TLS: Netgear distributes private keys in firmware


A recent case involving Netgear shows that poor collaboration with security researchers and the community can have negative consequences for companies. The network equipment manufacturer apparently ships the private keys used for its HTTPS connections inside its firmware. Two security researchers published those keys directly on Github less than a week after discovering them, apparently out of frustration with Netgear's handling of vulnerabilities.


To make router login pages easier for end users, many manufacturers, Netgear among them, use a special domain name instead of an internal IP address. Recent changes in browsers, which now mark HTTP connections as not secure, no longer autocomplete passwords on them and warn before logging in, cause problems for this approach.

Netgear has therefore apparently decided to serve this special domain via HTTPS and to secure it with a certificate issued by a CA. Browsers then trust the certificate and display the login page as secured. For the router itself to be able to present this certificate, however, the certificate's private key must also be shipped with the router firmware, where anyone who can extract the firmware can read it.

The certificate and the private key could theoretically be used to perform man-in-the-middle attacks. In this specific case, the practical feasibility of such an attack is likely to be rather low, as Mozilla developer Adam Roach writes. Nevertheless, it is generally not a good idea to keep trusting a certificate whose private key is now public. This should also prompt the CA that issued the certificate to revoke it.
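As a defender's check for exactly the problem described above, here is an added example (not part of the original article and not Netgear's code) in Go: it scans a firmware image for PEM blocks and flags every certificate whose private key ships alongside it. The firmware image, the hostnames router.example and safe.example, and the keys are all constructed on the fly.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// ScanFirmware returns the DNS names of every certificate in a firmware image whose public key is matched by an RSA private key found in the same image.
func ScanFirmware(image []byte) []string {
	keys, certs := []*rsa.PrivateKey{}, []*x509.Certificate{}
	for b, rest := pem.Decode(image); b != nil; b, rest = pem.Decode(rest) { // pem.Decode skips binary junk between blocks
		if k, err := x509.ParsePKCS1PrivateKey(b.Bytes); b.Type == "RSA PRIVATE KEY" && err == nil {
			keys = append(keys, k)
		} else if c, err := x509.ParseCertificate(b.Bytes); b.Type == "CERTIFICATE" && err == nil {
			certs = append(certs, c)
		}
	}
	var leaked []string
	for _, c := range certs {
		for _, k := range keys {
			if k.PublicKey.Equal(c.PublicKey) { // false for certificates with non-RSA keys
				leaked = append(leaked, c.DNSNames...)
				break
			}
		}
	}
	return leaked
}
// selfSigned issues a throwaway certificate for name, signed with its own key k.
func selfSigned(k *rsa.PrivateKey, name string) []byte {
	t := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: name}, DNSNames: []string{name}, NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour)}
	der, _ := x509.CreateCertificate(rand.Reader, t, t, &k.PublicKey, k)
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
}
// SampleImage is a constructed firmware stand-in (no vendor data): binary junk, one key with its certificate, and a second certificate whose key stayed off the device.
func SampleImage() []byte {
	shipped, _ := rsa.GenerateKey(rand.Reader, 2048)
	kept, _ := rsa.GenerateKey(rand.Reader, 2048)
	keyPEM := pem.EncodeToMemory(&pem.Block{Type: "RSA PRIVATE KEY", Bytes: x509.MarshalPKCS1PrivateKey(shipped)})
	return []byte("\x7fELF\x00junk\n" + string(keyPEM) + "\n" + string(selfSigned(shipped, "router.example")) + "\n" + string(selfSigned(kept, "safe.example")))
}
func main() {
	fmt.Println("certificates whose private key ships in the image:", ScanFirmware(SampleImage()))
}
```

Only router.example is reported, because the second certificate's key is not in the image; a hit on a real firmware dump is the signal to revoke that certificate and rotate the key.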

Publication as top priority

The researchers' reasons for publishing the private keys unilaterally, without Netgear having had the chance to react appropriately, are of particular interest. On the one hand, they write that, despite repeated attempts, they were unable to establish direct contact with the company. However, it should also be emphasized that the two researchers spent only four working days on this.

On the other hand, the researchers point out that Netgear's public bug bounty programs fundamentally prohibit publication of the details of security vulnerabilities. But the researchers believe "that the public should know about these certificate leaks in order to adequately protect themselves and that the certificates in question should be revoked so that large browsers no longer trust them". Neither could have been guaranteed under the bug bounty programs.
