Register-Orbi-damned: Netgear account order irks infosec bods
Marketing data collection opens potential security nightmare
Netgear has irked some security pros by demanding people register accounts before they can use a mobile app to control their Orbi mesh routers.
Thus, you'll need a Netgear customer account to manage your network infrastructure, thereby "advertising to hackers everywhere that there’s a nice little honeypot on their servers, waiting to be broken into," Australia-based security pro Eran Segev complained.
Segev argued Netgear is "asking for trouble" in demanding customers create a Netgear account to use its Orbi App.
The change was introduced in May. At the time, the networking kit maker said the changes were necessary for manageability and security reasons:
Once your Netgear account is created, you’ll activate your warranty, be able to monitor and manage your network from anywhere, enable voice controls, and more. You will also be able to receive any security updates for your product.
Segev only recently hit the issue after getting a new phone and installing the Orbi app. “It appears that the Orbi app, having been installed on my previous phone prior to the change in policy, just kept working,” he explained.
“The reason it’s a bad idea is that it’s a security risk. There is now a growing database of Orbi users, with email addresses, names, and in all likelihood IP addresses, on a Netgear database, awaiting the inevitable breach. When that happens, a malicious player could combine the list with whatever vulnerability exists on the Orbi at the time to break into a very large number of networks,” he added.
Segev continued: “Routers are not like printers or TVs. They are sensitive network boundary devices. Creating an additional point of exposure for them is unconscionable.”
The Aussie security pro argues that Netgear is running an unnecessary risk.
“To be clear, it’s not like I think giving my details to Netgear will automatically get me hacked. I’ve been in IT security for too long to worry about nonsense. But it’s a completely unnecessary step from a technical perspective and I don’t accept that Netgear suddenly requires me to increase my vulnerability for no good reason,” Segev concluded.
Ken Munro of independent security consultancy Pen Test Partners told El Reg that he agreed Segev may have a point, but described Netgear’s move as “odd” rather than risky.
"The Orbi thing does seem a little odd," Munro said. "Strikes me that it’s a backhanded way of gathering marketing data by forcing users to register."
"There are plenty of ways of achieving the same without requiring registration," he added.
El Reg put these criticisms to Netgear. The firm declined to provide a formal statement.
Through industry sources El Reg understands that Orbi, as well as regular Nighthawk routers, ship with an app that allows warranty registration, notification of firmware updates and some administrative tools to set up and manage the networks.
The tech is not necessarily there to gather marketing data, contrary to the suspicions of our tipster. Some Mesh Wi-Fi competitors also require an account be set up to associate with their Wi-Fi networks, El Reg further understands. ®