Home
 » ISP News » 
Sponsored

Virgin Media O2 UK Still Suffers Router Bug that Exposes VPN IPs

Saturday, September 18th, 2021 (12:01 am) - Score 19,992
virgin media superhub 3 router

Broadband ISP Virgin Media UK (VMO2) has confirmed to ISPreview.co.uk that they’ve yet to fix a long-running security issue in their HUB 3.0 routers (ARRIS TG2492), which among other things could be used to “silently unmask” the actual, ISP issued, IP address of Virtual Private Network (VPN) users.

A Virtual Private Network (VPN) operates a bit like a network within a network. Such services essentially sit in their own secure and encrypted layer on top of your main internet connection, which routes your traffic over the VPNs own servers and assigns you a different Internet Protocol (IP) address from your ISP.

Suffice to say, VPNs add some extra security to your internet connection, which is especially useful (we’d say essential) when remote working or travelling on holiday (it’s wise to never trust public WiFi or Hotel connections etc.). But at the same time, this does mean putting a lot of trust in the VPN provider itself.

In any case, the one thing that a VPN user really wouldn’t like is for their real – ISP assigned – IP address to be exposed, which appears to be exactly what the aforementioned exploit in Virgin Media’s widely used HUB 3.0 router would allow.

NOTE: This vulnerability was assigned a candidate code of CVE-2019-16651, but the page for that has yet to disclose the details.

The vulnerability was first discovered by security researchers at Fidus back in October 2019, which was acknowledged by Virgin Media two days later. But in February 2020 the operator requested that Fidus hold back on public disclosure until Q1 2021 and the group agreed. Since then, Fidus has, on several occasions, attempted to secure an update from VM, but none was forthcoming. Details on the issue were then published in March 2021.

Fidus’ Description of CVE-2019-16651

Fidus’ R&D team identified a vulnerability within Virgin Media Super Hub 3 routers that permitted for exfiltration of sensitive information remotely, which, among other things, can be used to determine the actual, ISP issued IP address of VPN users. A vulnerability we were asked to hold back from releasing for a whole year.

A DNS rebinding attack is utilised to reveal a user’s actual IP address by simply visiting a webpage for a few seconds. This has been made graphical for Proof of Concept purposes, but it is important to note this can be silently executed. During our testing, it was possible to unmask the true IP address of users across multiple popular VPN providers – resulting in complete deanonymisation.

The underlying model of router (ARRIS TG2492) and related models are a series of DOCSIS fibre routers known to be used by multiple ISPs around the world, many of which are owned by Liberty Global, who also owns Virgin Media.

In short, such an attack, which involves some DNS rebinding (i.e. manipulating the resolution of domain names), only takes a matter of seconds and a user’s actual underlying IP address can thus be unmasked by doing something as simple as visiting a URL (website / web page). But constructing that attack does take a bit more effort, and it’s unclear if anybody is actively deploying it.

We note how the exploit that Fidus found worked with some VPN providers, but not all. For example, a VPN provider that blocks access to local IP addresses by default will prevent this attack, but many such providers do not do that.

Needless to say, Virgin Media’s seeming inability to respond to Fidus’ requests for an update on their progress toward a resolution led us, following a prompt from one of our readers (credits to Wayne), to chase the operator up. Sadly, they haven’t fixed it yet, which probably explains their earlier silence.

A Virgin Media spokesperson told ISPreview.co.uk:

“We are aware of a highly technical issue which, in very particular circumstances, could impact customers using a VPN while accessing a malicious website. A very specific set of circumstances would need to be in place for a customer to be impacted, meaning that the risk to them is very low.

We have strong security measures in place to protect our network and keep our customers secure. We are not aware of any customers being affected by this issue and they do not need to take any action.”

The fact that a patch has yet to be produced for the HUB 3.0 suggests that it may still be impacting other cable operators that supply the same device from ARRIS. But in Virgin Media’s mind, only a small portion of their base actually use a VPN (small is a relative term when you have 5.5 million+ customers), although that will be little consolation to those who do.

The severity of all this does perhaps depend, at least in part, on how you view the exposure of an ISP supplied IP address in general. Customers who use the internet on a general day-to-day basis will, as a matter of course, be exposing their IP address when visiting any website. But obviously, if one of your expectations when using a VPN is not to expose your ISP assigned IP address, then this may be a much bigger issue.

Arguably the bigger concern here is the passage of time and how the issue, despite being reported two whole years ago, still hasn’t been fixed. Virgin Media did inform us that they were working on a technical fix, which could be implemented while avoiding disruption for all of their customers. But there’s no indication of how much longer that will take before it’s deployed.

Share with Twitter
Share with Linkedin
Share with Facebook
Share with Reddit
Share with Pinterest
By Mark Jackson
Mark is a professional technology writer, IT consultant and computer engineer from Dorset (England), he also founded ISPreview in 1999 and enjoys analysing the latest telecoms and broadband developments. Find me on Twitter, , Facebook and Linkedin.
Leave a Comment
37 Responses
  1. Connor says:

    Is there a POC for this issue? I’m interested to see if it also affects the Hub 4.

    1. Finneas McClintock says:

      Here: https://fidusinfosec.com/silently-unmasking-virgin-media-vpn-users-in-seconds-cve-2019-16651/

      I tried it and for me (Hub 3) you just get a completely zeroed field back, so I’m curious to know if its still an issue.

  2. Anonymous says:

    Do you know what vpns that block your IP address by default that are not vulnerable to this issue are as I am with Virgin Media and it is the Superhub 3 I use and I use a VPN also and I’m concerned about this issue security vulnerability

    1. Charlie says:

      Would this bug work on VPNs that have kill switches? Mine won’t let me connect, ping, browse or anything without the VPN being active.

    2. Tom says:

      Can you still access your routers web interface when on the VPN? IF so.. this problem will exist still.

    3. Charlie says:

      Tom, on my VPN that’s optional.

      There is an option for me that says “Invisible to devices” “Make your device invisible to other devices, and vice versa, on your LAN”. When I turn that option on, I cannot see or connect to anything on my home net, not my NAS, not my CCTV cameras .. nothing. If I try to go to the VM router page, chrome says “Your Internet access is blocked Firewall or antivirus software may have blocked the connection. ERR_NETWORK_ACCESS_DENIED”.

  3. anon says:

    can virgin media just let you dump their crappy routers without having to use modem mode

    1. John says:

      No, but the issue isn’t present in modem mode when using another router.

    2. Gary says:

      @John

      Thanks for the info! I didn’t think it would.

  4. Daniel says:

    Virgin won’t allow you to use your own modem so my purchase of a Netgear CM600 has been a waste of time. Shame, because abroad in the US, it’s fairly common for ISPs to activate subscribers’ own modems for them to use.

    1. Roger_Gooner says:

      No ISP voluntarily allows customers to use their own modems. US ISPs are obligated to allow customers to use their own modems by an FCC regulation.
      Ҥ 76.1201 Rights of subscribers to use or attach navigation devices.

      No multichannel video programming distributor shall prevent the connection or use of navigation devices to or with its multichannel video programming system, except in those circumstances where electronic or physical harm would be caused by the attachment or operation of such devices or such devices may be used to assist or are intended or designed to assist in the unauthorized receipt of service.”

    2. Iain says:

      Which is, alas, a clear violation of net neutrality rules.

  5. Chris Sayers says:

    I do wonder if VM do deep inspection of your data, hence no fix, I’m glad we have moved to FTTP, that’s not to say OR are doing the same, but if you’re running hardware that cannot easily be swapped then a provider has greater control and possibly snooping, just saying.

    1. JitteryPinger says:

      Last I heard was that Virgin do deep inspection of data on their network.

    2. Charlie says:

      how does that work on TLS connections? unless VM implements a man-in-the-middle attack on it’s users how can they see inside the traffic? Genuine question i’m not an expert, would they only see welp yep the user is doing TLS to this IP ? or will they somehow be able to see actual traffic unencrypted?

    3. Winston Smith says:

      There was an article from 2009 about VM trialling deep packet inspection:

      https://www.ispreview.co.uk/story/2009/11/26/virgin-media-uk-trial-deep-packet-inspection-to-track-illegal-file-sharing.html

      Did VM actually use this or any similar technology?

      If you use proper DNS encryption it would prevent any man-in-the-middle inspection of encrypted packets.

  6. Anon says:

    VM and fixing software bugs, name a more iconic duo. How’s that fix for SH3 bug that affects 6in4 tunnel speeds coming along? Any day now, right?

  7. Steve says:

    Is the issue dependant upon which mode the router is in? I run it in modem only mode with my own firewall behind the VM device.

    1. Felis corvus says:

      Have the modem mode and your own router with the capacity to install VPN 24 hours a day, or failures.

  8. Christopher says:

    The Hub 3 is a terrible price of hardware. I honestly wouldn’t be surprised if the answer was that it can’t be fixed.

    On a related point; Everyone I know who has a Hub 3 complains about how crappy their internet connection is. I will tell anyone who’ll listen, to get a separate router and put the Hub 3 into modem mode. It’s not a perfect solution, but sorts 99% of the problems.

  9. Sean says:

    Hub 3 is only any good in modem mode with your own router. I’ve never used VM any other way.

  10. dark jaguar says:

    Is it a bug though? 😉

  11. Dark Jaguar says:

    Oh and the hub 4 is not any better than hub 3, pretty much the reason why I shifted to Vodafone with cityfibre installation, day and night difference.

    1. Laurence 'GreenReaper' Parry says:

      It is faster, 2Ghz Vs 1.2Ghz, and 1GB RAM Vs 256MB, IIRC. And you can feel that at times. Support for DOCSIS 3.1 will also be significant for some users, and for better support of all.

      But the software isn’t noticeably better beyond the liability to change the light ring; and the Wi-Fi, despite having more channels, isn’t better in terms of reach, which is why I have an old BT Smart Hub linked up as a WAP via Ethernet and powerline wireless.

  12. Mr Anonymous says:

    The deals that Virgin Media had with ARRIS are now contracts with Commscope, due to the sale of ARRIS.

    All this means is that there are likely no engineers left from ARRIS working on Virgin Media due to the buyout and subsequent reform.

  13. Robo says:

    I’m glad to have moved away from virgin media and their crappy, bug ridden “super hub”. Virgin media barely ever fix any problems with the device

  14. Mark says:

    When I had VM installed years ago the first thing I did was turn on modem mode while the installer was still present, I have never once used the built in router and instead went directly to pfsense, I now have it connected to a full TP-Link OMADA setup and it’s always been flawless, saying that as soon as cityfibre goes live in my area VM is getting the call to say I’m leaving.

  15. Sam P says:

    It’s not a bug. It’s a feature.

    Seriously though, don’t use Virgin Media.

    1. Charlie says:

      little other choice for me. I live in an area that has 60mbit DSL or 1Gig VM. Which would you choose? House of 5, all into streaming stuff and games. If openreach would fit FTTP, i’d buy it. But were are one of the failed gfast areas that openreach has decided to let suffer (FTTP is available here, but not in the areas that gfast is. Yet apparently this is BS according to some ISPReviewers. Despite the fact you can go to the BT broadband checker and verify it yourself)

      Can you tell I’m not happy about it?

  16. David says:

    Does this happen also when using the Hub 3.0 as a modem or only as a router?

    1. James White says:

      Only as router I believe, it requires leveraging an exploit with DNS rebinding. If you use your own router it likely won’t be vulnerable to the specific DNS rebind attack, present in the Hub 3.

      It is a good idea though even if not, to check you have DNS rebinding enabled if available.

    2. James White says:

      Should have said “DNS rebinding protection” enabled.

  17. Cherif Vooo says:

    Liberty global is only here to make Money Bug or no Bug they always say Virginmedia Superfast Fibre Broadband and still isn’t Fibre its coaxial connection with Fsss and Badly Maintained Cabinets and Network
    And your IP are all static very easy….

  18. Rich Branston says:

    I hope VM’s got an Intel-free Hub 5 well into software development so I can skip 4 and 5 entirely.

    1. Winston Smith says:

      Given that VM are moving to an entirely FTTP network by 2028, Hub 4 may be the last DOCSIS hub.

  19. Buggerlugz says:

    Virgin really need to ditch the ARRIS Hubs, they’ve always been utter rubbish.

  20. Bob says:

    ‘We note how the exploit that Fidus found worked with some VPN providers, but not all. For example, a VPN provider that blocks access to local IP addresses by default will prevent this attack, but many such providers do not do that.’ Nordvpn provides an option to be invisible on the LAN. Would enabling this on all devices the VPN runs on, prevent these types of attacks?

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Comments RSS Feed

Javascript must be enabled to post (most browsers do this automatically)

Privacy Notice: Please note that news comments are anonymous, which means that we do NOT require you to enter any real personal details to post a message. By clicking to submit a post you agree to storing your comment content, display name, IP, email and / or website details in our database, for as long as the post remains live.

Only the submitted name and comment will be displayed in public, while the rest will be kept private (we will never share this outside of ISPreview, regardless of whether the data is real or fake). This comment system uses submitted IP, email and website address data to spot abuse and spammers. All data is transferred via an encrypted (https secure) session.

NOTE 1: Sometimes your comment might not appear immediately due to site cache (this is cleared every few hours) or it may be caught by automated moderation / anti-spam.

NOTE 2: Comments that break our rules, spam, troll or post via known fake IP/proxy servers may be blocked or removed.
Cheapest Superfast ISPs
  • Vodafone £19.50 (*22.50)
    Speed 38Mbps, Unlimited
    Gift: None
  • NOW £20.00 (*32.00)
    Speed 36Mbps, Unlimited
    Gift: None
  • Hyperoptic £20.00 (*25.00)
    Speed 50Mbps, Unlimited
    Gift: Promo Code: HYPERFALL21
  • Shell Energy £21.99 (*30.99)
    Speed 35Mbps, Unlimited
    Gift: None
  • Plusnet £22.00 (*38.20)
    Speed 36Mbps, Unlimited
    Gift: £70 Reward Card
Large Availability | View All
New Forum Topics
Cheapest Ultrafast ISPs
  • Gigaclear £24.00 (*49.00)
    Speed: 300Mbps, Unlimited
    Gift: None
  • Vodafone £24.00 (*27.00)
    Speed: 100Mbps, Unlimited
    Gift: None
  • Community Fibre £25.00 (*27.50)
    Speed: 200Mbps, Unlimited
    Gift: None
  • Hyperoptic £25.00 (*35.00)
    Speed: 150Mbps, Unlimited
    Gift: Promo Code: HYPERFALL21
  • Virgin Media £28.00 (*52.00)
    Speed: 108Mbps, Unlimited
    Gift: None
Large Availability | View All
The Top 20 Category Tags
  1. FTTP (3570)
  2. BT (3024)
  3. Politics (1943)
  4. Building Digital UK (1929)
  5. FTTC (1888)
  6. Openreach (1838)
  7. Business (1694)
  8. Mobile Broadband (1480)
  9. Statistics (1410)
  10. FTTH (1365)
  11. 4G (1278)
  12. Fibre Optic (1176)
  13. Virgin Media (1174)
  14. Wireless Internet (1163)
  15. Ofcom Regulation (1150)
  16. Vodafone (847)
  17. EE (837)
  18. 5G (772)
  19. TalkTalk (770)
  20. Sky Broadband (748)
Promotion
Helpful ISP Guides and Tips
»
»
»
»
»
»
»
»
»
»
»
»
»
»
»
»
»
»
»
»
»
»
»
»
»
»
»
»
Sponsored

Copyright © 1999 to Present - ISPreview.co.uk - All Rights Reserved - Terms , Privacy and Cookie Policy , Links , Website Rules , Contact