Got a Netgear router from Virgin Media? Change your admin password NOW

Wi-Fi cred-baring vuln lets attackers take full control

A Wi-Fi security flaw leaves Virgin Media subscribers' wireless connections vulnerable to takeover by hackers.

The vulnerability, identified by IT consultant Paul Moore, means Virgin Media Superhub router/modem combo devices leak users' passwords every time they reboot. The issue arises because the Netgear-manufactured device initially brings up the wireless network without any form of encryption, allowing it to accidentally leak its Wi-Fi password in the clear to anyone nearby.

"After the seven-second window, the router takes the Wi-Fi card offline, enables encryption and brings the card back up," Moore explains. "That'd be great, if we hadn't already broadcast the encryption key to everyone nearby."

Moore added:

That’s akin to reading your password aloud while you change it.

Moore warns that hackers can take advantage of the vulnerability by forcing a device within range to reboot before snaffling the password. He wrote a proof-of-concept script that could automate this task while acting as a worm going from one router to another.

Successful exploitation of the trick, which is far from reliable, would allow miscreants to get up to all sorts of mischief, such as redirecting surfers from genuine websites to fraudulent versions in order to browse the hard drives of victims on the compromised networks. Hackers could even use a compromised connection to access illegal material in someone else's name.

Tricky exploit is easy to thwart

The vulnerability is limited to the Netgear VMDG485 hub, supplied to Virgin Media customers as SuperHub2. The flaw means that, during the short time the device is booting up, it might be possible for someone physically nearby to gain access to its administrative settings web page and Wi-Fi passphrase, which is sent in the clear during the unencrypted window.
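The unencrypted boot window described above can be checked for from the defender's side, for example to confirm after a firmware update that the hub no longer comes up open. This is an added example, not code from Moore's advisory, Virgin Media or Netgear. It assumes the open phase is visible as beacon frames with the Privacy bit cleared and that frames arrive with the radiotap header already removed; the BSSIDs and frames are constructed sample data.

```python
import struct

PRIVACY_BIT = 0x0010  # Privacy subfield of the 802.11 Capability Information field
BEACON_FC0 = 0x80     # first frame-control byte: management frame, subtype beacon

def parse_beacon(frame: bytes):
    """Return (bssid, privacy_enabled) for a beacon frame, else None."""
    if len(frame) < 36 or frame[0] != BEACON_FC0:
        return None
    bssid = frame[16:22].hex(":")                        # address 3 = BSSID
    (capability,) = struct.unpack_from("<H", frame, 34)  # after timestamp + interval
    return bssid, bool(capability & PRIVACY_BIT)

def open_windows(capture, bssid):
    """capture: iterable of (timestamp_seconds, frame_bytes).
    Returns [(first_open_ts, last_open_ts), ...] for the given BSSID."""
    windows, start, last = [], None, None
    for ts, frame in sorted(capture, key=lambda item: item[0]):
        parsed = parse_beacon(frame)
        if parsed is None or parsed[0] != bssid.lower():
            continue
        if parsed[1]:                 # encrypted beacon closes any open span
            if start is not None:
                windows.append((start, last))
                start = None
        else:                         # unencrypted beacon opens or extends a span
            if start is None:
                start = ts
            last = ts
    if start is not None:             # capture ended while still unencrypted
        windows.append((start, last))
    return windows

def make_beacon(bssid: str, capability: int) -> bytes:
    """Build a minimal constructed beacon: 24-byte header plus fixed fields."""
    mac = bytes.fromhex(bssid.replace(":", ""))
    header = bytes([BEACON_FC0, 0]) + bytes(2) + b"\xff" * 6 + mac + mac + bytes(2)
    return header + bytes(8) + struct.pack("<HH", 100, capability)

# Constructed sample capture: the hub reboots and beacons unencrypted for a few seconds.
HUB, NEIGHBOUR = "02:00:00:00:00:01", "02:00:00:00:00:02"
SAMPLE = [(0.0, make_beacon(HUB, 0x0411)), (41.0, make_beacon(HUB, 0x0401)),
          (43.0, make_beacon(NEIGHBOUR, 0x0401)), (44.0, make_beacon(HUB, 0x0401)),
          (47.5, make_beacon(HUB, 0x0401)), (52.0, make_beacon(HUB, 0x0411))]

if __name__ == "__main__":
    for first, last in open_windows(SAMPLE, HUB):
        print(f"{HUB} beaconed without encryption from {first}s to {last}s")
```

An empty result across a capture that spans a reboot is what a fixed device should produce.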

Fortunately the attack would be difficult to pull off in practice, and it is easily prevented by changing the default password, which Virgin encourages all its customers to do when the device is first installed. Virgin is working with Netgear to develop and test a software update to automate the process of making the changes.

It's unclear even approximately when a firmware update is likely to become available. Netgear has yet to respond to El Reg's query on this point.

"Although the damage potential is high, the chances of it actually happening are low," Moore told El Reg. "It can be exploited with just a browser and the right set of circumstances... but the attacker would need an ideal environment – strong signal, minimal load on the router, etc – for an exploit to be successful."

"However, with minimal programming and when coupled with other Wi-Fi exploits, the risk and success rate increases dramatically. If deployed as a virus (spreading over encrypted networks), the user could still be at risk even after the firmware has been patched," he added.

Moore warned Virgin Media of his findings before going public with an advisory, published last week, after learning a firmware fix is unlikely to be available for weeks. Guarding against attack is a simple matter of changing a router’s default password.

"An attacker will still be able to connect when there’s no encryption, but crucially, they won’t be able to grab the encryption key needed to gain access beyond that point," Moore explained.

Virgin Media confirmed the vulnerability while talking down the potential for harm. An official moderator on its forums has promised a firmware fix is in development. The advice (from Jim Meadows, of Virgin Media's Help & Support Forum Team) downplays the risk of potential attack while repeating Moore's recommendation that users would be well advised to change their admin passwords.

The security of our services is of the highest importance and we are working with Netgear to develop and test a software update which will initialise encryption immediately from reboot and this is close to being issued.

We encourage all our customers to change their default passwords when they are installed. If anyone is unsure whether they have made this change, instructions on our website provide an easy guide on how this can be done at any time on our help pages at http://virg.in/sh2pass

If customers are concerned, then we would recommend that after changing the default password, they should also change the WiFi passphrase for additional security.

To confirm, the issue only relates to the Netgear VMDG485 device (SuperHub2) and, although we agree with the person who identified it that this is highly unlikely to happen, we have thanked them for bringing this to our attention.

Superhubs had an early history of flakey firmware updates around the time they were first introduced two years ago. El Reg's security desk trusts these issues have been ironed out.

A Virgin Media spokesperson added:

A potential issue has recently been brought to our attention which, while not affecting the majority of the equipment we supply, could allow someone in physical proximity to a Netgear VMDG485 device to gain access to its administrative settings and WiFi passphrase. To do so is relatively complex and is easily prevented by changing the default password, which we encourage all our customers to do when they are installed. If anyone is unsure whether they have made this change, instructions on our website provide an easy guide on how this can be done at any time. The security of our services is of the highest importance and we have been working with our supplier to develop and test a software update which is close to being issued.

®
