
Got a Netgear router from Virgin Media? Change your admin password NOW

Wi-Fi cred-baring vuln lets attackers take full control


A Wi-Fi security flaw leaves Virgin Media subscribers' wireless connections vulnerable to takeover by hackers.

The vulnerability, identified by IT consultant Paul Moore, means Virgin Media Superhub router/modem combo devices leak users' passwords every time they reboot. The issue arises because the Netgear-manufactured device initially brings up the wireless network without any form of encryption, allowing it to accidentally leak its Wi-Fi password in the clear to anyone nearby.

"After the seven-second window, the router takes the Wi-Fi card offline, enables encryption and brings the card back up," Moore explains. "That’d be great, if we hadn’t already broadcast the encryption key to everyone nearby.”

Moore added:

That’s akin to reading your password aloud while you change it.

Moore warns that hackers can take advantage of the vulnerability by forcing a device within range to reboot before snaffling the password. He wrote a proof-of-concept script that could automate this task while acting as a worm going from one router to another.

Successful exploitation of the trick, which is far from reliable, would allow miscreants to get up to all sorts of mischief, such as redirecting surfers from genuine websites to fraudulent versions in order to browse the hard drives of victims on the compromised networks. Hackers could even use a compromised connection to access illegal material in someone else's name.

Tricky exploit is easy to thwart

The vulnerability is limited to the Netgear VMDG485 hub, supplied to Virgin Media customers as SuperHub2. The flaw means that, during the short time the device is booting up, it might be possible for someone physically nearby to gain access to its administrative settings web page and Wi-Fi passphrase, which is sent in the clear during the unencrypted window.
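An owner can check whether their own hub exposes such a window by watching the Privacy bit in its beacon frames across a reboot. The following is an added example, not code from Moore's advisory, Virgin Media or Netgear; it assumes the open phase shows up as beacons with the 802.11 Privacy capability bit cleared, and the SSID "ExampleHub", the function names and the sample frames are constructed for illustration.

```python
import struct
PRIVACY_BIT = 0x0010  # 802.11 Capability Information: Privacy (encryption required)

def parse_beacon_body(body: bytes):
    """Return (ssid, privacy) from a beacon frame body (bytes after the MAC header)."""
    if len(body) < 12:
        raise ValueError("beacon body too short")
    # Fixed fields, little-endian: 8-byte timestamp, beacon interval, capabilities.
    _ts, _interval, caps = struct.unpack_from("<QHH", body, 0)
    ssid, pos = None, 12
    while pos + 2 <= len(body):            # walk the tagged elements
        tag, length = body[pos], body[pos + 1]
        value = body[pos + 2:pos + 2 + length]
        if len(value) < length:
            break                          # truncated element, stop parsing
        if tag == 0:                       # element ID 0 is the SSID
            ssid = value.decode("utf-8", "replace")
            break
        pos += 2 + length
    return ssid, bool(caps & PRIVACY_BIT)

def open_windows(observations, ssid):
    """Return (start, end) spans in which `ssid` was advertised without encryption."""
    windows, start, last = [], None, None
    for t, body in sorted(observations, key=lambda o: o[0]):
        name, privacy = parse_beacon_body(body)
        if name != ssid:
            continue
        if not privacy:
            start = t if start is None else start
            last = t
        elif start is not None:
            windows.append((start, t))     # span closes at first encrypted beacon
            start = None
    if start is not None:                  # capture ended while still open
        windows.append((start, last))
    return windows

def make_beacon(ssid, caps):               # builds constructed sample frames
    name = ssid.encode()
    return struct.pack("<QHH", 0, 100, caps) + bytes([0, len(name)]) + name

# Constructed sample: hub reboots at t=30 and advertises itself open until t=37.5.
SAMPLE = [(0.0, make_beacon("ExampleHub", 0x0411)), (30.0, make_beacon("ExampleHub", 0x0401)),
          (33.0, make_beacon("ExampleHub", 0x0401)), (36.0, make_beacon("OtherNet", 0x0401)),
          (37.5, make_beacon("ExampleHub", 0x0411))]

if __name__ == "__main__":
    print(open_windows(SAMPLE, "ExampleHub"))
```

Any span reported for a network that is meant to be encrypted means it was advertised as open for that long; an empty list across a reboot is the result to expect once encryption is initialised from boot.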

Fortunately, the attack would be difficult to pull off in practice and is easily prevented by changing the default password, which Virgin encourages all its customers to do when the hub is first installed. Virgin is working with Netgear to develop and test a software update to automate the process of making the changes.

It's unclear even approximately when a firmware update is likely to become available. Netgear has yet to respond to El Reg's query on this point.

"Although the damage potential is high, the chances of it actually happening are low," Moore told El Reg. "It can be exploited with just a browser and the right set of circumstances... but the attacker would need an ideal environment – strong signal, minimal load on the router, etc – for an exploit to be successful."

"However, with minimal programming and when coupled with other Wi-Fi exploits, the risk and success rate increases dramatically. If deployed as a virus (spreading over encrypted networks), the user could still be at risk even after the firmware has been patched," he added.

Moore warned Virgin Media of his findings before going public with an advisory, published last week, after learning a firmware fix is unlikely to be available for weeks. Guarding against attack is a simple matter of changing a router’s default password.

"An attacker will still be able to connect when there’s no encryption, but crucially, they won’t be able to grab the encryption key needed to gain access beyond that point," Moore explained.

Virgin Media confirmed the vulnerability while talking down the potential for harm. An official moderator on its forums has promised a firmware fix is in development. The advice (from Jim Meadows, of Virgin Media's Help & Support Forum Team) downplays the risk of potential attack while repeating Moore's recommendation that users would be well advised to change their admin passwords.

The security of our services is of the highest importance and we are working with Netgear to develop and test a software update which will initialise encryption immediately from reboot and this is close to being issued.

We encourage all our customers to change their default passwords when they are installed. If anyone is unsure whether they have made this change, instructions on our website provide an easy guide on how this can be done at any time on our help pages at http://virg.in/sh2pass

If customers are concerned, then we would recommend that after changing the default password, they should also change the WiFi passphrase for additional security.

To confirm, the issue only relates to the Netgear VMDG485 device (SuperHub2) and, although we agree with the person who identified it that this is highly unlikely to happen, we have thanked them for bringing this to our attention.

Superhubs had an early history of flakey firmware updates around the time they were first introduced two years ago. El Reg's security desk trusts these issues have been ironed out.

A Virgin Media spokesperson added:

A potential issue has recently been brought to our attention which, while not affecting the majority of the equipment we supply, could allow someone in physical proximity to a Netgear VMDG485 device to gain access to its administrative settings and WiFi passphrase. To do so is relatively complex and is easily prevented by changing the default password, which we encourage all our customers to do when they are installed. If anyone is unsure whether they have made this change, instructions on our website provide an easy guide on how this can be done at any time. The security of our services is of the highest importance and we have been working with our supplier to develop and test a software update which is close to being issued.
