Leaving your admin interface's TLS cert and private key in your router firmware in 2020? Just Netgear things

Leaving your admin interface's TLS cert and private key in your router firmware in 2020? Just Netgear things

Finding sparks debate over bug disclosure – and how do you secure a local gateway's web control panel


Netgear left in its router firmware key ingredients needed to intercept and tamper with secure connections to its equipment's web-based admin interfaces.


Specifically, valid, signed TLS certificates with private keys were embedded in the software, which was available to download for free by anyone, and also shipped with Netgear devices. This data can be used to create HTTPS certs that browsers trust, and can be used in miscreant-in-the-middle attacks to eavesdrop on and alter encrypted connections to the routers' built-in web-based control panel.


In other words, the data can be used to potentially hijack people's routers. It's partly an embarrassing leak, and partly indicative of manufacturers trading off security, user friendliness, cost, and effort.


Security mavens Nick Starke and Tom Pohl found the materials on ..

Support the originator by clicking the read the rest link below.