As I wrote recently, Netgear introduced a severe bug into their router firmware around seven months ago, making all newer firmware releases since then unusable for many router owners. In the intervening time, numerous severe security holes in their routers have been publicized and patched by them. However, those of us who are running into the seven-month-old bug can’t upgrade to the security-patched firmware versions without making our routers unusable. We’re therefore forced to choose between an insecure router that works and a (less in)secure router that doesn’t.
Netgear continues to sell the routers with the defective firmware, without informing purchasers about the problem.
After waiting patiently for seven months for Netgear to fix this problem, I’ve finally had enough. I just sent the following letter to Netgear’s CEO:
May 28, 2018
Patrick Lo, CEO
350 East Plumeria Drive
San Jose, CA 95134
via Certified Mail
Dear Mr. Lo,
This letter constitutes a “Chapter 93A demand letter” under Massachusetts law.
The firmware for your company’s “R8000P – Nighthawk X6S AC4000 Tri Band WiFi Router” has been broken since you released version 18.104.22.168 on or about November 2, 2017. Starting with that release, I and many other owners of this router have found that the router needs to be rebooted every 1‑3 days, because network connectivity through the router stops functioning completely or becomes so slow that it is unusable.
Downgrading the router to firmware release 22.214.171.124 restores proper networking functionality. However, there are many known security holes in the 126.96.36.199 firmware, whose details have been published and which can therefore be leveraged by hackers to compromise the routers, so owners of R8000P routers are forced to choose between a dangerously insecure router whose networking works properly, or a router with security fixes which needs to be rebooted every 1‑3 days.
Netgear’s failure to release safe firmware that works properly for nearly seven months is grossly negligent, and is therefore an unfair and deceptive practice under Massachusetts law Chapter 93A. An even more egregious Chapter 93A violation is the fact that Netgear continues to sell R8000P routers without disclosing this known defect to purchasers.
I and many other Netgear customers have waited patiently for seven months while you have failed to solve this problem. You cannot claim to have been unaware of it. See, for example (not a complete list):
Furthermore, I contacted Netgear about this via your Facebook page and received this response on February 14: “Thank you for bringing this to our attention. Our engineering team is currently investigating this issue. The fix will likely be implemented in a future release.”
I also notified you about this issue via Twitter on February 7 (https://twitter.com/jikamens/status/961224353118588929). Since I see on your Twitter feed that you read and reply to tweets tagged with “@NETGEAR”, you cannot claim not to have seen my tweet.
My demand for rectifying these willful violations of Massachusetts law is simple: release a new version of the firmware for this router which fully fixes the issue described above within 30 days of receipt of this letter. If you are unable to do that, then my demands are, instead, as follows:
- Buy back my R8000P router for the full cost I paid for it, which is $326.73 including tax and shipping.
- Send me a shipping label to return the defective router to you at your expense.
- Contact all registered owners of this router in Massachusetts (i.e., under the jurisdiction of Chapter 93A) and offer to buy back the router and pay for the return shipping of any owner who is experiencing this problem, has proof of purchase, and wants to be rid of the router.
- Until such time as a fixed firmware version is released for this router, allow all R8000P owners in Massachusetts who choose not to take advantage of the buy-back program to access Netgear’s technical support at no charge.
These demands are entirely reasonable and proportionate to the harm caused by failing to address a material defect in your product and continuing to sell it despite said defect.
Please be advised of my intent to file suit against Netgear if these demands are not met. In my suit, I will ask for treble damages and legal fees as permitted by Chapter 93A. I will, furthermore, ask the court to certify my suit as a class action representing all Massachusetts owners of R8000P routers, again as permitted by Chapter 93A.
Please consider this letter a demand that Netgear preserve all evidence related to its knowledge of and attempts to address this firmware defect, including (but not limited to) any discussion threads in the Netgear Community about this problem with the R8000P and other Netgear routers. Note that I have preserved the Netgear Community articles listed above in the Internet Archive’s “Wayback Machine,” and I have saved a copy of the KnowledgeBase article listed above. One might imagine that if those pages were to suddenly disappear, that might be interpreted by the court as an attempt by Netgear to conceal its culpability in this matter.
I am under the impression that the firmware may be similarly broken for other Netgear routers, but as I only have first-hand experience with, and have been personally damaged by, the broken R8000P firmware, I am including only that router in the scope of this complaint. However, I reserve the right to expand its scope if I am able to obtain reliable information that other Netgear routers are also suffering from the problem described in this letter.
I look forward to your prompt, constructive reply.