Virgin Media Fixes Security Flaw in SuperHub 2 and 2AC Backup System

Monday, June 12th, 2017 (11:07 am) - Score 3,221

Cable operator Virgin Media has patched a security flaw in its NETGEAR-based SuperHub 2 (VMDG485) and 2AC (VMDG490) broadband routers. The flaw meant that an attacker could abuse the device's configuration backup routine to gain admin-level access.

The vulnerability was discovered by researchers at Context, and a detailed account of their findings has been posted online (here). Most routers include a backup feature, which allows you to save your custom router configuration / settings to an external file on your computer (useful if your device ever needs a hard reset, or you lose your settings and need to restore them, etc.).

The backup files are encrypted, but unfortunately the encryption key used for this was found to be the same across all SuperHubs in the UK. That makes it easy for anyone with access to the router's admin interface (which already requires being on the hub's own network) to download a config file, add some naughty code (e.g. enable remote access) and then restore the modified file to the hub.
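To make the security-relevant point concrete, here is an added toy illustration in Python (not code from Context's write-up or from the SuperHub firmware): a backup sealed under one fleet-wide key restores on any unit, whereas a per-unit key with an integrity tag rejects both a file sealed on another unit and a file that has been altered. The key names, serial numbers, JSON config and the HMAC-based toy cipher are all assumptions for the example.

```python
import hashlib
import hmac
import json
import os

# Constructed, hypothetical key material: not the real SuperHub key or backup format.
FLEET_KEY = b"constructed-key-baked-into-every-unit"
# Per-unit secrets, standing in for a key provisioned individually at manufacture.
DEVICE_KEYS = {"SERIAL-A": os.urandom(32), "SERIAL-B": os.urandom(32)}


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # Toy counter-mode keystream from HMAC-SHA256 (stand-in for a real cipher).
    blocks = []
    for counter in range(length // 32 + 1):
        blocks.append(hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest())
    return b"".join(blocks)[:length]


def encrypt_backup(key: bytes, config: dict) -> bytes:
    # Encrypt-then-MAC: nonce || ciphertext || HMAC-SHA256 tag over nonce+ciphertext.
    nonce = os.urandom(16)
    pt = json.dumps(config, sort_keys=True).encode()
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()


def restore_backup(key: bytes, blob: bytes):
    # Returns the config dict, or None when the tag does not verify under this key,
    # which covers both an altered file and a file sealed on a different unit.
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        return None
    pt = bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))
    return json.loads(pt.decode())


def shared_key_backup_is_portable() -> bool:
    # The design the article describes: one key in every unit, so any unit
    # (or anyone holding that key) can open and re-seal any backup.
    blob = encrypt_backup(FLEET_KEY, {"remote_admin": False})
    return restore_backup(FLEET_KEY, blob) == {"remote_admin": False}


def per_device_key_rejects_foreign_and_tampered() -> bool:
    # Hardened form: the backup is bound to the unit that produced it.
    key_a, key_b = DEVICE_KEYS["SERIAL-A"], DEVICE_KEYS["SERIAL-B"]
    blob = encrypt_backup(key_a, {"remote_admin": False})
    flipped = blob[:20] + bytes([blob[20] ^ 0x01]) + blob[21:]  # alter one ciphertext byte
    return (restore_backup(key_a, blob) == {"remote_admin": False}
            and restore_backup(key_b, blob) is None
            and restore_backup(key_a, flipped) is None)
```

The per-unit key only helps if it cannot be recovered from another unit's firmware, which is why it is modelled here as a secret provisioned per device rather than derived from a shared constant.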

Context’s Timeline

On discovering these issues, Context reported them to Virgin Media and provided proof-of-concept code. After verifying our findings, Virgin Media worked with us to develop mitigations, which were released as part of their existing firmware patching cycle. We would like to thank Virgin Media for their professionalism and responsiveness in working with Context to fix this issue.

The following shows the main events in the disclosure timeline:

  • 20 Oct 2016: Initial disclosure via http://virginmedia.com/netreport.
  • 20 Oct 2016: VM’s Internet Security Team request further detail which Context provide.
  • 24 Oct 2016: Context and Virgin Media hold conference call to discuss disclosure in detail. Context provide proof-of-concept code.
  • Nov 2016 – Feb 2017: Virgin Media work with Netgear and Context to develop and test patch across both devices.
  • May 2017: Virgin Media roll out patch as part of scheduled firmware update.

A spokesperson for Virgin Media told The Register, “[We’ve] deployed a firmware patch to our SuperHub 2 and 2AC routers that addresses this issue. We take the security of our customers very seriously and experts within our organisation often work with trusted third parties to help keep our customers as secure as possible. We thank Context for their professionalism and co-operation.”

However, we note that some customers haven't received a firmware update for their 2/2AC routers since towards the end of last year, which suggests that they could still be vulnerable.
