Netgear Orbi: A security vulnerability by any other name

WiFi dead zones around the home are a source of frustration for many, and after reading about mesh technologies, and researching solutions (including Eero, Linksys Velop, and Netgear Orbi), I decided to take a stab at fixing that frustration in my own home with a three-unit Orbi set-up. In retrospect, I probably wouldn’t have chosen the Orbi had I realized that it has what I’d argue to be a security vulnerability.

The Orbi won out over its competitors in large part due to its support for OpenVPN (an open source VPN technology), and the ability to VPN into and securely access my home network remotely. I overlooked the fact that the Orbi is not true mesh, and I overlooked the fact that Orbi has no support for wired backhaul (Update: Since this article was written, Netgear added wired backhaul support, then later broke it.) — two things that were originally on my requirements list. Why? OpenVPN support. Why do you need a VPN? You may not, and if you don’t, then this post and the issues I raise will not apply to you. But the reasons I do need and want a VPN are straightforward:

  • Oops, I forgot a file. I travel regularly, and I choose not to store certain types of files in the cloud (in, say, Dropbox, or OneDrive). Cloud storage is great for many things, but I don’t find it an appropriate choice for all types of file storage, due to security issues, file size, file type, and other factors. When I need one of those files when I’m not at home, a VPN connection back into my home network is the only way to retrieve or work with those files.
  • A family member needs an assist — or I need to do something on a home computer. Remote Desktop, the ability to see the screen of, and remotely control the keyboard and mouse of a computer from afar, is something I’ve come to depend on. If a family member needs support, I can use Remote Desktop to actually show them how to do something, rather than describe it. And I often need to access one of my own home computers from the road to do something. Remote Desktop only works if you’re on the local network that the target computer is on, and again, a VPN connection is really the only way to do that (securely anyway) from the road.

With these needs in mind, I chose the Orbi. The problem? Netgear’s implementation of OpenVPN leaves a security hole that I would consider relatively problematic, big enough that it’s a show-stopper, and has caused me to disable OpenVPN on my Orbi, and even to reconsider my choice of WiFi solution.

So what’s the deal? There’s no authentication of any kind. When you enable OpenVPN on the Netgear Orbi, you can then download a configuration file for your desktop computer, tablet or smartphone. (See the featured image; it’s a screenshot of the Orbi config screen for the VPN.) That configuration file is then used to set up the OpenVPN client on the devices you want to use to connect back to your home network. Making that connection is as simple as a single click or touch, and therein lies the problem — there are no user accounts, and there is no single-factor authentication of any kind, let alone a preferred two-factor. What this means is that whoever has access to a configured device or the configuration file has access to your home network. Lose a computer or phone? Or have it stolen? Leave it sitting someplace unlocked? Whoever has that device potentially also has network access to your home, and anyone who has that configuration file — at rest, or in flight — definitely does. No enterprise that takes network security seriously would permit remote network access like this, and neither should you for your home network.

Now, admittedly, those with an iOS device configured in this way probably don’t have much to worry about; if an iOS device is lost or stolen, getting into the device itself is not easy stuff; breaking into a locked Windows or Mac computer is difficult but easier.

Probably the greater concern is access to the configuration file; to get that file where it needs to go, either to your iOS or Android device, or to a computer, means sending it via e-mail, text message, or perhaps putting it on a USB key. Again, whoever has or could have access to that file can use it to access your home network with ease.

All of that aside, the still-bigger issue here is that there’s no way to cut off a device; once it’s configured, that’s it. There’s no way to remotely “undo” it, or prohibit a previously configured device from using the VPN connection back to the Orbi. Once it’s configured, a lost or stolen device, or anyone with the configuration file, can use it to access your home network anytime, anywhere, unless your dynamic DNS name changes, and/or your static IP address changes (depending on your situation).
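The two problems above (a profile that is the whole credential, and no way to revoke a device) can be spotted by reading the exported `.ovpn` file itself. The following is an added example, not Netgear code and not part of the original post: a small auditor that parses an OpenVPN client profile and flags a bundled private key, the absence of `auth-user-pass` (no per-user credential on top of the certificate), and the absence of a `tls-auth`/`tls-crypt` control-channel key. The sample profile is constructed to resemble a router-exported, certificate-only profile; the hostname and port in it are placeholders. Revocation (`crl-verify`, per-device certificates) lives on the server side and cannot be seen from the client file, so the auditor reports only what the profile reveals.

```python
"""Audit an OpenVPN client profile (.ovpn) for 'possession equals access' weaknesses.

Added example (not Netgear's code). SAMPLE_PROFILE is a constructed stand-in for a
router-exported profile: one shared client cert/key bundled inline, no user credential,
no TLS control-channel key. Hostname and port are placeholders.
"""
import re

SAMPLE_PROFILE = """\
client
dev tun
proto udp
remote example-home.ddns.invalid 12974
resolv-retry infinite
nobind
persist-key
persist-tun
cipher AES-128-CBC
<ca>
-----BEGIN CERTIFICATE-----
(constructed placeholder, not a real certificate)
-----END CERTIFICATE-----
</ca>
<cert>
(constructed placeholder)
</cert>
<key>
-----BEGIN PRIVATE KEY-----
(constructed placeholder, not a real key)
-----END PRIVATE KEY-----
</key>
"""

# Inline blocks look like <ca>...</ca>, <key>...</key>, <tls-crypt>...</tls-crypt>.
INLINE_BLOCK = re.compile(r"<(\w[\w-]*)>.*?</\1>", re.S)

# Why each finding matters, in the terms used in the post above.
REMEDIATION = {
    "embedded-private-key": "the file alone is the credential; protect it in transit "
                            "and at rest, and issue one key per device so one can be revoked",
    "no-user-credentials": "add auth-user-pass (a username/password or OTP check on the "
                           "server) so a stolen device or file is not enough by itself",
    "no-tls-control-channel-key": "add tls-auth or tls-crypt so unauthenticated peers "
                                  "cannot even start a TLS handshake with the server",
}


def parse_profile(text):
    """Split a profile into (directives, inline_block_names).

    directives maps a directive name to the list of argument lists seen for it;
    inline_block_names is the set of <tag> blocks present (ca, cert, key, ...).
    """
    blocks = {m.group(1) for m in INLINE_BLOCK.finditer(text)}
    stripped = INLINE_BLOCK.sub("", text)
    directives = {}
    for raw in stripped.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):  # OpenVPN comment syntax
            continue
        name, *args = line.split()
        directives.setdefault(name, []).append(args)
    return directives, blocks


def audit_profile(text):
    """Return a stable, ordered list of finding codes for the given profile text."""
    directives, blocks = parse_profile(text)
    present = set(directives) | blocks
    findings = []
    # A private key either inline (<key>) or referenced by path ("key client.key").
    if "key" in present:
        findings.append("embedded-private-key")
    # Without auth-user-pass the certificate is the only factor.
    if "auth-user-pass" not in directives:
        findings.append("no-user-credentials")
    # tls-auth / tls-crypt gate the handshake itself behind a pre-shared key.
    if not ({"tls-auth", "tls-crypt", "tls-crypt-v2"} & present):
        findings.append("no-tls-control-channel-key")
    return findings


def report(text):
    """Human-readable summary of audit_profile() for a profile."""
    lines = [f"{code}: {REMEDIATION[code]}" for code in audit_profile(text)]
    return "\n".join(lines) if lines else "no findings"


if __name__ == "__main__":
    print(report(SAMPLE_PROFILE))
```

Running the auditor on the constructed profile reports all three findings; adding `auth-user-pass` and a `tls-crypt` line to the same profile clears the two that the client side can fix, leaving only the bundled key, which is exactly the per-device revocation problem the server must handle.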

The entire purpose of a VPN is network security; that’s the reason the technology even exists to begin with. For Netgear to take a perfectly serviceable and secure VPN technology (OpenVPN), and implement it in a way that is inherently insecure, boggles my mind. In short, Netgear Orbi’s VPN support gives a false sense of network security, and until or unless Netgear adds some sort of authentication support to the equation, I don’t think anyone in their right mind should actually consider enabling it.

If that wasn’t bad enough, there’s a worse problem here in my view: If Netgear can be so careless in the implementation of security in this area, what reason do I even have to trust that the Orbi doesn’t have other equally weak areas of security? Network security is a mindset — not a series of checkboxes. And what I feel is a shortsighted implementation of OpenVPN in the Orbi seems like evidence enough to me that Netgear doesn’t take the subject as seriously as it arguably should.

Here’s to hoping that Netgear makes some revisions in a future firmware update to the Orbi. In the meantime, VPN support will remain disabled while I ponder whether the Orbi kit I purchased (roughly $500 from Costco.com) will be returned to Costco in favor of a solution that I feel I can trust.