Through service workers, scripts that browsers run as background processes, Saleem Rashid reckons he can exploit Netgear routers to successfully compromise admin panel credentials.
The beauty – or evil genius, depending on your point of view – of Rashid's attack is that once downloaded, the malicious service worker can persist indefinitely. Or, at least, until the target clears their browser history.
By loading a malicious service worker for the domain routerlogin.com – the default admin panel address for Netgear consumer routers – Rashid said it is possible for a bad actor to capture and read the login credentials by executing a classic man-in-the-middle attack.
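The persistence Rashid describes is a property of the service worker lifecycle: a registration is stored per origin and survives tab closes, reboots and network changes until it is unregistered or site data is cleared. The snippet below is an added defensive example, not code from the article or from Rashid's proof-of-concept package. It lists the registrations the browser holds for the router admin origin and removes them; the selection logic is kept in plain functions so it can be checked outside a browser. The `www.routerlogin.com` hostname and the sample registration list are assumptions constructed for illustration.

```javascript
// Added example (defender-side cleanup), not part of the original article.
// Hostnames to watch. routerlogin.com is from the article; the www variant
// is an assumption added for illustration.
const ROUTER_ADMIN_HOSTS = ["routerlogin.com", "www.routerlogin.com"];

// Extract the hostname from a registration scope URL; null if unparseable.
function scopeHostname(scope) {
  try {
    return new URL(scope).hostname.toLowerCase();
  } catch {
    return null;
  }
}

// Return the registrations whose scope belongs to one of the watched hosts.
// `registrations` is an array of objects with a `scope` string, the shape
// of ServiceWorkerRegistration returned by getRegistrations().
function findRouterRegistrations(registrations, hosts = ROUTER_ADMIN_HOSTS) {
  const watched = new Set(hosts.map((h) => h.toLowerCase()));
  return registrations.filter((reg) => {
    const host = scopeHostname(reg.scope);
    return host !== null && watched.has(host);
  });
}

// Describe what a registration can intercept: a scope path of "/" means
// every request to the origin, including the admin login page.
function describeRegistration(reg) {
  const url = new URL(reg.scope);
  const covers = url.pathname === "/" ? "entire origin" : `paths under ${url.pathname}`;
  return `${url.origin}: worker covers ${covers}`;
}

// Browser entry point: run from the DevTools console while on the router
// admin origin, since getRegistrations() only reports the current origin.
// Resolves to the number of registrations removed; 0 outside a browser.
async function removeRouterServiceWorkers(hosts = ROUTER_ADMIN_HOSTS) {
  if (typeof navigator === "undefined" || !navigator.serviceWorker) {
    return 0; // no service worker API available (e.g. running under Node)
  }
  const regs = await navigator.serviceWorker.getRegistrations();
  const suspect = findRouterRegistrations(regs, hosts);
  for (const reg of suspect) {
    console.log("Unregistering", describeRegistration(reg));
    await reg.unregister();
  }
  return suspect.length;
}

// Constructed sample of what getRegistrations() might return: one worker
// scoped to the router admin origin and one unrelated registration.
const SAMPLE_REGISTRATIONS = [
  { scope: "https://routerlogin.com/" },
  { scope: "https://example.org/app/" },
];

for (const reg of findRouterRegistrations(SAMPLE_REGISTRATIONS)) {
  console.log("Found:", describeRegistration(reg));
}
```

Unregistering only takes effect for the origin the page is currently on, so the check has to be run from routerlogin.com itself (or via the browser's site-data settings); clearing all site data for that origin has the same effect without running any script.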
As we reported in January, Netgear was bundling valid, signed TLS certificates, along with their private keys, in firmware that anyone could freely download. Working on the basis that routerlogin.com is easier to communicate to non-techie users than an IP address on the local subnet, Netgear shipped HTTPS certificates in its firmware so customers didn't get scared off by the error messages and warnings thrown up by browsers that, unable to reach the internet, couldn't authenticate the HTTPS connection to routerlogin.com.
Rashid described his findings in a blog post along with a downloadable proof-of-concept package.
"Even if the user were using DNS-over-TLS or DNS-over-HTTPS, the malicious Wi-Fi network could intercept packets to the IP address behind routerlogin.com and perform the same attack," he posted.
Jake Moore of infosec biz ESET mused that the probability of this being a viable attack in the wild was low but still a cause for concern, telling The Register: "Scammers exploit wherever they can so manufacturers need to do their utmost to help protect their users with best practice in place. Few people play around with the settings after the initial set-up so it's best to reduce the entry points altogether to reduce the risk of attack."
Netgear did not answer when The Register called for comment. ®
Updated at 12:14 on 13 February to add
In an emailed update to El Reg Rashid said:
The user only enters the password when they, at some indeterminate point in the future, connect to their home network and deliberately visit routerlogin.com for whatever reason (e.g. to change some router settings). By this point, you've installed the Service Worker and can obtain their password and change router settings — despite the fact they're connected to their secure home network. This is because the Service Worker persists even once they disconnect from your network.
Updated at 11:30 on 19 February to add
Netgear eventually sent through this statement: "We see zero risk to our customers. This proof of concept is in reference to a TLS Certificate disclosure that had already been addressed with a HotFix as well as the revoking of the HTTPS certificate, which means there is no viable case for an exploit."