
Virgin Media UK SuperHub Leaks User Passwords via WiFi During Reboot

Tuesday, March 11th, 2014 (3:50 pm) - Score 8,733

The NetGear-based SuperHub (VMDG485) broadband routers, which are supplied by cable provider Virgin Media, appear to be suffering from a new security flaw that means your administrative settings web page and WiFi passphrase are left exposed for around 7 seconds when the device reboots.

The flaw, which was spotted by IT consultant Paul Moore, apparently occurs because some bright spark of security genius decided that it would be a clever idea if the router initially launched its wireless networking component (during a reboot) without first engaging encryption (the encryption is only enabled after a few seconds).

In other words, for a very brief period, a savvy hacker could potentially record your WiFi password while it is being sent over the network during the initial restart. However, the hacker would naturally need to be within range of the wireless network to do this and, unless they’re very patient, they’d also need to artificially force the router to reboot (Mr Moore has also demonstrated how to do this).

A VM Forum Support Team Member said (here):

“As mentioned earlier on in this thread, the security of our services is of the highest importance and we are working with Netgear to develop and test a software update which will initialise encryption immediately from reboot and this is close to being issued.

We encourage all our customers to change their default passwords when they are installed, if anyone is unsure whether they have made this change, instructions on our website provide an easy guide on how this can be done at any time on our help pages at http://virg.in/sh2pass

If customers are concerned, then we would recommend that after changing the default password, they should also change the WiFi passphrase for additional security.

To confirm, the issue only relates to the Netgear VMDG485 device (SuperHub2) and, although we agree with the person who identified it that this is highly unlikely to happen, we have thanked them for bringing this to our attention.”

So the good news is that changing the default password, which is something that Virgin and other ISPs recommend you do anyway, is a good temporary fix for the problem. Credit to The Register for spotting this issue, which can be added to the growing list of router-related security blunders that seem to be cropping up in 2014.
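To check whether your own router shows the reboot behaviour described above, or whether a firmware update has removed it, you can log what a WiFi scanner sees while the router restarts and measure how long the network was advertised without encryption. The following is an added example, not code from the article or from Mr Moore; the CSV layout, the sample rows, the BSSIDs and the function names are all constructed assumptions rather than the export format of any particular scanner.

```python
import csv
import io

# Constructed sample log (not real capture data). Columns: seconds since the
# start of the test, BSSID, SSID, advertised security mode.
SAMPLE_SCAN_LOG = """\
t,bssid,ssid,security
0.0,02:00:00:00:00:01,ExampleHub,WPA2
1.0,02:00:00:00:00:02,CafeGuest,OPEN
2.0,02:00:00:00:00:01,ExampleHub,WPA2
40.0,02:00:00:00:00:01,ExampleHub,OPEN
42.0,02:00:00:00:00:01,ExampleHub,OPEN
44.0,02:00:00:00:00:01,ExampleHub,OPEN
46.0,02:00:00:00:00:01,ExampleHub,OPEN
47.0,02:00:00:00:00:01,ExampleHub,WPA2
48.0,02:00:00:00:00:01,ExampleHub,WPA2
"""


def open_windows(log_text, bssid, max_gap=5.0):
    """Return (start, end, re_secured) spans where `bssid` advertised no encryption."""
    rows = [r for r in csv.DictReader(io.StringIO(log_text))
            if r["bssid"].lower() == bssid.lower()]
    rows.sort(key=lambda r: float(r["t"]))
    windows, start, last = [], None, None
    for row in rows:
        t = float(row["t"])
        is_open = row["security"].strip().upper() == "OPEN"
        # The AP went silent while open (e.g. powered off): end the span at
        # the last sighting instead of stretching it across the gap.
        if start is not None and t - last > max_gap:
            windows.append((start, last, False))
            start = None
        if is_open and start is None:
            start = t
        elif not is_open and start is not None:
            # First encrypted sighting: an upper bound on the exposure.
            windows.append((start, t, True))
            start = None
        last = t
    if start is not None:  # log ended while the network was still open
        windows.append((start, last, False))
    return windows


def exposure_seconds(windows):
    """Total time (upper bound) the network was seen without encryption."""
    return sum(end - start for start, end, _ in windows)


if __name__ == "__main__":
    spans = open_windows(SAMPLE_SCAN_LOG, "02:00:00:00:00:01")
    print(spans, exposure_seconds(spans))
```

An empty result for your router's BSSID across several reboots indicates that encryption is active from the first beacon; any span with `re_secured` set to `False` means the log ended or the router went silent before encryption was seen again.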

By Mark Jackson
Mark is a professional technology writer, IT consultant and computer engineer from Dorset (England), he also founded ISPreview in 1999 and enjoys analysing the latest telecoms and broadband developments. Find me on Twitter, Facebook and Linkedin.
7 Responses
  1. DanielM says:

    Am surprised it took so long for anyone to investigate or even report this; the SuperHub has had the same problem since beta of the device.

  2. Raindrops says:

    Hardly an issue at all; I suspect many routers do this.

    1. Rupees Burdoch says:

      Just because other routers do it doesn’t make this “hardly an issue at all”. It’s a huge security flaw and probably not difficult to exploit.

    2. Raindrops says:

      It is not a huge security flaw, Older BT home hubs do the same thing, so do most netgears, and probably any router that when you initially power on or reset it briefly has its wireless light come on then go off then come on again.

      The only security flaw is the human and if they are the type of stupid that leaves every user/pass/ssid as the default.

  3. Guest says:

    Over the past few weeks, it looks like EVERY router company has had an exploit published – it’s not just the ones mentioned here.

  4. Guest says:

    Over the past few weeks, it looks like EVERY router company has had an exploit published – I think many all come from some big factory in China and have the brand stuck on at the end :-). Anyway, it’s not just the ones mentioned here so even if you are not using the ones listed, you should be wary and use latest firmware etc.

  5. George says:

    This happens with a whole bunch of routers. D-Links, Netgears, Virgins, BTs, TP-Link; I've even seen it on an old Billion. Easily tested by just running something like inSSIDer and powering on off/reset of your router and watching what happens.

    Not really a news story

Copyright © 1999 to Present - ISPreview.co.uk - All Rights Reserved - Terms , Privacy and Cookie Policy , Links , Website Rules , Contact