes. One major botnet, called Mirai, was recently used to take down multiple major websites in the US including Twitter, Netflix and Reddit.
The Netgear flaw was first discovered by Andrew Rollins, a security researcher who uses the Twitter handle @Acew0rm. He claimed to have first notified the company about the gaping security gaps way back on 25 August. The firm, Rollins said, never responded.
Eventually, after disclosing the flaw to US-CERT, Netgear was forced to acknowledge the problems. In a blog post, the firm said it is aware of the security issue and said urgent fixes are now being released to impacted users. Three beta versions are now available.
A statement posted to its own advisory, updated on 13 December, noted the beta version of the firmware updates have "not been fully tested and might not work for all users." It said the fixes are "a temporary solution" but stressed users should update their devices as soon as a fix is released.
"We appreciate and value having security concerns brought to our attention," it said. "Netgear constantly monitors for both known and unknown threats. Being pro-active rather than re-active to emerging security issues is fundamental for product support.
"Netgear is continuing to review our entire portfolio for other routers that might be affected by this vulnerability. If any other routers are affected by the same security vulnerability, we plan to release firmware to fix those as well."
As a last resort, again designed as a temporary fix, Netgear has directed users to Bas' Blog, a security-focused website managed by a London-based data scientist. It is highly advised that impacted users should only try this if an official fix is yet to be released.