Virgin Super Hub 2 security bug – act now to close the hole

If you’re a customer of UK ISP Virgin Media and connect with the Super Hub 2 or Super Hub 2ac you’ll be pleased to know the company patched a significant security flaw during May.

Helpfully, Virgin’s automatic updating via the TR-069 remote management protocol means this issue should already be fixed for everyone bar the tiny number who might not have turned their routers on for many weeks.

Unfortunately, Naked Security has also learned that many of these routers – still used by the majority of Virgin’s five million subscribers – have a known and more fundamental problem that requires immediate user intervention to fix.

Before we get to that, let’s give a quick recap on the latest security flaw, which was discovered by researchers working for UK security consultancy, Context Information Security.

The problem relates to the way the router’s software design implements the creation of a configuration backup, something a user would do to reinstate specific settings quickly should a reset become necessary.

It turns out that while this file is encrypted, the key is embedded in the firmware binary. One might expect that, but, ridiculously, the key is the same for every configuration on every router, which means that anyone who extracts it (as the researchers did) can decrypt or forge configuration backups for every router running the same firmware.

It doesn’t matter whether the user has created a backup file or not – it is the mere ability for an attacker to create a backup that matters. Once they have done that they could simply overwrite the router’s configuration with their own.
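As an added illustration (not code from the article, from Context's research or from the router firmware), the difference between a single firmware-wide key and a per-device key derived from a unit-specific secret: a backup made on one unit then fails to verify under any other unit's key. The device secrets, serial numbers and configuration text below are constructed placeholders, and the HMAC-based stream cipher plus HMAC tag is a stdlib-only stand-in for a real AEAD such as AES-GCM.

```python
import hashlib
import hmac
import os

# Constructed placeholders. A real unit would hold its secret in OTP or
# secure storage and use its own serial number; a firmware-wide design
# instead bakes one key into the image shared by every router.
DEVICE_SECRET_A = hashlib.sha256(b"constructed-secret-A").digest()
DEVICE_SECRET_B = hashlib.sha256(b"constructed-secret-B").digest()
FIRMWARE_WIDE_KEY = hashlib.sha256(b"constructed-static-key").digest()

def hkdf_sha256(ikm: bytes, salt: bytes, info: bytes, length: int = 32) -> bytes:
    """RFC 5869 HKDF-SHA256 (extract, then expand) using only the stdlib."""
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm, counter = okm + block, counter + 1
    return okm[:length]

def backup_key(device_secret: bytes, serial: str) -> bytes:
    """Per-device backup key: same firmware, but a different key on every unit."""
    return hkdf_sha256(device_secret, serial.encode(), b"config-backup-v1")

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream from HMAC-SHA256 (toy PRF stream cipher)."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]

def encrypt_backup(key: bytes, config: bytes) -> bytes:
    """Encrypt-then-MAC: returns nonce || ciphertext || 32-byte HMAC tag."""
    enc_key, mac_key = hkdf_sha256(key, b"", b"enc"), hkdf_sha256(key, b"", b"mac")
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(config, _keystream(enc_key, nonce, len(config))))
    return nonce + ct + hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()

def decrypt_backup(key: bytes, blob: bytes) -> bytes:
    """Verify the tag before decrypting; the wrong unit's key is rejected."""
    if len(blob) < 48:
        raise ValueError("truncated backup")
    enc_key, mac_key = hkdf_sha256(key, b"", b"enc"), hkdf_sha256(key, b"", b"mac")
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("backup was not produced under this key, or was tampered with")
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct))))

def can_restore(key: bytes, blob: bytes) -> bool:
    """True if this key verifies and decrypts the given backup blob."""
    try:
        decrypt_backup(key, blob)
        return True
    except ValueError:
        return False
```

With the firmware-wide key every router (and anyone who has pulled the key from the image) can restore or forge every other router's backup; with the per-device derivation only the originating unit can.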

An obvious objection is that to do any of this they’d need remote access to the router’s configuration interface. There are a number of difficult ways this might be achieved but it transpires there is a simpler alternative that involves no hacking at all: simply enter the router’s default user name and password.

Incredibly, the Super Hub 2 (from 2013) and Super Hub 2ac (2015) shipped with weak default credentials, which remain weak unless users change them. Some will have done this but large numbers won’t.

The only additional security on the Super Hub 2ac is that it asks for the WPS (Wi-Fi Protected Setup) PIN. This makes things harder but would still be open to a brute force attack given the limited size of the string.

Which is the bigger problem: the configuration backup flaw or the weak credentials? Arguably, the latter.

There are other issues too. As already noted, updating is done automatically, which means the user base doesn’t have to do anything to receive a security patch. Apparently, Context Information Security told Virgin Media of the flaw in October 2016 but the company didn’t finish updating the routers until last month.

The delay is caused by Virgin having to assess the flaw before passing it back to the router maker (in this case Netgear) for a patch. This would then be passed back to Virgin which would still have to roll it out across millions of routers in a gradual way.

Said Context’s principal researcher, Andy Monaghan:

While ISP-provided routers like this are generally subject to more security testing than a typical off-the-shelf home router, our research shows that a determined attacker can find flaws such as this using inexpensive equipment.

Updated Super Hub 2 users should now be running v1.01.33, while for the Super Hub 2ac it should be v2.01.11 (v1.01.14 for Wi-Fi sharing areas). Virgin users running the 2016 Super Hub 3 (made by Arris) are not affected by the flaw. That product also ships with strong default credentials. Version numbers can be found in the main status pane, while the update time will be noted in the log files.

The message is simple: if you own one of these routers check that you have set a strong password and user name combination. Let’s not make life too easy for the hackers.