How to Update Firmware on Netgear Router R7000

Thousands of Netgear routers can be hacked — here’south what to practice

The Netgear Nighthawk RS400 home Wi-Fi router.

(Image credit: Netgear; Shutterstock)

Dang kids. Because of an optional parental-control feature that obviously wasn’t so optional, well-nigh a dozen widely used Netgear habitation Wi-Fi router models accept a serious security flaw and demand to be patched.

The affected models are the R6400v2, R6700, R6700v3, R6900, R6900P,
R7000,
R7000P, R7850, R7900,
R8000
and
RS400, well-nigh of them in the “Nighthawk” line and physically about identical. Firmware updates are now bachelor for all of them.

The flaw tin can be exploited by a bad guy who gets access to your Wi-Fi network, which may not always be as hard to practise as it seems, and and then used to seize control of your home or small-scale-office network and send you God-knows-where on the cyberspace.

Considering Netgear markets its home routers using somewhat misleading terminology — for case, the R7000 is likewise labeled every bit the “Nighthawk AC1900 Smart WiFi Dual Band Gigabit Router” — you might desire to flip your router over and bank check the sticker on the lesser for the real model name.

How to update your Netgear router’s firmware

To update your router’southward firmware, Netgear’s
security advisory
(opens in new tab)

recommends going to its support page at
https://www.netgear.com/support/
(opens in new tab)
, and then punching in your model’s number. From there, you’ll be taken to your model’southward support page. You can download a Zip file to your PC and unpack the file.

And so use your favorite web browser to admission your router’due south authoritative interface (it’due south most likely at http://192.168.1.i), click the Advanced tab, select Assistants and click Router Update. Yous can upload the file to the router from there.

Read: How to Update Zoom H4n Drivers and Firmware

However, for nearly of these routers, information technology’south going to be but as piece of cake to download the firmware update directly to the router. Follow the web administrative-interface instructions in the paragraph to a higher place, and then click the check-for-update push instead of uploading a file from your PC or Mac.

Vulnerable Disney Circle software

The trouble here stems from the Disney-designed Circle parental-control feature, which was rolled out to Netgear Nighthawk and Orbi mesh routers, some of them already in customers’ homes, as an optional add-on feature in 2017.

The Orbis and newer Wi-Fi 6 Nighthawks got parental-control software built in-house by Netgear earlier this year, while the Circumvolve service was discontinued for older Nighthawk models in late 2020.

Here’s the catch: If y’all accept one of the affected routers, the vulnerable Circle software is on your device regardless of whether you always ponied up the $4.99 monthly charge for the Circle feature.

“The Circle update daemon that contains the vulnerability is enabled to run past default, even if yous oasis’t configured your router to apply the parental control features,” explained
Adam Nichols
(opens in new tab)

of the D.C.-area security firm GRIMM in a blog post. (Bleeping Estimator
(opens in new tab)

earlier reported this story.)

“While it doesn’t set the underlying issue, merely disabling the vulnerable lawmaking when Circle is non in utilise would have prevented exploitation on well-nigh devices.”

In other words, y’all’ve got a problem that came with software you probably didn’t ask for and that may have been introduced to your device via a firmware update later on you bought it.

A side note about Netgear security patches

Nosotros’ve run a lot of Netgear router security alerts in the by few years, with
at least ii
in 2020. So nosotros want to reiterate that Netgear’s consistent policy of finding, patching and publicizing its security flaws is a Good Thing, despite the resulting negative headlines.

Read: Realme 5 RMX1911 Firmware Asli

The only reason you don’t hear about many security flaws with another major router makers is because they don’t tell you about the flaws. At least nosotros know when something goes wrong with Netgear routers and how to set up it.

The same principle goes for Windows PCs, Macs, iPhones and Android phones. All of those devices get regular security updates to set flaws and are the better for it. You don’t want a router that never receives firmware updates.

Your router’s security stinks: Here’s how to set information technology

What’southward going on here?

This flaw, catalogued as CVE-2021-40847, was discovered by GRIMM researchers. They noticed that there was a Circle update daemon, or mini-program, called “circled” (presumably pronounced “circle-dee”) on older Netgear Nighthawk routers.

Later on some probing, they constitute that the Circumvolve update daemon ran equally root, was enabled by default and could still be exploited even if information technology was disabled.

“The update process of the Circumvolve Parental Control Service on various Netgear routers allows remote attackers with network access to gain RCE [remote lawmaking execution] every bit root via a Human being-in-the-Middle (MitM) attack,” Nichols wrote on the GRIMM blog.

Because Netgear’south firmware updates are downloaded over plain onetime HTTP and are not encrypted, Nichols explained, they could in theory be intercepted, contradistinct, and and then passed along in poisoned grade to the routers — a classic
man-in-the-middle assail.

Netgear protects against this by encrypting its firmware update files and digitally signing them, making information technology pretty difficult for an assaulter to read, change or install altered firmware.

Not so Circumvolve. Its update file is just a compressed database without any kind of internal protections.

Read: Steam Vr Wont Detect Controllers When Updating Firmware

GRIMM showed that it wasn’t difficult to sneak malicious lawmaking into a Circle update and from there completely seize command of a router, which in turn would grant the aggressor complete control of your home (or small office) internet traffic.

This may not entirely exist Circle’s fault. It could be that the firmware-update connections on its since-discontinued
Circle with Disney
hardware devices were encrypted, removing the necessity of encrypting the update files as well.

If so, and so this new flaw may exist the result of something falling between the cracks in the differing update models when the Circle software was ported to Netgear devices.

The Netgear firmware yous want to end up with

Here’due south a listing from the Netgear site of the firmware versions that you want to have on each device.

R6400v2 fixed in firmware version one.0.four.120
R6700 stock-still in firmware version 1.0.2.26
R6700v3 fixed in firmware version 1.0.4.120
R6900 fixed in firmware version ane.0.2.26
R6900P stock-still in firmware version iii.3.142_HOTFIX
R7000 fixed in firmware version 1.0.11.128
R7000P fixed in firmware version one.3.3.142_HOTFIX
R7850 fixed in firmware version 1.0.5.76
R7900 fixed in firmware version one.0.4.46
R8000 stock-still in firmware version ane.0.4.76
RS400 stock-still in firmware version one.5.ane.eighty

Paul Wagenseil is a senior editor at Tom’s Guide focused on security and privacy. He has also been a dishwasher, fry cook, long-haul commuter, code monkey and video editor. He’southward been rooting around in the information-security space for more than xv years at FoxNews.com, SecurityNewsDaily, TechNewsDaily and Tom’southward Guide, has presented talks at the ShmooCon, DerbyCon and BSides Las Vegas hacker conferences, shown upward in random TV news spots and even moderated a panel discussion at the CEDIA home-technology conference. Yous can follow his rants on Twitter at
@snd_wagenseil.