Virgin Media Fixes Security Flaw in SuperHub 2 and 2AC Backup System

Cable operator Virgin Media has patched a security flaw in their NETGEAR based SuperHub 2 (VMDG485) and 2AC (VMDG490) broadband routers, which meant that a hacker could abuse a file backup routine for the device’s configuration and use it to gain admin level access.

The vulnerability was discovered by researchers at Context and a detailed account of what they found has been posted online (here). Most routers include a backup feature, which allows you to save your custom router configuration / settings to an external file on your computer (useful if your device ever needs a hard-reset or you lose your settings and need to restore them etc.).

The backup files are encrypted but unfortunately the private key that is used for this was found to be the same across all SuperHubs in the UK, which makes it easy for a hacker with access to the router’s admin interface (granted you’d already have to be on their network) to download a config file, add some naughty code (e.g. enable remote access) and then restore the file back to the hub.

Context’s Timeline

On discovering these issues, Context reported them to Virgin Media and provided proof-of-concept code. After verifying our findings, Virgin Media worked with us to develop mitigations which were released as part of their existing firmware patching cycle. We would like thank Virgin Media for their professionalism and responsiveness in working with Context to fix this issue.

The following shows the main events in the disclosure timeline:

• 20 Oct 2016: Initial disclosure via http://virginmedia.com/netreport .
• 20 Oct 2016: VM’s Internet Security Team request further detail which Context provide.
• 24 Oct 2016: Context and Virgin Media hold conference call to discuss disclosure in detail. Context provide proof-of-concept code.
• Nov 2016 – Feb 2017: Virgin Media work with Netgear and Context to develop and test patch across both devices.
• May 2017: Virgin Media roll out patch as part of scheduled firmware update.

A spokesperson for Virgin Media told The Register, “[We’ve] deployed a firmware patch to our SuperHub 2 and 2AC routers that addresses this issue. We take the security of our customers very seriously and experts within our organisation often work with trusted third parties to help keep our customers as secure as possible. We thank Context for their professionalism and co-operation.”

However we note that some customers haven’t received a firmware update for their 2/2AC routers since towards the end of last year, which suggests that they could still be vulnerable.