back to article Virgin Media resolves flaw in config backup for Super Hub routers

A recently resolved flaw in Virgin Media wireless home routers gave hackers a means to gain unauthorised administrative-level access to the devices. Security shortcomings in software from the Super Hub 2 and Super Hub 2AC, manufactured by Netgear, were uncovered by researchers from Context Information Security, Jan Mitchell …

  1. Anonymous Coward
    Anonymous Coward

    The same encryption key ! It's about time there were substantial fines on manufacturers for such basic security failures then they may take it a bit more seriously than just paying lip service.

    1. Voland's right hand Silver badge

      I am surprised by your outrage.

      End of the day it's made by Netgear. I would not have expected anything different from them.

    2. Dan 55 Silver badge
      Trollface

      The fix is they've XOR'd by MAC address instead.

      1. Anonymous Coward
        Anonymous Coward

        They've actually made the fix doubly strong by xor-ing twice.

  2. Duffaboy
    Trollface

    Article Correction

    Super Hub should read Hub

    1. big_D Silver badge
      Joke

      Re: Article Correction

      Maybe someone should tell Virgen, that the rest of the industry stopped using hubs back in the 80s and moved to switches...

      1. illiad

        Re: Article Correction

        hub, switch, router, modem... No one (even most VM support staff!!!) have no Idea of the difference of these!!! :):) :P

        they would call it 'internet thingy' but it's not 'cool' enuff... :/

        at least its not called 'cable modem' like most switches / routers are in dixons... :(

  3. frank ly Silver badge

    "Virgin rolled out a patch last month."

    How did they do that? I'm sure I have a Hub 2 but I wasn't aware of it. Should I have been? It was some time last month that my internet connection started being slow and flaky. I fixed that by powering the hub down for a minute then turning it back on again.

    1. Chunky Munky

      Re: "Virgin rolled out a patch last month."

      "by powering the hub down for a minute then turning it back on again."

      Have you been reading from their (no)helpdesk script?

    2. Anonymous Coward
      Anonymous Coward

      Re: "Virgin rolled out a patch last month."

      how do they, etc? Well, they control the hub, which kind of makes me uneasy, but on the other hand, well, it is THEIRS, legally and technically. They issue patches remotely, and the patch is applied on the go. Sadly, it always seems to happen in the daytime, interrupting internet access. Fortunately, the outage lasts rarely longer than several minutes.

      1. Anonymous Coward
        Anonymous Coward

        Re: "Virgin rolled out a patch last month."

        "Control" should be taken loosely..

        Every time I subject myself to their customer service they claim that they can't even see my hub.

        1. Anonymous Coward
          Anonymous Coward

          Re: "Virgin rolled out a patch last month."

          "Every time I subject myself to their customer service they claim that they can't even see my hub."

          Last time I spoke to one of their reps, they said they could... even though I'd powered it down at the time 'cause I didn't believe them (evil of me, I know, but they kept telling me there was no fault yet I wasn't getting a connection to anywhere!).

          Yesterday, however, I called (again, no internet connection) and it was all automated, including running tests on the equipment which it reported as taking a very long time... before saying 'its all clear but we'll do something automated anyway, just give it 10 minutes'...

          Am guessing another Hub patch went out yesterday...

          1. Down not across Silver badge

            Re: "Virgin rolled out a patch last month."

            Am guessing another Hub patch went out yesterday...

            Hmm..interesting. Mine is still the old original "SuperHub" (ie VMDG480) and strangely enough had reverted to default settings (why of course I run it in "modem mode") over the weekend. No, I wasn't expecting it and hence took a little while to realise that some issues were due to double-NATting.

            I do wonder if the update wasn't just for for SH2 and later.

            If only VM would allow dumping their crap and let customers source their own DOCSIS modem. Not least because if anything happens to the current one I do not want the buggy Puma 6 based version.

    3. Lee D Silver badge

      Re: "Virgin rolled out a patch last month."

      Have you never had your hub reboot on you, or do you just not monitor it?

      My SamKnows broadband monitoring box often picks up the reboot and so knocks the statistics.

      But my Draytek router also just fails-over to whatever else it likes when it happens (e.g. 4G / VDSL).

      This is an IT site, yes? And you're just running a plain Superhub and haven't noticed this stuff?

  4. The Infamous Grouse

    My SH2 firmware revision is 1.01.33 which according this page is the latest version, updated last November. I hope VM aren't going to drag their heels on this one now it's in the wild.

    1. Snowy

      Super hub 1, 2, 2ac and Hub 3.0 firmware [ Edited ]

      Post options

      on ‎07-11-2016 13:36 - last edited an hour ago by Community Lead James_W

      Super hub 1, 2, 2ac and Hub 3.0 firmware

      Updated 7/4/17

      Super Hub 1 V2.39.02

      Super Hub 2 V1.01.33

      Super Hub 2ac V1.01.11

      Hub 3.0 V9.1.116V

      (We are currently rolling out this firmware to all Hub 3.0 devices over the next month)

      Which is 2 months ago but the page itself was updated 1 hour ago.

      1. kpanchev

        How very interesting... my SH 2AC is version 1.01.14.....

    2. Velv Silver badge
      Boffin

      There is a confirmation on the page that 1.01.33 is the latest version, allegedly released 07/04/17.

      My SH2 has this version, but is showing an uptime of 69 days. 7/4 is only 66 days ago, so they must have been rolling it out earlier (or they can load a new firmware without a reboot, which I doubt)

  5. druck Silver badge
    WTF?

    ISP Provided Crap

    While ISP-provided routers like this are generally subject to more security testing than a typical off-the-shelf home router

    Really? ISP provided routers are normally the cheapest nastiest piece of crap they can lay their hands on.

    On services where you can use your own equipment such as ADSL/VDSL use their router to check the services is up, then put it back in the box and use your own choice of router. I'd say bin it, but if you are unlucky enough to have a line fault, you may need to reconnect it just to get past some hell desk check list entry.

    1. werdsmith Silver badge

      Re: ISP Provided Crap

      With Virgin you can switch of the router part and just use the thing as a DOCSIS 3 cable modem and patch a cable through to your own router equipment.

      1. jeffdyer

        Re: ISP Provided Crap

        I do that and use my Asus router instead.

      2. Anonymous Coward
        Anonymous Coward

        Re: ISP Provided Crap

        Which is what I also do, fine and dandy, as far as it goes.

        The issue is that you still have to use their 'lowest common denominator' domestic router (in my case, a Superhub 3.0) in modem mode to access their network.

        I quite understand why they'd want a reasonably homogeneous interface between customer equipment and theirs, and I don't really want the facility to purchase my own DOCSIS 3.0 modem and plonk it onto their cables, I just wish they'd offer us a choice between their 'all singing and dancing Superwhatevers' and a plain simple old modem, à la the old ambit ones, something along the lines of a SB6141.

  6. Anonymous Coward
    Anonymous Coward

    One key to rule them all.

  7. adam 40

    SH3 rebooting twice a day

    I have recently gone over to Virgin cable and initially my SH3 was fine, but now reboots once or twice a day.

    This really plays havoc with long downloads, why can't they make these things reliable?

  8. inmypjs Silver badge

    Am I missing something?

    You need access to the router's administrative control panel to down/up load theses encrypted configuration files which means you already have access to all available settings to 'pawn' the device.

    A router I use also encrypts its configuration files and would rather they were plain text so I could inspect and compare them.

    I really don't see any security issue or how they fixed it. If the file is encrypted with something router specific then you can't upload it to a replacement router which is half the point of the feature isn't it?

    1. Richard 12 Silver badge

      Re: Am I missing something?

      Aside from that, does that mean it's now impossible for me to backup the config and restore it to the replacement SuperHub next time it fails?

      If so, it's not a backup!

    2. William 3 Bronze badge

      Re: Am I missing something?

      The same as when people say "never write down your password".

      I'm sorry, but if someone is in my house looking for my passwords without my authorisation or knowledge then I have bigger security concerns than someone wanting to tweet under my username.

  9. eJ2095

    Virgin

    Shame they can not sort out there over subsribed network.

    On the plus side mines sat in modem mode.. Shame they dont do a small box version for people who use there own routers :0 (DD-WRT)

    1. Duffaboy

      Re: Virgin

      No, Shame they can't sort of their charges to customers

    2. wyatt

      Re: Virgin

      I agree! Have asked them this a number of times, would be especially pertinent for business connections.

    3. Down not across Silver badge

      Re: Virgin

      Shame indeed. VM used to dish out just cable modem's. I suppose it would cost them more to have cable modem option along the "SuperHub". Their compromise is the "modem mode". Which took a while to arrive in the first place and I refused to replace the old Ambit until they had SH firmware with "modem mode".

      <pedant>"modem mode" in quotes as that is what VM calls it. Bridge mode would be bit more accurate</pedant>

      Really I'd like to have the option to just dump their kit and be able choose my own DOCSIS 3 modem but I do understand why VM won't allow that.

  10. patrickstar

    Uh, this is essentially a non-issue.

    Basically they are complaining that having admin access to the box lets you pwn it. What are they gonna do next - post an advisory about how you can ssh into a Linux box and wreak havoc if you have the root password/key?

    I guess their argument is that you aren't supposed to be able to break a shell on the underlying system from just having access to the web interface. Well, plenty of Linux based systems let you do that by design - are they next in line for "horrible security vulnerability found, panic!" ?

    If anything, being able to break a shell on the box if you have proper credentials should be considered a feature, not a bug.

  11. jeffdyer

    "This meant that an attacker with access to the administrative interface of a user's hub could download a configuration file, add additional instructions to enable remote access and restore the file to the hub."

    Errr, if they had administrative access already ......

    1. Richard 12 Silver badge

      It would be a vulnerability if you can do it without logging into the admin interface, or if all the routers ship with the same default password of "changeme".

      That'd be rather stupid though.

      I wonder whether they did both?

    2. Tomato Krill

      I (obviously) thought this but one barrel-scraping thought:

      If you keep your (encrypted) backup on a share which doesn't require admin privileges, it'd be possible to replace it and either wait for a restore to be necessary or (needing physical access here) reset the router, prompting the owner to restore with you poisoned config backup?

      1. patrickstar

        Well, just like if you backup /etc/{passwd,shadow} to an unprotected share and later restore them...

  12. Anonymous Coward
    Anonymous Coward

    Hey thats great, they stopped administrators from magling there backup configs to give them more device access.

    How about next patch they do something usefull like fixing L2TP pass through

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2019