Got a Netgear router from Virgin Media? Change your admin password NOW

Wi-Fi cred-baring vuln lets attackers take full control

A Wi-Fi security flaw leaves Virgin Media subscribers' wireless connections vulnerable to takeover by hackers.

The vulnerability, identified by IT consultant Paul Moore, means Virgin Media Superhub router/modem combo devices leak users' passwords every time they reboot. The issue arises because the Netgear-manufactured device initially brings up the wireless network without any form of encryption, allowing it to accidentally leak its Wi-Fi password in the clear to anyone nearby.

"After the seven-second window, the router takes the Wi-Fi card offline, enables encryption and brings the card back up," Moore explains. "That’d be great, if we hadn’t already broadcast the encryption key to everyone nearby."

Moore added:

That’s akin to reading your password aloud while you change it.

Moore warns that hackers can take advantage of the vulnerability by forcing a device within range to reboot before snaffling the password. He wrote a proof-of-concept script that could automate this task while acting as a worm going from one router to another.

Successful exploitation of the trick, which is far from reliable, would allow miscreants to get up to all sorts of mischief, such as redirecting surfers from genuine websites to fraudulent versions in order to browse the hard drives of victims on the compromised networks. Hackers could even use a compromised connection to access illegal material in someone else's name.

Tricky exploit is easy to thwart

The vulnerability is limited to the Netgear VMDG485 hub, supplied to Virgin Media customers as SuperHub2. The flaw means that, during the short time the device is booting up, it might be possible for someone physically nearby to gain access to its administrative settings web page and Wi-Fi passphrase, which is sent in the clear during the unencrypted window.
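One way to check, from passively logged beacons, whether an access point still comes up unencrypted before enabling encryption, for instance to confirm a firmware fix on your own hub. This is an added example, not code from the article or from Moore's advisory; the beacon records, BSSIDs and SSIDs are constructed, and capturing the beacons is assumed to be done by separate tooling.

```python
from dataclasses import dataclass

PRIVACY_BIT = 0x0010  # 802.11 Capability Information field: Privacy subfield (bit 4)

@dataclass
class Beacon:
    ts: float        # seconds since the capture started
    bssid: str
    ssid: str
    capability: int  # 16-bit Capability Information field taken from the beacon

# Constructed sample capture (all values are illustrative, not from the article).
SAMPLE = [
    Beacon(0.0,  "02:00:00:aa:bb:01", "HomeNet-A", 0x0401),  # open during boot
    Beacon(0.5,  "02:00:00:aa:bb:02", "HomeNet-B", 0x0411),  # encrypted throughout
    Beacon(1.0,  "02:00:00:aa:bb:03", "Guest",     0x0401),  # open by design
    Beacon(2.1,  "02:00:00:aa:bb:01", "HomeNet-A", 0x0401),
    Beacon(6.9,  "02:00:00:aa:bb:01", "HomeNet-A", 0x0401),
    Beacon(9.0,  "02:00:00:aa:bb:02", "HomeNet-B", 0x0411),
    Beacon(11.4, "02:00:00:aa:bb:01", "HomeNet-A", 0x0411),  # encryption now on
    Beacon(12.0, "02:00:00:aa:bb:03", "Guest",     0x0401),
]

def open_windows(beacons):
    """Return {bssid: [(first_open_ts, last_open_ts), ...]} for every run of
    unencrypted beacons that is later followed by an encrypted beacon from the
    same BSSID. Networks that are open all the time are not reported."""
    windows = {}  # completed open-then-encrypted windows per BSSID
    current = {}  # open run still in progress per BSSID
    for b in sorted(beacons, key=lambda b: b.ts):
        if not b.capability & PRIVACY_BIT:
            span = current.setdefault(b.bssid, [b.ts, b.ts])
            span[1] = b.ts
        elif b.bssid in current:
            # First encrypted beacon after an open run closes that window.
            windows.setdefault(b.bssid, []).append(tuple(current.pop(b.bssid)))
    return windows

if __name__ == "__main__":
    for bssid, spans in open_windows(SAMPLE).items():
        for start, end in spans:
            print(f"{bssid}: unencrypted beacons seen for at least {end - start:.1f}s")
```

An empty result across a reboot of a patched hub is the outcome to look for; any reported window means the network was briefly joinable without encryption.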

Fortunately the attack would be difficult to pull off in practice - and is easily prevented by changing the default password, which Virgin encourages all its customers to do when the device is first installed. Virgin is working with Netgear to develop and test a software update to automate the process of making the changes.

It's unclear even approximately when a firmware update is likely to become available. Netgear has yet to respond to El Reg's query on this point.

"Although the damage potential is high, the chances of it actually happening are low," Moore told El Reg. "It can be exploited with just a browser and the right set of circumstances... but the attacker would need an ideal environment – strong signal, minimal load on the router, etc – for an exploit to be successful."

"However, with minimal programming and when coupled with other Wi-Fi exploits, the risk and success rate increases dramatically. If deployed as a virus (spreading over encrypted networks), the user could still be at risk even after the firmware has been patched," he added.

Moore warned Virgin Media of his findings before going public with an advisory, published last week, after learning a firmware fix is unlikely to be available for weeks. Guarding against attack is a simple matter of changing a router’s default password.

"An attacker will still be able to connect when there’s no encryption, but crucially, they won’t be able to grab the encryption key needed to gain access beyond that point," Moore explained.

Virgin Media confirmed the vulnerability while talking down the potential for harm. An official moderator on its forums has promised a firmware fix is in development. The advice (from Jim Meadows, of Virgin Media's Help & Support Forum Team) downplays the risk of potential attack while repeating Moore's recommendation that users would be well advised to change their admin passwords.

The security of our services is of the highest importance and we are working with Netgear to develop and test a software update which will initialise encryption immediately from reboot and this is close to being issued.

We encourage all our customers to change their default passwords when they are installed. If anyone is unsure whether they have made this change, instructions on our website provide an easy guide on how this can be done at any time on our help pages at http://virg.in/sh2pass

If customers are concerned, then we would recommend that after changing the default password, they should also change the WiFi passphrase for additional security.

To confirm, the issue only relates to the Netgear VMDG485 device (SuperHub2) and, although we agree with the person who identified it that this is highly unlikely to happen, we have thanked them for bringing this to our attention.

Superhubs had an early history of flakey firmware updates around the time they were first introduced two years ago. El Reg's security desk trusts these issues have been ironed out.

A Virgin Media spokesperson added:

A potential issue has recently been brought to our attention which, while not affecting the majority of the equipment we supply, could allow someone in physical proximity to a Netgear VMDG485 device to gain access to its administrative settings and WiFi passphrase. To do so is relatively complex and is easily prevented by changing the default password, which we encourage all our customers to do when they are installed. If anyone is unsure whether they have made this change, instructions on our website provide an easy guide on how this can be done at any time. The security of our services is of the highest importance and we have been working with our supplier to develop and test a software update which is close to being issued.

®
