In working on reporting a few bugs with a major Modem & Wifi Router, I came across a very serious Security & Privacy Breach that puts a consumer's private data out in open text and renders them in a seriously vulnerable state.
After some functional issues were reported to the Manufacturer’s Modem & Router support portal, I was asked to provide debug logs off the router using usual methods whilst you are within the LAN network (see below for instructions on how to generate and retrieve debug logs). It took me less than 3 days for the router to collect logs. At the end of it, it produced a zipped package containing many log files. Upon inspection, what I found left me completely stunned. Router Admin username & password, all 2.4G and 5G WiFi SSIDs and their passwords were sprinkled across the multiple files in clear text. Boy, I was glad I reviewed the debug logs (But, how many consumers actually do that?). There was no attempt to obfuscate this private data.
In addition, I was instructed by the support personnel to send the zip file over email (unencrypted, not instruction to password protect it) that is subject to a man in the middle attack, besides what’s to say a disgruntled employee having access to all debug logs containing admin passwords and WiFi credentials won’t take this data and release it out in the open quite easily.
Upon reporting this to the support, I was given canned responses. I provided them with fair warnings of going out to the media reporting this serious Security & Privacy breach that almost happened had it not been for my curiosity, but they cared less. So here I am, with this report. The Manufacturer is Netgear and the device in question is Nighthawk CAX80. And here is their response:
As stated from the email, this is part of the Data Collection Analytics and we're sincere apologize if this seems to be not quite good for you as you may see. Hence, we wish to inform you that even that admin passwords and also user name are being showed up from the debugs logs, NETGEAR Support are not allowed to copy nor duplicate those such information from our customers
Please be advised that our NETGEAR products are programmed to gather data collectively, and the intention is definitely not to acquire their passwords, it just happened that it is part of the analytics data. Technical data about the functioning and use of NETGEAR routers and their WiFi networks will help NETGEAR improve its products. This data collection will enable us to:
• Isolate and debug general technical issues,
• Improve router features and functionality,
• Improve the performance and usability of NETGEAR routers.
https://kb.netgear.com/000038665/What-is-router-analytics-data-collection-for-my-NETGEAR-router
The distillation of Netgear’s official stance is “Insider / Rouge Employee Threat” or “Man In the Middle Attack” is essentially out of scope and the vulnerability report was ignored.
As one may see from above, Netgear has refused to consider this as a bug in their design or even an unintentional collection of our private and sensitive information. Netgear assumes that this was intentional collection and that it is a normal practice to collect consumers' WiFi passwords.
Anyone that has a CAX80, must be aware to not collect debug files and send them to Netgear for any reason; their engineering will have access to all your wifi and admin passwords if you choose to do so, or if you have already done so in the past (please change your admin password & all your WiFi passwords). I am currently exploring my legal options.
Here is the method used to collect and retrieve logs off the Netgear Nighthawk CAX80 Modem-Router Unit:
- Make sure you are logged in to the local WiFi or Ethernet hosted by the Nighthawk CAX80.
- Open any web browser (I used Safari on a Mac) and type the following address - http://<Modem’s IP address - eg. 192.168.1.1>/debug.htm
- Hit enter
- You will be asked to enter your admin and password for the router. Enter it and hit “Log In"
- You will see the following screen. Hit “Start Capture”
- Here I spent around 2 days to allow for the logs to capture, then I hit the “Save Debug Log”. It takes a while for the log to download if allowed to collect for 2 days (One can simply allow a few seconds and still collect the logs). Hit the “Close” button, and the log file will be downloaded when done.
- You should see a zip file in your download location - “Debug_log.zip”
- Un-zip and search for your admin passwords or your wifi passwords. You will find your admin password in UNPND.txt.0, and wifi passwords in wifi_vendor_hal.log / console.log / 5g_WIGetDriverStats.txt, 5g_WIGetDriverCfg.txt, 2g_WIGetDriverStats.txt, 2g_WIGetDriverCfg.txt files, all in clear text.
Here are some of the attacker profiles due to the two vulnerabilities:
- Insider / Rouge Employee attack - A disgruntled employee can collect all the log files accessible to him/her and siphon out 1)Admin Passwords & 2)WiFi SSIDs and corresponding passwords from the debug logs and leak them out in the open.
- Man In The Middle Attack - Debug logs emailed to Netgear unencrypted could be collected by an adversarial sniffer tool and 1)Admin Passwords & 2)WiFi SSIDs and corresponding passwords from the debug logs can be made available in the open.
I would like to thank all the reviewers who provided guidance during the responsible disclosure of this issue - Prabhu Jayanna, Sudhir Mathane & Florian Lukavsky / Julia Alunovic (our friends @ iot-inspector.com)
Raj Kapoor