Computer Active (UK)

UPDATE YOUR ROUTER NOW

Emergency fix for your system’s weakest link

Netgear has released emergency firmware updates for 11 of its routers that are deemed to be at risk of being hacked. Some of these are among the company’s best-selling models.

The flaws in the routers are so serious that even the US Department of Homeland Security advised people not to use them until a fix was released.

Anyone with a Netgear router should visit the company’s website to check whether their model requires a fix: www.snipca.com/22949. These are being released first as betas (which haven’t been fully tested) and then as more comprehensive ‘production firmware’ updates.

Netgear says that the beta fixes are a “temporary solution” and “might not work for all users”. It “strongly recommends” that all users install the production firmware fixes.

If your router is listed, click its link (see screenshot 1), then click the Download Link (see screenshot 2) and follow Netgear’s instructions.

You can see the 11 affected routers in the box below. Netgear’s D7000 router was initially listed as a vulnerable model, but after testing it the company said it is safe and doesn’t need to be updated.

‘Incompetent’ Netgear

Security researcher Andrew Rollins, known as ‘Acew0rm’ on Twitter, said that he told Netgear about the vulnerabilities in August, but claims the company never got back to him.

After he went public with the flaws three months later, the Computer Emergency Response Team (CERT), part of the Department of Homeland Security, issued its warning on 9 December (www.snipca.com/22950).

The flaws are easy to exploit. Hackers would be able to access a user’s router by directing them to a website that contained malicious code. A hacked router could then be assimilated into a botnet, which is a network of devices used for huge internet attacks, often to knock websites offline.

Netgear first acknowledged the flaws on 11 December, admitting that more routers were at risk than security researchers had originally indicated. It took until 13 December for Netgear to start releasing the updates.

Rollins slammed Netgear as “incompetent” for forcing users to install the updates themselves, rather than issuing them directly to routers ‘over the air’.

Another leading security specialist, Bas Van Schaik, who published a temporary fix before Netgear did, said it was “appalling and baffling” that Netgear didn’t act upon Rollins’ warning in August.
