Netgear Patched the Air Force's Router Problem Two Years Ago

According to the previous Recorded Future report, hackers were able to steal documents about the U.S. Military’s Reaper drones because the Air Force didn’t set the FTP password on its Netgear routers, which allowed the attackers to gain free access to the military’s computers. Netgear has now said this wouldn’t have been a problem if the Air Force had applied the firmware update the company released in 2016 for this very issue.

Air Force Hack

As we know from the previous report, the attackers first learned that the Air Force’s machines were vulnerable to hacking via its Netgear routers by using the search engine Shodan to scan the internet for non-secure devices. Shodan calls itself the “world's first search engine for Internet-connected devices.” However, it’s often used by malicious parties to scan for their hacking targets.

Once the attackers found the Air Force’s routers, gaining access to them was trivial due to a two-year-old flaw in Netgear’s routers. The flaw would let anyone gain remote access to the routers because Netgear wasn’t asking for any form of authentication via FTP, which was enabled by default.
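For administrators who want to confirm their own routers are not in the state described above, the following is an added example (not from the original article or from Netgear) that checks whether a device's FTP service grants a session without credentials. It assumes the unauthenticated state shows up as the server accepting `ftplib`'s default anonymous login; the function names, result labels and inventory addresses are constructed for illustration.

```python
import ftplib

# Result labels used by this example (hypothetical names, not a standard).
NOT_REACHABLE = "ftp-not-reachable"
AUTH_REQUIRED = "auth-required"
NO_AUTH = "unauthenticated-access"


def check_ftp_auth(host, port=21, timeout=5.0):
    """Classify the FTP service on a device you administer."""
    ftp = ftplib.FTP()
    try:
        ftp.connect(host, port, timeout=timeout)
    except ftplib.all_errors:
        # Refused, filtered, timed out, or not speaking FTP: nothing exposed here.
        return NOT_REACHABLE
    try:
        # With no arguments, login() offers the user "anonymous".
        # A server that enforces authentication answers with a 5xx reply.
        ftp.login()
        return NO_AUTH
    except ftplib.error_perm:
        return AUTH_REQUIRED
    except ftplib.all_errors:
        return NOT_REACHABLE
    finally:
        try:
            ftp.quit()
        except ftplib.all_errors:
            ftp.close()


def audit(inventory):
    """Return ({host: result}, [hosts that granted a session without credentials])."""
    results = {host: check_ftp_auth(host) for host in inventory}
    exposed = sorted(h for h, r in results.items() if r == NO_AUTH)
    return results, exposed


if __name__ == "__main__":
    # Constructed inventory (documentation address range); replace with your own devices.
    results, exposed = audit(["192.0.2.1", "192.0.2.2"])
    for host, result in results.items():
        print(f"{host}: {result}")
    if exposed:
        print("Update firmware and set an FTP password or disable FTP on:", ", ".join(exposed))
```

A device reported as `auth-required` still exposes FTP, so it is worth confirming that the service is intended to be reachable at all.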

Netgear Had Already Solved The Issue

Routers aren’t typically known for being the most secure devices in the world, nor are they often updated by their manufacturers. Even today, many router makers still don’t take security too seriously, which is why we still see things such as hard-coded passwords, backdoor accounts, or default credentials being used by the router makers. All of these “features” make it trivial for attackers to take over hundreds of thousands of routers at once after they learn about these vulnerabilities.

However, in this case, Netgear had known about this particular flaw for more than two years, which is also when it released a fix for it in a firmware update. It may have been Netgear’s fault for releasing a router to which other parties can gain access by default without any authentication being required, but the Air Force also had two years to prevent this attack from happening by patching its own routers.

Netgear told Tom’s Hardware that its registered customers have been notified by email about new firmware updates and that customers can also visit the Router Update page to see whether a new update is available. If you still haven't updated your router, even after the VPNFilter saga, then now may be a good time to look into that.

Lucian Armasu
Lucian Armasu is a Contributing Writer for Tom's Hardware US. He covers software news and the issues surrounding privacy and security.
  • drawingpin
    The updated firmware that Netgear came out with resulted in a lot of connection issues with their routers. They may not have applied this update for that reason. It's the reason why Netgear went back and I'm now using ASUS. Netgear know of the connection issues and have a beta update they'll supply you with when pushed.
  • gggplaya
    21138518 said:
    The updated firmware that Netgear came out with resulted in a lot of connection issues with their routers. They may not have applied this update for that reason. It's the reason why Netgear went back and I'm now using ASUS. Netgear know of the connection issues and have a beta update they'll supply you with when pushed.

    I've also dumped all my netgear equipment (NAS and routers), it used to be good, but now their software team is garbage.

    I've since switched to QNAP for my NAS needs and Asus for my router needs. The ASUS router software is awesome, very stable and fast with great features. I'm very happy with it.
  • genz
    21138518 said:
    The updated firmware that Netgear came out with resulted in a lot of connection issues with their routers. They may not have applied this update for that reason. It's the reason why Netgear went back and I'm now using ASUS. Netgear know of the connection issues and have a beta update they'll supply you with when pushed.

    Never heard of the USAF using beta gear though haha

    Now that would make for one hell of a drone party! :D
  • digitalgriffin
    yep

    Clearly the fault is on the gov't for this. But it's not surprising given the size of government infrastructure and lack of emphasis on security. What I'm more interested in is how classified control systems and data were on a public attached network?

    BTW: I still would not turn on outside access for Netgear Consumer grade for maintenance, FTP, or VPN. There's a known flaw where passwords are transmitted encrypted, making them ripe for exploiting.
  • Kewlx25
    My Netgear was good while it lasted, but after 5 years, the wifi started to get flaky. I went with pfSense + managed switch + ubiquiti AP. Everything has been rock solid. Over 1.3 years of uptime. pfSense technically has outstanding security fixes, but they only affect the services, which cannot be hit WAN side. If I can't trust my LAN, all is already lost.
  • Lutfij
    The one and only gear from Netgear I've got is a WNDR3800 Premium Edition which is not premium at all. If you apply the latest firmware update, it sends anything you connect to it, to hell. If you're on the second last update, it's smooth as butter. It's miles below the RT-N56U I had from Asus's camp.
  • 10tacle
    I cannot believe the USAF, or any branch of the military for that matter, didn't/doesn't have a dedicated security team for protection of compromised data. They should have been testing backdoor breach access vulnerabilities, especially as they were using consumer grade off the shelf networking products instead of proprietary custom designed ones (yeah that means overpriced Mil-Spec).
  • USAFRet
    21139568 said:
    I cannot believe the USAF, or any branch of the military for that matter, didn't/doesn't have a dedicated security team for protection of compromised data. They should have been testing backdoor breach access vulnerabilities, especially as they were using consumer grade off the shelf networking products instead of proprietary custom designed ones (yeah that means overpriced Mil-Spec).

    Yes, there is a lot of commodity grade stuff. DoD does not design and build all their own routers.
    Yes, there is a security team. Multiples of those.

    Sometimes, fixing one exploit needs to be put off because the "fix" exposes others.

    And right now, some group of clowns is getting yelled at (or worse) for this.
  • 10tacle
    My father worked on a rail gun project for the Air Force two decades ago and they figured it was more cost effective to power the gun with thousands of automotive batteries instead of a sustaining power generation unit. I also remember the USAF buying a bunch of Playstation 3 consoles for tying together and running a supercomputer of some sort. They do what they have to do with what they have available I suppose - especially money.
  • USAFRet
    21139605 said:
    My father worked on a rail gun project for the Air Force two decades ago and they figured it was more cost effective to power the gun with thousands of automotive batteries instead of a sustaining power generation unit. I also remember the USAF buying a bunch of Playstation 3 consoles for tying together and running a supercomputer of some sort. They do what they have to do with what they have available I suppose - especially money.

    1,760 PS3's.
    https://phys.org/news/2010-12-air-playstation-3s-supercomputer.html

    Not because they were cheap or they were playstations...but because the chips did what was needed.