An Automatic Upgrade to Uncontrolled Access

  • Comments 0

How could they get it so wrong? I've been very happy with all the other Netgear hardware scattered across my network, including ADSL modems, switches, and the NAS box, but I'm beginning to wonder if the WNDR 4500v2 wireless router I upgraded to last year was such a great idea. Especially when a firmware update seem so problematic. It's a shame because, other than the management UI issues, it's a really nice piece of kit that seems to offer very solid, fast, and reliable wireless connectivity.

The latest problems all came about because I read of a serious security vulnerability in the wireless feature of Virgin cable modems, which it seems are based on Netgear wireless routers. I have wireless disabled in my Virgin modem, and you can't actually upgrade the firmware yourself anyway - I assume Virgin will do an automatic update at some point. But it prompted me to check for updated firmware for my Netgear wireless router (which I use as an access point for my network). Supposedly it checks automatically, but you can also kick off a version check manually.

So I did, and after 10 minutes it was obvious that it couldn't connect to the Netgear server. Maybe it uses some esoteric port that my firewall blocks, or maybe it's just broken. So I toddle over to the Netgear website and discover there is an update that fixes several issues and vulnerabilities. No problem; read the release notes, download it, and install it through the router's web UI. Which seems to have worked fine when everything comes back up again.

Interestingly, the release notes say you should do a full settings erase after upgrading, but then says that you should write down all the settings you changed from the default values, since you may need to re-enter them manually. My guess is that you'll definitely need to re-enter them afterwards. But mine is configured with a fixed IP address and set up as an access point, so I'd need to mess around plugging in wires just to reload the configuration from a previously saved config file (although this turned out to be the least of my worries).

Instead, after the update, I ran through the settings to confirm everything was as expected. It's nice to see that they have finally finished the UI section for setting up the router as an access point (see Missing The (Access) Point). And it actually does say "Access Point" in the main menu instead if the cryptic "AP Mode" entry. They even populated the empty section of the "help" pop-up. Though help sections for some other pages of the configuration seem to bear little relationship to the actual UI.

They also removed the link to configure the MAC address-based access control settings from its previous home, and now it lives in the main menu. And when I did find it, I was amazed (and seriously perturbed) to discover that it was completely disabled - and that half a dozen unrecognized devices were shown as connected. Reloading the previous configuration from a saved backup file made no difference. How on earth can they get away with that?

So I set about reconfiguring the access control using a list of MAC addresses I thankfully printed out a while ago. And realized what a hash they've made of what was a quite usable and informative approach in the previous version. Yes, after you turn on access control you can quickly allow or block any currently connected device. The list also shows the NETBIOS names of each device and the IP address on the network. Though several non-Windows devices don't show a name, and some don't show an IP address either. It does say in the UI that "intruders" will also show up in the list, but without a name how can you tell?

In the previous version it remembered all allowed devices and allowed you to add a description for each one so it was easy to see what they all are. In this new version you can create a list of "allowed devices that are not currently connected" and provide a description. Though you have to turn off any devices that are connected and reboot the router so they aren't shown in the "currently connected" list before you can add them as an allowed device with a description – otherwise you get a "duplicate MAC address error" message. And after all that effort, when they do connect again, the list doesn't show the name or description (even though the router now knows what they are) so you still don't know what's actually connected.

Besides which, it's a long multi-click routine to add each device to the allowed list, made worse by the fact that the list is hidden under a "Click here" link every time the page loads. And if you make a mistake and want to remove an item from this list you're back in the half-finished UI world. There's a checkbox next to each item and an "Add" button, plus a small unmarked blue square that turns out to be the "Delete" button when you adopt the usual practice of clicking wildly around the page to see what happens.

And then, as computers that are allowed access are shut down, they appear in the "allowed devices that are not currently connected" list. Except they often appeared with the last two segments of the MAC address set to "00" and no name/description. It's almost impossible to tell what's going on. Yet, strangely, after a few days it seems to have started remembering the names of devices - at least those that have a NETBIOS name - and successfully shuffles them from one list to another as they come online or go offline. Perhaps if I just leave it alone it will sort itself out.

You now also have to allow or block wired devices that are on your network, but don't use wireless. Where a device has both wired and wireless interfaces you have to allow both separately. Why? All this does is stop something physically connected to your network from trying to open the config UI. OK, it does add some extra security if you don't know who might get physical access you your network, but it seems perverse blocking this but still allowing wireless access to the config UI. I suspect that any intruders that manage to get into the premises will have more pressing things to do that plug their laptops into the router – even if they did remember to bring an Ethernet cable with them.

But at least Netgear did manage to populate the pop-up help section with useful advice about using the access control feature. Though it seems odd that they "strongly suggest" choosing the "Allow all new devices to connect automatically" option, rather than "Block all new devices from connecting". If you allow the connection of any previously unknown device that you didn't specifically add to the blocked list, what's the point in turning on the access control feature?

Mind you, MAC-based access control might be less vital if the router had the two most obvious security features that others seem to include - the ability to block access to the management UI from all non-wired connected devices (to prevent wireless intruders from accessing the configuration) and the ability to reduce the power of the wireless signal so that it doesn't fill the whole street. I was hoping to find these options in the updated firmware, but no luck. You can change the maximum speed of the wireless connection, but nowhere does it indicate if this changes the power of the signal.

Of course, I'm guessing that I'm in a very small minority of people who bother with setting up access control, and that millions of these routers will never see any firmware updates anyway because most users will set them up and never look at the management UI again until something breaks. Maybe the firmware updates should be applied automatically, as with Windows update? Though an automatic update that automatically turns off security settings (as this one does) would be seriously worrying.

And should I actually be concerned about someone in the street connecting to my wireless network? They'd need to know the SSID (which I configure the router not to broadcast) and the passkey, though it seems that the latest firmware upgrade fixes a vulnerability that might allow intruders to bypass the authentication. Well, it would put them on my internal network behind the firewall, even though they'd need a username and password to connect to any other resource. It would also allow them to soak up some of my bandwidth, which could be a problem because one of my ISP connections is metered and chargeable beyond a certain limit.

Plus, with the increasing focus on ISPs blocking "inappropriate content" of various kinds, how long would it be before I get a visit from the thought police when my ISP records lots of attempted accesses to nefarious websites or illegal file sharing sites? I'm guessing that there will be plenty of technically savvy young people whose home connection is monitored or filtered, and who figure that someone else's Wi-Fi is an alternative source of connectivity.

However, it's increasingly the case that open Wi-Fi connections are popping up all over. When I first saw one or two appearing in my network connections dialog, bearing SSIDs that include the names of our major telcos, I wondered where they were coming from. The answer is that most new wireless routers include a guest network that is enabled by default. OK, so it's isolated from your own connection, but it shares your bandwidth. And I sincerely hope they also use a different IP address, or we're back with the thought police issue again. I haven't got round to testing this - I disable the guest network on all my routers, but I'll bet that most non-technical people don't even know it's there.

In fact it seems like a rather interesting (and somewhat insidious) way that the major telcos have found to widen Wi-Fi access without paying for it themselves, or even telling people what's happening. In most cases the customers have to pay for the router when subscribing to a package from an ISP, and they certainly pay for the electricity it uses. Though to be fair, and only because I have a business package, Virgin did tell me about the guest network capability of their modem. But that's because they punt it as an advantage - it allows visitors to my company premises to "enjoy the benefits of wireless connectivity".

Meanwhile I've discovered how hotels can afford to offer free Wi-Fi. During our recent trip to Iceland, the free hotel Wi-Fi required an email address and "click the link in the email" confirmation - which meant I had to use a real email address to avoid getting kicked off after 15 minutes. Since then I've been flooded with spam emails, all in Icelandic...

Leave a Comment
  • Please add 4 and 7 and type the answer here:
  • Post

An Automatic Upgrade to Uncontrolled Access