
This post is part of an ongoing series of posts designed to provide clear instructions for implementing Tripwire’s Vulnerability and Exposures Research Team’s (VERT) SOHO router recommendations found here.

This guide assumes that the reader has a NETGEAR branded wireless router and knows its address on the network. For help identifying your router, please refer to this introduction article.

If you have forgotten the administrative password for your device, it may be necessary to perform a factory reset as outlined in this NETGEAR knowledge base article and then to login with the default password.

Please note that while performing these steps, a malicious web page could potentially issue commands to your router if the router lacks appropriate CSRF protections. To minimize this risk, it is best to avoid surfing while logged into the router.

Firmware Upgrade

The web interface of the NETGEAR router will vary between models and even between firmware revisions so the first thing to note will be whether the web page says at the top ‘NETGEAR genie’ or ‘NETGEAR Smart Wizard’ similar to the screenshots below. Before proceeding with a secure configuration, it is first important to confirm that the router is running the latest available software and update it if not.

If the router uses the ‘NETGEAR genie’ software, use the following steps:

  1. Choose the ‘Advanced’ tab as shown here:
    NETGEAR genie Advanced Tab
  2. Click to expand ‘Administration’ from the navigation buttons on the left side of the page
  3. Choosing ‘Firmware Update’ will show a page similar to this:
    Netgear Genie Firmware Update Screen
  4. Click the ‘Check’ button to check for a new firmware version from the Internet
  5. Follow the onscreen instructions to proceed with the firmware update as needed

If the router uses the ‘Smart Wizard’ software, use the following steps:

  1. Clicking ‘Router Upgrade’ (located under Maintenance in the left navigation panel) should load a page similar to this:
    NETGEAR Smart Wizard Firmware Update
  2. Click the ‘Check’ button to check the Internet for firmware updates
  3. Follow the onscreen instructions to install new firmware as needed

Changing the Administrative Password

Now that we are certain the device has the latest security updates, it is a good idea to change the password if it is still using the default or has not been changed for a while. It is advisable to choose a ‘strong’ password which will not be easily guessed by an intruder or hacking tool.

Google is full of helpful suggestions for choosing a strong password but my preferred password model is to use a memorable quote or favorite song lyrics (complete with spaces and punctuation). I also recommend using a prefix like ‘!!’, ‘@@’, or ‘##’ just to make the password a little more complex without making it too difficult to remember. As with the firmware update process, the procedure will vary depending on the model and installed firmware version.

If the router uses the ‘NETGEAR genie’ software, use the following steps:

  1. Choose the ‘Advanced’ tab as shown here:
    NETGEAR genie Advanced Tab
  2. Click to expand ‘Administration’ from the navigation buttons on the left side of the page
  3. Click ‘Set Password’ to load the password change form similar to the following
    NETGEAR Genie Set Password
  4. Click ‘Apply’ and enter the new password when prompted by your web browser

If the router uses the ‘Smart Wizard’ software, use the following steps:

  1. In the left navigation panel, click ‘Set Password’ which is found under the ‘Maintenance’ heading
  2. Follow the onscreen instructions to change the password
  3. Apply the settings and enter the new password when prompted by your browser.

Configuring LAN Settings to Minimize Risk

At this point, the router software is fully up to date and the administrator password has been changed but there are still other settings which may jeopardize your online safety. A prime example of this is the Internet Protocol (IP) address your computer uses to communicate with the router.

NETGEAR routers use a LAN address which is configured as a factory default. If an attacker can predict or guess this address, it becomes easier for them to exploit weaknesses and gain control of your router through malicious web content. For this reason, VERT recommends changing the LAN address to something which is less likely to be guessed by an attacker. Although you cannot choose just any address, three address ranges have been set aside for private networks (RFC 1918):

  1. 10.0.0.0 – 10.255.255.255
  2. 172.16.0.0 – 172.31.255.255
  3. 192.168.0.0 – 192.168.255.255

So for example, 10.1.2.3, 172.20.10.5, and 192.168.250.12 are all allocated for private use but using something like 8.8.8.8 (Google’s DNS server) could create problems for you. Generally speaking it is also best to avoid using an address ending ‘.0’ or ‘.255’ unless you have a good understanding of subnetting. Addresses commonly used as router defaults include 192.168.0.1, 192.168.1.1, 192.168.2.1, 192.168.11.1, 10.0.1.1, and 10.1.1.1 so picking one of these addresses would somewhat defeat the purpose of this exercise.
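To make the selection rules above concrete, here is an added example (not part of the original article) that checks a candidate LAN address against the three criteria the article gives: it must fall in a private range, it should not end in .0 or .255, and it should not be one of the common factory defaults listed above. The default list and the example address 10.9.8.7 are taken from this article; everything else is an assumption of the example.

```python
import ipaddress
from typing import List

# The three private (RFC 1918) ranges listed in the article.
PRIVATE_RANGES = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# Addresses the article names as common router defaults; using one of
# these defeats the purpose of changing the address.
COMMON_DEFAULTS = {
    "192.168.0.1", "192.168.1.1", "192.168.2.1",
    "192.168.11.1", "10.0.1.1", "10.1.1.1",
}


def check_lan_address(candidate: str) -> List[str]:
    """Return the reasons a candidate is a poor router LAN address.

    An empty list means the address passes every check from the article.
    """
    problems = []
    try:
        addr = ipaddress.ip_address(candidate)
    except ValueError:
        return ["not a valid IP address"]
    if addr.version != 4:
        return ["only IPv4 addresses are considered here"]
    if not any(addr in net for net in PRIVATE_RANGES):
        problems.append("not in a private (RFC 1918) range")
    # addr.packed is the 4 raw bytes; the last one is the final octet.
    if addr.packed[-1] in (0, 255):
        problems.append("ends in .0 or .255 (reserved in a /24 network)")
    if str(addr) in COMMON_DEFAULTS:
        problems.append("is a common factory default")
    return problems


def is_good_lan_address(candidate: str) -> bool:
    """True when the candidate clears all of the article's checks."""
    return not check_lan_address(candidate)


if __name__ == "__main__":
    # 10.9.8.7 is the article's own example; the rest are constructed.
    for ip in ("10.9.8.7", "192.168.0.1", "8.8.8.8", "10.0.0.0"):
        print(ip, check_lan_address(ip) or "ok")
```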

If the router uses the ‘NETGEAR genie’ software, use the following steps:

  1. Choose the ‘Advanced’ tab as before
  2. Expand the ‘Setup’ button
    NETGEAR genie Advanced Setup Menu
  3. Click ‘LAN Setup’
    NETGEAR genie Advanced LAN Setup Form
  4. Enter new values for the IP address numbers (For example, change the 192.168.0.1 to 10.9.8.7)
  5. Write down the new IP address for future reference
  6. Click ‘Apply’ at the top and acknowledge the notification that you have changed the address
  7. Wait while the router reboots and then confirm access with the new address
  8. Check DNS settings
  9. Update DHCP settings
  10. Click ‘Apply’

If the router uses the ‘Smart Wizard’ software, use the following steps:

  1. Choose ‘LAN Setup’ from under the ‘Advanced’ heading (close to the bottom of the navigation bar)
    NETGEAR Smart Wizard LAN Setup
  2. Enter a new address in the ‘LAN TCP/IP Setup’ section
    NETGEAR Smart Wizard IP Change Form
  3. Click ‘Apply’ and wait for the device to reload
  4. Confirm that the router is accessible with its new IP address

Configuring Wireless Security

Many of VERT’s router security recommendations are designed to protect a router from Internet-based threats such as those which successfully compromised 300,000 underprotected routers. It is important however not to overlook the risks from nearby attackers looking to gain access to your home network.

Many routers come configured to use the convenient but insecure WiFi Protected Setup (WPS) protocol. WPS makes it easy to connect to your home network by entering a secret PIN but weaknesses in the system can make it trivial for an attacker to find the correct PIN and gain access to your network. As such VERT recommends that WPS be disabled on all devices.

If the router uses the ‘NETGEAR genie’ software, use the following steps:

  1. Choose ‘Wireless’ from the navigation panel
  2. At the bottom of the wireless settings look for a WPS Settings section
    NETGEAR genie WPS
  3. If this section is found, clear the check-box next to ‘Enable Router’s PIN’
  4. Click the ‘Apply’ button at the top and wait for the device settings to reload

If the router uses the ‘Smart Wizard’ software, use the following steps:

  1. Choose ‘Wireless Settings’ under the ‘Advanced’ heading (Another ‘Wireless Settings’ appears under ‘Setup’)
    Advanced -> Wireless Settings
  2. Scroll to the bottom and locate the ‘WPS Settings’ section
    WPS Settings
  3. Make sure that the ‘Disable Router’s PIN’ box is checked
  4. Click the ‘Apply’ button if the setting has been changed

In addition to disabling WPS, it is important to choose appropriate wireless encryption options. VERT recommends WPA2-PSK with AES using a strong passphrase. It is always possible for an attacker to crack this password but by choosing wisely it is unlikely that an attacker will have the computing power to figure out the passphrase in a reasonable amount of time. An example of a good passphrase is ‘!!!Tripwire St@te 0f Security!!!’ compared to a bad passphrase such as ‘Internet’ which would be cracked instantly.

If the router uses the ‘Genie’ software, use the following steps:

  1. Choose ‘Wireless’ from the ‘Basic’ tab
  2. Scroll down until you find ‘Security Options’
    NETGEAR genie Wireless Security Options
  3. Choose ‘WPA2-PSK (AES)’ and enter your new passphrase
  4. Some routers support multiple networks so update security options for all networks listed
  5. Click ‘Apply’ and wait for the device settings to reload
  6. Wireless devices will need the new passphrase to connect

If the router uses the ‘Smart Wizard’ software, use the following steps:

  1. Choose ‘Wireless Settings’ under the ‘Basic’ heading (Another ‘Wireless Settings’ appears under ‘Advanced’)
  2. Scroll to locate the wireless security section
    NETGEAR Smart Wizard WiFi Security
  3. Choose WPA2-PSK (AES) and enter a strong passphrase
  4. Some models support multiple networks so be sure to scroll through the page and update all networks
  5. Click the ‘Apply’ button and wait for device settings to reload
  6. The new passphrase will be required on all wireless devices

Disable Remote Management

The average user should not need remote management access to their router. NETGEAR routers do not have remote management enabled by default, but it is a good idea to verify the setting: finding it enabled can be an indicator that someone has already attacked your device, in which case you should seek CERT guidance.

If the router uses the ‘Genie’ software, follow these steps:

  1. Choose the ‘Advanced’ tab
  2. Click to expand ‘Advanced Setup’
  3. Click ‘Remote Management’
    NETGEAR Genie Remote Management Option
  4. Verify that the ‘Turn Remote Management On’ option is not set

If the router uses the ‘Smart Wizard’ software, follow these steps:

  1. Choose ‘Remote Management’ under the ‘Advanced’ heading on the navigation panel
    Smart Wizard Remote Management
  2. Verify that the ‘Turn Remote Management On’ option is not set

Don’t Forget To Logout

As I mentioned earlier, a common attack known as CSRF works by crafting a web page which will trick your web browser into changing the settings on your router. If you’ve followed my advice, the risk of a CSRF attack is minimal but after you are done with the router, it is still a good idea to click the ‘Logout’ link and further block this attack vector.

Resources:

Check out Tripwire SecureScan™, a free, cloud-based vulnerability management service for up to 100 Internet Protocol (IP) addresses on internal networks. This new tool makes vulnerability management easily accessible to small and medium-sized businesses that may not have the resources for enterprise-grade security technology.

 

The Executive’s Guide to the Top 20 Critical Security Controls

Tripwire has compiled an e-book, titled The Executive’s Guide to the Top 20 Critical Security Controls: Key Takeaways and Improvement Opportunities, which is available for download [registration form required].

 

Title image courtesy of ShutterStock

  • Matthew

    Thanks for this article. I am with Plusnet broadband and they no longer use the original Netgear router; they use a Technicolour, which is a lot harder to secure the WPS pin on if you are not a computer buff.
    A simple tick in the Netgear router.
    Does the security threat still affect anything you happen to connect, wired or wirelessly, that has a WPS facility built into it, such as a TV box or mobile, but which you do not connect via WPS?

  • Matthew

    Also UPnP: I have switched that off in Netgear after reading similar articles about security.

    Again, if you connect something that has this built in to the router, is it insecure again?
    How do we make them safe? Do smart TVs use UPnP, and can it be disabled? What about HomePlugs too, or is that a different type of UPnP?

  • Wireless&Clueless

    This is a great article. However, when trying to reconfigure the LAN away from the factory defaults, it stops my access to the router.
    Please advise how to get around this. After a factory reboot I cannot see any settings for checking DNS or DHCP.

    Yes, I'm not a technical geek, but I do try.

    I have been navigating the minefield of persistent wireless hackers for about a year in the UK. They have been stealing my bandwidth just like a thief breaking into my home and stealing the food from my fridge. I have no idea of how to stop them and the police and my ISP cannot (do not want to) do anything. This is costing me a fortune.

    I have turned off WPS. I have secured the router through complex 50 character passphrases and the final step is the LAN config. Any ideas would be very much appreciated.

    Many thanks

  • Tony lance

    You can set up your router by plugging your router into the modem and accessing it by typing 192.168.0.1 or 192.168.1.1 in your browser. You would then be able to access your router and change its settings.

    If you are unable to fix this just visit http://www.netgearrouterhelp.com/ and get a certified technician on a single call.

  • I found the WPS settings under Advanced Tab -> Advanced Setup -> Wireless Settings for my R6400. Just in case anyone else is looking.