
Virgin Media O2 UK Still Suffers Router Bug that Exposes VPN IPs

Saturday, Sep 18th, 2021 (12:01 am) - Score 24,312

Broadband ISP Virgin Media UK (VMO2) has confirmed to ISPreview.co.uk that they’ve yet to fix a long-running security issue in their HUB 3.0 routers (ARRIS TG2492), which among other things could be used to “silently unmask” the actual, ISP issued, IP address of Virtual Private Network (VPN) users.

A Virtual Private Network (VPN) operates a bit like a network within a network. Such services essentially sit in their own secure and encrypted layer on top of your main internet connection, which routes your traffic over the VPN’s own servers and assigns you a different Internet Protocol (IP) address from the one issued by your ISP.

Suffice to say, VPNs add some extra security to your internet connection, which is especially useful (we’d say essential) when remote working or travelling on holiday (it’s wise to never trust public WiFi or Hotel connections etc.). But at the same time, this does mean putting a lot of trust in the VPN provider itself.

In any case, the one thing that a VPN user really wouldn’t like is for their real – ISP assigned – IP address to be exposed, which appears to be exactly what the aforementioned exploit in Virgin Media’s widely used HUB 3.0 router would allow.

NOTE: This vulnerability was assigned a candidate code of CVE-2019-16651, but the page for that has yet to disclose the details.

The vulnerability was first discovered by security researchers at Fidus back in October 2019, which was acknowledged by Virgin Media two days later. But in February 2020 the operator requested that Fidus hold back on public disclosure until Q1 2021 and the group agreed. Since then, Fidus has, on several occasions, attempted to secure an update from VM, but none was forthcoming. Details on the issue were then published in March 2021.

Fidus’ Description of CVE-2019-16651

Fidus’ R&D team identified a vulnerability within Virgin Media Super Hub 3 routers that permitted for exfiltration of sensitive information remotely, which, among other things, can be used to determine the actual, ISP issued IP address of VPN users. A vulnerability we were asked to hold back from releasing for a whole year.

A DNS rebinding attack is utilised to reveal a user’s actual IP address by simply visiting a webpage for a few seconds. This has been made graphical for Proof of Concept purposes, but it is important to note this can be silently executed. During our testing, it was possible to unmask the true IP address of users across multiple popular VPN providers – resulting in complete deanonymisation.

The underlying model of router (ARRIS TG2492) and related models are a series of DOCSIS fibre routers known to be used by multiple ISPs around the world, many of which are owned by Liberty Global, who also owns Virgin Media.

In short, such an attack, which involves some DNS rebinding (i.e. manipulating the resolution of domain names), only takes a matter of seconds and a user’s actual underlying IP address can thus be unmasked by doing something as simple as visiting a URL (website / web page). But constructing that attack does take a bit more effort, and it’s unclear if anybody is actively deploying it.

We note how the exploit that Fidus found worked with some VPN providers, but not all. For example, a VPN provider that blocks access to local IP addresses by default will prevent this attack, but many such providers do not do that.
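
The attack depends on a public domain name being re-pointed at a local address, which is why blocking local addresses defeats it. The sketch below shows that check applied to resolver answers. It is an added example, not code from ISPreview, Fidus or Virgin Media; the address ranges, local suffix list and log records are assumptions constructed for illustration.

```python
import ipaddress

# Ranges treated as internal (RFC 1918, loopback, link-local, "this network",
# IPv6 loopback/ULA/link-local). An explicit list chosen for this example.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "0.0.0.0/8", "::1/128", "fc00::/7", "fe80::/10",
)]

# Zones allowed to hold internal addresses (assumption: adjust to your LAN).
LOCAL_SUFFIXES = (".home.arpa", ".lan")

# Constructed resolver log, not real traffic: (time_s, name, answer, ttl).
SAMPLE_LOG = [
    (0.0, "news.example.org", "198.51.100.7", 300),
    (1.0, "rebind.example.net", "203.0.113.10", 1),
    (4.0, "rebind.example.net.", "192.168.0.1", 1),
    (5.0, "nas.home.arpa", "192.168.0.20", 60),
    (6.0, "v6.example.net", "::ffff:192.168.100.1", 1),
]


def is_internal(addr):
    """True if addr falls in a range a rebinding filter should not accept."""
    ip = ipaddress.ip_address(addr)
    # Unwrap IPv4-mapped IPv6 so ::ffff:192.168.0.1 cannot slip past the check.
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return any(ip in net for net in INTERNAL_NETS)


def rebind_findings(log, local_suffixes=LOCAL_SUFFIXES):
    """Return (name, answer, reason) for answers the filter would drop."""
    seen_public = set()
    findings = []
    for _ts, raw_name, answer, _ttl in log:
        name = raw_name.rstrip(".").lower()
        if name.endswith(local_suffixes):
            continue  # local-only zones may legitimately hold internal addresses
        if is_internal(answer):
            reason = "public-then-internal" if name in seen_public else "internal-answer"
            findings.append((name, answer, reason))
        else:
            seen_public.add(name)
    return findings


if __name__ == "__main__":
    for finding in rebind_findings(SAMPLE_LOG):
        print(finding)
```

Resolvers that offer a rebinding-protection setting apply the same idea by discarding such answers before the browser ever sees them.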

Needless to say, Virgin Media’s seeming inability to respond to Fidus’ requests for an update on their progress toward a resolution led us, following a prompt from one of our readers (credits to Wayne), to chase the operator up. Sadly, they haven’t fixed it yet, which probably explains their earlier silence.

A Virgin Media spokesperson told ISPreview.co.uk:

“We are aware of a highly technical issue which, in very particular circumstances, could impact customers using a VPN while accessing a malicious website. A very specific set of circumstances would need to be in place for a customer to be impacted, meaning that the risk to them is very low.

We have strong security measures in place to protect our network and keep our customers secure. We are not aware of any customers being affected by this issue and they do not need to take any action.”

The fact that a patch has yet to be produced for the HUB 3.0 suggests that it may still be impacting other cable operators that supply the same device from ARRIS. But in Virgin Media’s mind, only a small portion of their base actually use a VPN (small is a relative term when you have 5.5 million+ customers), although that will be little consolation to those who do.

The severity of all this does perhaps depend, at least in part, on how you view the exposure of an ISP supplied IP address in general. Customers who use the internet on a general day-to-day basis will, as a matter of course, be exposing their IP address when visiting any website. But obviously, if one of your expectations when using a VPN is not to expose your ISP assigned IP address, then this may be a much bigger issue.

Arguably the bigger concern here is the passage of time and how the issue, despite being reported two whole years ago, still hasn’t been fixed. Virgin Media did inform us that they were working on a technical fix, which could be implemented while avoiding disruption for all of their customers. But there’s no indication of how much longer that will take before it’s deployed.

By Mark Jackson
Mark is a professional technology writer, IT consultant and computer engineer from Dorset (England), he also founded ISPreview in 1999 and enjoys analysing the latest telecoms and broadband developments.
Comments
37 Responses
  1. Connor says:

    Is there a POC for this issue? I’m interested to see if it also affects the Hub 4.

    1. Finneas McClintock says:

      Here: https://fidusinfosec.com/silently-unmasking-virgin-media-vpn-users-in-seconds-cve-2019-16651/

      I tried it and for me (Hub 3) you just get a completely zeroed field back, so I’m curious to know if it’s still an issue.

  2. Anonymous says:

    Do you know what VPNs that block your IP address by default that are not vulnerable to this issue are, as I am with Virgin Media and it is the Superhub 3 I use and I use a VPN also and I’m concerned about this issue security vulnerability.

    1. Charlie says:

      Would this bug work on VPNs that have kill switches? Mine won’t let me connect, ping, browse or anything without the VPN being active.

    2. Tom says:

      Can you still access your router’s web interface when on the VPN? If so, this problem will exist still.

    3. Charlie says:

      Tom, on my VPN that’s optional.

      There is an option for me that says “Invisible to devices” “Make your device invisible to other devices, and vice versa, on your LAN”. When I turn that option on, I cannot see or connect to anything on my home net, not my NAS, not my CCTV cameras .. nothing. If I try to go to the VM router page, chrome says “Your Internet access is blocked Firewall or antivirus software may have blocked the connection. ERR_NETWORK_ACCESS_DENIED”.

  3. anon says:

    can virgin media just let you dump their crappy routers without having to use modem mode

    1. John says:

      No, but the issue isn’t present in modem mode when using another router.

    2. Gary says:

      @John

      Thanks for the info! I didn’t think it would.

  4. Daniel says:

    Virgin won’t allow you to use your own modem so my purchase of a Netgear CM600 has been a waste of time. Shame, because abroad in the US, it’s fairly common for ISPs to activate subscribers’ own modems for them to use.

    1. Roger_Gooner says:

      No ISP voluntarily allows customers to use their own modems. US ISPs are obligated to allow customers to use their own modems by an FCC regulation.
      “§ 76.1201 Rights of subscribers to use or attach navigation devices.

      No multichannel video programming distributor shall prevent the connection or use of navigation devices to or with its multichannel video programming system, except in those circumstances where electronic or physical harm would be caused by the attachment or operation of such devices or such devices may be used to assist or are intended or designed to assist in the unauthorized receipt of service.”

    2. Iain says:

      Which is, alas, a clear violation of net neutrality rules.

  5. Chris Sayers says:

    I do wonder if VM do deep inspection of your data, hence no fix, I’m glad we have moved to FTTP, that’s not to say OR are doing the same, but if you’re running hardware that cannot easily be swapped then a provider has greater control and possibly snooping, just saying.

    1. JitteryPinger says:

      Last I heard was that Virgin do deep inspection of data on their network.

    2. Charlie says:

      How does that work on TLS connections? Unless VM implements a man-in-the-middle attack on its users, how can they see inside the traffic? Genuine question, I’m not an expert: would they only see “welp, yep, the user is doing TLS to this IP”? Or will they somehow be able to see actual traffic unencrypted?

    3. Winston Smith says:

      There was an article from 2009 about VM trialling deep packet inspection:

      https://www.ispreview.co.uk/story/2009/11/26/virgin-media-uk-trial-deep-packet-inspection-to-track-illegal-file-sharing.html

      Did VM actually use this or any similar technology?

      If you use proper DNS encryption it would prevent any man-in-the-middle inspection of encrypted packets.

  6. Anon says:

    VM and fixing software bugs, name a more iconic duo. How’s that fix for SH3 bug that affects 6in4 tunnel speeds coming along? Any day now, right?

  7. Steve says:

    Is the issue dependent upon which mode the router is in? I run it in modem only mode with my own firewall behind the VM device.

    1. Felis corvus says:

      Have the modem mode and your own router with the capacity to install VPN 24 hours a day, or failures.

  8. Christopher says:

    The Hub 3 is a terrible piece of hardware. I honestly wouldn’t be surprised if the answer was that it can’t be fixed.

    On a related point; Everyone I know who has a Hub 3 complains about how crappy their internet connection is. I will tell anyone who’ll listen, to get a separate router and put the Hub 3 into modem mode. It’s not a perfect solution, but sorts 99% of the problems.

  9. Sean says:

    Hub 3 is only any good in modem mode with your own router. I’ve never used VM any other way.

  10. dark jaguar says:

    Is it a bug though? 😉

  11. Dark Jaguar says:

    Oh and the hub 4 is not any better than hub 3, pretty much the reason why I shifted to Vodafone with cityfibre installation, day and night difference.

    1. Laurence 'GreenReaper' Parry says:

      It is faster, 2GHz vs 1.2GHz, and 1GB RAM vs 256MB, IIRC. And you can feel that at times. Support for DOCSIS 3.1 will also be significant for some users, and for better support of all.

      But the software isn’t noticeably better beyond the liability to change the light ring; and the Wi-Fi, despite having more channels, isn’t better in terms of reach, which is why I have an old BT Smart Hub linked up as a WAP via Ethernet and powerline wireless.

  12. Mr Anonymous says:

    The deals that Virgin Media had with ARRIS are now contracts with Commscope, due to the sale of ARRIS.

    All this means is that there are likely no engineers left from ARRIS working on Virgin Media due to the buyout and subsequent reform.

  13. Robo says:

    I’m glad to have moved away from Virgin Media and their crappy, bug ridden “super hub”. Virgin Media barely ever fix any problems with the device.

  14. Mark says:

    When I had VM installed years ago the first thing I did was turn on modem mode while the installer was still present, I have never once used the built in router and instead went directly to pfsense, I now have it connected to a full TP-Link OMADA setup and it’s always been flawless, saying that as soon as cityfibre goes live in my area VM is getting the call to say I’m leaving.

  15. Sam P says:

    It’s not a bug. It’s a feature.

    Seriously though, don’t use Virgin Media.

    1. Charlie says:

      Little other choice for me. I live in an area that has 60mbit DSL or 1Gig VM. Which would you choose? House of 5, all into streaming stuff and games. If Openreach would fit FTTP, I’d buy it. But we are one of the failed gfast areas that Openreach has decided to let suffer (FTTP is available here, but not in the areas that gfast is. Yet apparently this is BS according to some ISPReviewers. Despite the fact you can go to the BT broadband checker and verify it yourself)

      Can you tell I’m not happy about it?

  16. David says:

    Does this happen also when using the Hub 3.0 as a modem or only as a router?

    1. James White says:

      Only as router I believe, it requires leveraging an exploit with DNS rebinding. If you use your own router it likely won’t be vulnerable to the specific DNS rebind attack, present in the Hub 3.

      It is a good idea though even if not, to check you have DNS rebinding enabled if available.

    2. James White says:

      Should have said “DNS rebinding protection” enabled.

  17. Cherif Vooo says:

    Liberty global is only here to make Money Bug or no Bug they always say Virginmedia Superfast Fibre Broadband and still isn’t Fibre its coaxial connection with Fsss and Badly Maintained Cabinets and Network
    And your IP are all static very easy….

  18. Rich Branston says:

    I hope VM’s got an Intel-free Hub 5 well into software development so I can skip 4 and 5 entirely.

    1. Winston Smith says:

      Given that VM are moving to an entirely FTTP network by 2028, Hub 4 may be the last DOCSIS hub.

  19. Buggerlugz says:

    Virgin really need to ditch the ARRIS Hubs, they’ve always been utter rubbish.

  20. Bob says:

    ‘We note how the exploit that Fidus found worked with some VPN providers, but not all. For example, a VPN provider that blocks access to local IP addresses by default will prevent this attack, but many such providers do not do that.’ NordVPN provides an option to be invisible on the LAN. Would enabling this on all devices the VPN runs on prevent these types of attacks?
