Rashid Saleem reckons he can use service workers, scripts that browsers run as background processes, to capture the admin panel credentials of Netgear routers.
There’s just one catch: for Saleem’s method to work, the target has to try to log into their home router after connecting to a compromised Wi-Fi point and downloading malware.
By loading a malicious service worker for the domain routerlogin.com – the default admin panel address for Netgear consumer routers – Saleem said it is possible for a bad actor to capture and read the login credentials by executing a classic man-in-the-middle attack.
As we reported in January, Netgear was bundling valid, signed TLS certificates, along with their private keys, in firmware that anyone could freely download. Netgear included the certificates because routerlogin.com is easier to communicate to non-techie users than a unique IP address on the local subnet: without a certificate for that name, browsers would throw up error messages and warnings when they couldn't authenticate the HTTPS connection to routerlogin.com, and Netgear didn't want customers scared off.
“Even if the user were using DNS-over-TLS or DNS-over-HTTPS, the malicious Wi-Fi network could intercept packets to the IP address behind routerlogin.com and perform the same attack,” he posted.
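The persistence mechanism described above, a service worker registered against the router's admin domain, is something a defender can hunt for from the browser that was exposed. The check below is an added example, not code from the article or from Saleem's write-up: it filters service worker registrations whose scope sits on a router admin host and unregisters them. In a real browser you would run it in the DevTools console while on the admin page and pass `navigator.serviceWorker`; here a constructed stand-in for that container is used so the code runs offline. The routerlogin.net alias and the sample registrations are assumptions.

```javascript
// Added example (not from the article or Saleem's research): find and
// remove service workers scoped to a router's admin domain.

// Admin-panel hostnames to treat as sensitive. routerlogin.com is the one
// named in the article; routerlogin.net is an assumed alias.
const ROUTER_ADMIN_HOSTS = ["routerlogin.com", "routerlogin.net"];

// Return the registrations whose scope lies on a router admin host.
function findSuspiciousRegistrations(registrations, adminHosts = ROUTER_ADMIN_HOSTS) {
  return registrations.filter((reg) => {
    let host;
    try {
      host = new URL(reg.scope).hostname.toLowerCase();
    } catch {
      return false; // malformed scope: nothing we can attribute to a host
    }
    return adminHosts.some((h) => host === h || host.endsWith("." + h));
  });
}

// Unregister every flagged worker via the ServiceWorkerContainer API
// (getRegistrations() / registration.unregister()) and report what was removed.
async function removeSuspiciousWorkers(serviceWorkerContainer, adminHosts = ROUTER_ADMIN_HOSTS) {
  const regs = await serviceWorkerContainer.getRegistrations();
  const flagged = findSuspiciousRegistrations(regs, adminHosts);
  const removed = [];
  for (const reg of flagged) {
    if (await reg.unregister()) {
      removed.push({
        scope: reg.scope,
        scriptURL: reg.active ? reg.active.scriptURL : null,
      });
    }
  }
  return removed;
}

// Constructed stand-in for navigator.serviceWorker: one benign registration
// and one scoped to the router admin domain. Real registrations have the
// same scope / active.scriptURL / unregister() shape.
function makeFakeContainer() {
  const make = (scope, scriptURL) => ({
    scope,
    active: { scriptURL },
    unregistered: false,
    async unregister() { this.unregistered = true; return true; },
  });
  const regs = [
    make("https://example.org/", "https://example.org/sw.js"),
    make("https://routerlogin.com/", "https://routerlogin.com/sw.js"),
  ];
  return {
    regs,
    async getRegistrations() { return regs.filter((r) => !r.unregistered); },
  };
}

// Stand-alone run against the constructed container.
removeSuspiciousWorkers(makeFakeContainer()).then((removed) => {
  console.log("removed:", JSON.stringify(removed));
});
```

In the browser, `navigator.serviceWorker.getRegistrations()` only returns workers for the origin of the page you are on, so the check has to be run from the admin page itself; the point of the filter is to avoid unregistering workers of unrelated sites when the same list is reused elsewhere.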
Jake Moore of infosec biz ESET mused that the probability of this being a viable attack in the wild was low, telling The Register: “To me, it seems crazy that you would want to access your home router so desperately that you need to do it remotely – unless, of course, you’ve just realised that your username and password are still the defaults whilst at work.”
Echoing UK calls for mandatory security standards enforced on industry, he continued: “Scammers exploit wherever they can so manufacturers need to do their utmost to help protect their users with best practice in place. Few people play around with the settings after the initial set up so it’s best to reduce the entry points altogether to reduce the risk of attack.”
It appeared from his blog post that Saleem had not contacted Netgear in advance, on the grounds that the HTTPS certificates it issued have all now been revoked.
Netgear did not answer when The Register called for comment. ®