Got a Netgear router from Virgin Media? Change your admin password NOW
Wi-Fi cred-baring vuln lets attackers take full control
A Wi-Fi security flaw leaves Virgin Media subscribers' wireless connections vulnerable to takeover by hackers.
The vulnerability, identified by IT consultant Paul Moore, means Virgin Media Superhub router/modem combo devices leak users' passwords every time they reboot. The issue arises because the Netgear-manufactured device initially brings up the wireless network without any form of encryption, allowing it to accidentally leak its Wi-Fi password in the clear to anyone nearby.
"After the seven-second window, the router takes the Wi-Fi card offline, enables encryption and brings the card back up," Moore explains. "That’d be great, if we hadn’t already broadcast the encryption key to everyone nearby.”
That’s akin to reading your password aloud while you change it.
Moore warns that hackers can take advantage of the vulnerability by forcing a device within range to reboot before snaffling the password. He wrote a proof-of-concept script that could automate this task while acting as a worm going from one router to another.
Successful exploitation of the trick, which is far from reliable, would allow miscreants to get up to all sorts of mischief, such as redirecting surfers from genuine websites to fraudulent versions in order to browse the hard drives of victims on the compromised networks. Hackers could even use a compromised connection to access illegal material in someone else's name.
Tricky exploit is easy to thwart
The vulnerability is limited to the Netgear VMDG485 hub, supplied to Virgin Media customers as SuperHub2. The flaw means that, during the short time the device is booting up, it might be possible for someone physically nearby to gain access to its administrative settings web page and Wi-Fi passphrase, which is sent in the clear during the unencrypted window.
Fortunately the attack would be difficult to pull off in practice - and is easily prevented by changing the default password, which Virgin encourages all its customers to do when they are first installed. Virgin is working with Netgear to develop and test a software update to automate the process of making the changes.
It's unclear even approximately when a firmware update is likely to become available. Netgear has yet to respond to El Reg's query on this point.
"Although the damage potential is high, the chances of it actually happening are low," Moore told El Reg. "It can be exploited with just a browser and the right set of circumstances... but the attacker would need an ideal environment – strong signal, minimal load on the router, etc – for an exploit to be successful."
“However, with minimal programming and when coupled with other Wi-Fi exploits, the risk and success rate increases dramatically. If deployed as a virus (spreading over encrypted networks), the user could still be at risk even after the firmware has been patched," he added.
Moore warned Virgin Media of his findings before going public with an advisory, published last week, after learning a firmware fix is unlikely to be available for weeks. Guarding against attack is a simple matter of changing a router’s default password.
"An attacker will still be able to connect when there’s no encryption, but crucially, they won’t be able to grab the encryption key needed to gain access beyond that point," Moore explained.
Virgin Media confirmed the vulnerability while talking down the potential for harm. An official moderator on its forums has promised a firmware fix is in development. The advice (from Jim Meadows, of Virgin Media's Help & Support Forum Team) downplays the risk of potential attack while repeating Moore's recommendation that users would be well advised to change their admin passwords.
The security of our services is of the highest importance and we are working with Netgear to develop and test a software update which will initialise encryption immediately from reboot and this is close to being issued.
We encourage all our customers to change their default passwords when they are installed, if anyone is unsure whether they have made this change, instructions on our website provide an easy guide on how this can be done at any time on our help pages at http://virg.in/sh2pass
If customers are concerned, then we would recommend that after changing the default password, they should also change the WiFi passphrase for additional security.
To confirm, the issue only relates to the Netgear VMDG485 device (SuperHub2) and, although we agree with the person who identified it that this is highly unlikely to happen, we have thanked them for bringing this to our attention.
Superhubs had an early history of flakey firmware updates around the time they were first introduced two years ago. El Reg's security desk trusts these issues have been ironed out.
A Virgin Media spokesperson added:
A potential issue has recently been brought to our attention which, while not affecting the majority of the equipment we supply, could allow someone in physical proximity to a Netgear VMDG485 device to gain access to its administrative settings and WiFi passphrase. To do so is relatively complex and is easily prevented by changing the default password, which we encourage all our customers to do when they are installed. If anyone is unsure whether they have made this change, instructions on our website provide an easy guide on how this can be done at any time. The security of our services is of the highest importance and we have been working with our supplier to develop and test a software update which is close to being issued.