The same encryption key ! It's about time there were substantial fines on manufacturers for such basic security failures then they may take it a bit more seriously than just paying lip service.
Virgin Media resolves flaw in config backup for Super Hub routers
A recently resolved flaw in Virgin Media wireless home routers gave hackers a means to gain unauthorised administrative-level access to the devices. Security shortcomings in software from the Super Hub 2 and Super Hub 2AC, manufactured by Netgear, were uncovered by researchers from Context Information Security, Jan Mitchell …
COMMENTS
-
-
-
Tuesday 13th June 2017 22:37 GMT illiad
Re: Article Correction
hub, switch, router, modem... No one (even most VM support staff!!!) have no Idea of the difference of these!!! :):) :P
they would call it 'internet thingy' but it's not 'cool' enuff... :/
at least its not called 'cable modem' like most switches / routers are in dixons... :(
-
-
-
Monday 12th June 2017 08:41 GMT frank ly
"Virgin rolled out a patch last month."
How did they do that? I'm sure I have a Hub 2 but I wasn't aware of it. Should I have been? It was some time last month that my internet connection started being slow and flaky. I fixed that by powering the hub down for a minute then turning it back on again.
-
Monday 12th June 2017 09:09 GMT Anonymous Coward
Re: "Virgin rolled out a patch last month."
how do they, etc? Well, they control the hub, which kind of makes me uneasy, but on the other hand, well, it is THEIRS, legally and technically. They issue patches remotely, and the patch is applied on the go. Sadly, it always seems to happen in the daytime, interrupting internet access. Fortunately, the outage lasts rarely longer than several minutes.
-
-
Monday 12th June 2017 11:55 GMT Anonymous Coward
Re: "Virgin rolled out a patch last month."
"Every time I subject myself to their customer service they claim that they can't even see my hub."
Last time I spoke to one of their reps, they said they could... even though I'd powered it down at the time 'cause I didn't believe them (evil of me, I know, but they kept telling me there was no fault yet I wasn't getting a connection to anywhere!).
Yesterday, however, I called (again, no internet connection) and it was all automated, including running tests on the equipment which it reported as taking a very long time... before saying 'its all clear but we'll do something automated anyway, just give it 10 minutes'...
Am guessing another Hub patch went out yesterday...
-
Monday 12th June 2017 17:26 GMT Down not across
Re: "Virgin rolled out a patch last month."
Am guessing another Hub patch went out yesterday...
Hmm..interesting. Mine is still the old original "SuperHub" (ie VMDG480) and strangely enough had reverted to default settings (why of course I run it in "modem mode") over the weekend. No, I wasn't expecting it and hence took a little while to realise that some issues were due to double-NATting.
I do wonder if the update wasn't just for for SH2 and later.
If only VM would allow dumping their crap and let customers source their own DOCSIS modem. Not least because if anything happens to the current one I do not want the buggy Puma 6 based version.
-
-
-
-
Monday 12th June 2017 11:41 GMT Lee D
Re: "Virgin rolled out a patch last month."
Have you never had your hub reboot on you, or do you just not monitor it?
My SamKnows broadband monitoring box often picks up the reboot and so knocks the statistics.
But my Draytek router also just fails-over to whatever else it likes when it happens (e.g. 4G / VDSL).
This is an IT site, yes? And you're just running a plain Superhub and haven't noticed this stuff?
-
-
Monday 12th June 2017 11:59 GMT Snowy
Super hub 1, 2, 2ac and Hub 3.0 firmware [ Edited ]
Post options
on 07-11-2016 13:36 - last edited an hour ago by Community Lead James_W
Super hub 1, 2, 2ac and Hub 3.0 firmware
Updated 7/4/17
Super Hub 1 V2.39.02
Super Hub 2 V1.01.33
Super Hub 2ac V1.01.11
Hub 3.0 V9.1.116V
(We are currently rolling out this firmware to all Hub 3.0 devices over the next month)
Which is 2 months ago but the page itself was updated 1 hour ago.
-
Monday 12th June 2017 15:00 GMT Velv
There is a confirmation on the page that 1.01.33 is the latest version, allegedly released 07/04/17.
My SH2 has this version, but is showing an uptime of 69 days. 7/4 is only 66 days ago, so they must have been rolling it out earlier (or they can load a new firmware without a reboot, which I doubt)
-
-
Monday 12th June 2017 11:25 GMT druck
ISP Provided Crap
While ISP-provided routers like this are generally subject to more security testing than a typical off-the-shelf home router
Really? ISP provided routers are normally the cheapest nastiest piece of crap they can lay their hands on.
On services where you can use your own equipment such as ADSL/VDSL use their router to check the services is up, then put it back in the box and use your own choice of router. I'd say bin it, but if you are unlucky enough to have a line fault, you may need to reconnect it just to get past some hell desk check list entry.
-
-
Tuesday 13th June 2017 05:27 GMT Anonymous Coward
Re: ISP Provided Crap
Which is what I also do, fine and dandy, as far as it goes.
The issue is that you still have to use their 'lowest common denominator' domestic router (in my case, a Superhub 3.0) in modem mode to access their network.
I quite understand why they'd want a reasonably homogeneous interface between customer equipment and theirs, and I don't really want the facility to purchase my own DOCSIS 3.0 modem and plonk it onto their cables, I just wish they'd offer us a choice between their 'all singing and dancing Superwhatevers' and a plain simple old modem, à la the old ambit ones, something along the lines of a SB6141.
-
-
Monday 12th June 2017 12:26 GMT inmypjs
Am I missing something?
You need access to the router's administrative control panel to down/up load theses encrypted configuration files which means you already have access to all available settings to 'pawn' the device.
A router I use also encrypts its configuration files and would rather they were plain text so I could inspect and compare them.
I really don't see any security issue or how they fixed it. If the file is encrypted with something router specific then you can't upload it to a replacement router which is half the point of the feature isn't it?
-
-
-
Monday 12th June 2017 18:05 GMT Down not across
Re: Virgin
Shame indeed. VM used to dish out just cable modem's. I suppose it would cost them more to have cable modem option along the "SuperHub". Their compromise is the "modem mode". Which took a while to arrive in the first place and I refused to replace the old Ambit until they had SH firmware with "modem mode".
<pedant>"modem mode" in quotes as that is what VM calls it. Bridge mode would be bit more accurate</pedant>
Really I'd like to have the option to just dump their kit and be able choose my own DOCSIS 3 modem but I do understand why VM won't allow that.
-
Monday 12th June 2017 13:01 GMT patrickstar
Uh, this is essentially a non-issue.
Basically they are complaining that having admin access to the box lets you pwn it. What are they gonna do next - post an advisory about how you can ssh into a Linux box and wreak havoc if you have the root password/key?
I guess their argument is that you aren't supposed to be able to break a shell on the underlying system from just having access to the web interface. Well, plenty of Linux based systems let you do that by design - are they next in line for "horrible security vulnerability found, panic!" ?
If anything, being able to break a shell on the box if you have proper credentials should be considered a feature, not a bug.
-
-
Tuesday 13th June 2017 09:05 GMT Tomato Krill
I (obviously) thought this but one barrel-scraping thought:
If you keep your (encrypted) backup on a share which doesn't require admin privileges, it'd be possible to replace it and either wait for a restore to be necessary or (needing physical access here) reset the router, prompting the owner to restore with you poisoned config backup?