
Got a Netgear router from Virgin Media? Change your admin password NOW

Wi-Fi cred-baring vuln lets attackers take full control


A Wi-Fi security flaw leaves Virgin Media subscribers' wireless connections vulnerable to takeover by hackers.

The vulnerability, identified by IT consultant Paul Moore, means Virgin Media Superhub router/modem combo devices leak users' passwords every time they reboot. The issue arises because the Netgear-manufactured device initially brings up the wireless network without any form of encryption, allowing it to accidentally leak its Wi-Fi password in the clear to anyone nearby.

"After the seven-second window, the router takes the Wi-Fi card offline, enables encryption and brings the card back up," Moore explains. "That’d be great, if we hadn’t already broadcast the encryption key to everyone nearby."

Moore added:

That’s akin to reading your password aloud while you change it.

Moore warns that hackers can take advantage of the vulnerability by forcing a device within range to reboot before snaffling the password. He wrote a proof-of-concept script that could automate this task while acting as a worm going from one router to another.

Successful exploitation of the trick, which is far from reliable, would allow miscreants to get up to all sorts of mischief, such as redirecting surfers from genuine websites to fraudulent versions in order to browse the hard drives of victims on the compromised networks. Hackers could even use a compromised connection to access illegal material in someone else's name.

Tricky exploit is easy to thwart

The vulnerability is limited to the Netgear VMDG485 hub, supplied to Virgin Media customers as SuperHub2. The flaw means that, during the short time the device is booting up, it might be possible for someone physically nearby to gain access to its administrative settings web page and Wi-Fi passphrase, which is sent in the clear during the unencrypted window.
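A hub owner can check for this boot-time behaviour from the outside by watching the beacons their own access point sends across a reboot. The following is an added example, not code from Moore's advisory or from Virgin Media or Netgear: it scans beacon observations for periods where a normally encrypted AP advertised itself as open. The beacon records, BSSIDs, SSIDs and the open_windows helper are all constructed for illustration.

```python
from itertools import groupby

# Constructed beacon observations: (seconds, BSSID, SSID, privacy bit).
# The privacy bit is the 802.11 capability flag an AP sets when it requires encryption.
BEACONS = [
    (0.0, "02:00:00:aa:bb:01", "home-hub", True),
    (1.0, "02:00:00:aa:bb:01", "home-hub", True),
    # hub reboots: no beacons until it comes back up
    (40.0, "02:00:00:aa:bb:01", "home-hub", False),
    (43.0, "02:00:00:aa:bb:01", "home-hub", False),
    (46.0, "02:00:00:aa:bb:01", "home-hub", False),
    # radio restarts with encryption enabled
    (49.0, "02:00:00:aa:bb:01", "home-hub", True),
    (50.0, "02:00:00:aa:bb:01", "home-hub", True),
    # an intentionally open network, never encrypted
    (0.5, "02:00:00:cc:dd:02", "guest-open", False),
    (45.0, "02:00:00:cc:dd:02", "guest-open", False),
]


def open_windows(beacons, own_bssids):
    """Find periods where one of our normally encrypted APs beaconed as open."""
    findings = []
    mine = sorted((b for b in beacons if b[1] in own_bssids),
                  key=lambda b: (b[1], b[0]))
    for bssid, group in groupby(mine, key=lambda b: b[1]):
        obs = list(group)
        if not any(privacy for *_, privacy in obs):
            continue  # configured as open all along; not the boot-time pattern
        start = None
        for t, _, ssid, privacy in obs:
            if not privacy and start is None:
                start = t  # first unencrypted beacon of a run
            elif privacy and start is not None:
                # end is the first protected beacon, so seconds is an upper bound
                findings.append({"bssid": bssid, "ssid": ssid,
                                 "start": start, "end": t, "seconds": t - start})
                start = None
        if start is not None:  # still open when the capture ended
            findings.append({"bssid": bssid, "ssid": obs[-1][2],
                             "start": start, "end": None, "seconds": None})
    return findings


if __name__ == "__main__":
    for f in open_windows(BEACONS, {"02:00:00:aa:bb:01", "02:00:00:cc:dd:02"}):
        print(f)
```

An empty result after a reboot of a patched hub is the outcome to look for, since the promised update is meant to initialise encryption immediately from reboot.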

Fortunately the attack would be difficult to pull off in practice - and is easily prevented by changing the default password, which Virgin encourages all its customers to do when the hub is first installed. Virgin is working with Netgear to develop and test a software update to automate the process of making the changes.

It's unclear even approximately when a firmware update is likely to become available. Netgear has yet to respond to El Reg's query on this point.

"Although the damage potential is high, the chances of it actually happening are low," Moore told El Reg. "It can be exploited with just a browser and the right set of circumstances... but the attacker would need an ideal environment – strong signal, minimal load on the router, etc – for an exploit to be successful."

"However, with minimal programming and when coupled with other Wi-Fi exploits, the risk and success rate increases dramatically. If deployed as a virus (spreading over encrypted networks), the user could still be at risk even after the firmware has been patched," he added.

Moore warned Virgin Media of his findings before going public with an advisory, published last week, after learning a firmware fix is unlikely to be available for weeks. Guarding against attack is a simple matter of changing a router’s default password.

"An attacker will still be able to connect when there’s no encryption, but crucially, they won’t be able to grab the encryption key needed to gain access beyond that point," Moore explained.

Virgin Media confirmed the vulnerability while talking down the potential for harm. An official moderator on its forums has promised a firmware fix is in development. The advice (from Jim Meadows, of Virgin Media's Help & Support Forum Team) downplays the risk of potential attack while repeating Moore's recommendation that users would be well advised to change their admin passwords.

The security of our services is of the highest importance and we are working with Netgear to develop and test a software update which will initialise encryption immediately from reboot and this is close to being issued.

We encourage all our customers to change their default passwords when they are installed, if anyone is unsure whether they have made this change, instructions on our website provide an easy guide on how this can be done at any time on our help pages at http://virg.in/sh2pass

If customers are concerned, then we would recommend that after changing the default password, they should also change the WiFi passphrase for additional security.

To confirm, the issue only relates to the Netgear VMDG485 device (SuperHub2) and, although we agree with the person who identified it that this is highly unlikely to happen, we have thanked them for bringing this to our attention.

Superhubs had an early history of flakey firmware updates around the time they were first introduced two years ago. El Reg's security desk trusts these issues have been ironed out.

A Virgin Media spokesperson added:

A potential issue has recently been brought to our attention which, while not affecting the majority of the equipment we supply, could allow someone in physical proximity to a Netgear VMDG485 device to gain access to its administrative settings and WiFi passphrase. To do so is relatively complex and is easily prevented by changing the default password, which we encourage all our customers to do when they are installed. If anyone is unsure whether they have made this change, instructions on our website provide an easy guide on how this can be done at any time. The security of our services is of the highest importance and we have been working with our supplier to develop and test a software update which is close to being issued.
