Unpatched Virgin Media Super Hub uses single encryption key, warn researchers
Virgin Media fixes Super Hub security flaw uncovered by researchers
Virgin Media has rushed out patches to secure its Super Hub routers after researchers found a glaring security flaw that would enable attackers to gain full administrative rights to every Virgin Media Super Hub in the UK.
Researchers at Context Information Security reverse engineered the Super Hub's firmware and found that they could gain administrative access by restoring crafted backups of user configuration data, such as port forwarding and dynamic DNS settings.
The root cause was that the encryption key protecting these backups is identical on every Super Hub, so an attacker who extracted the key from a single unit could take over any Virgin Media router.
At worst, that level of access would let an intruder reach the entire home network and change settings on any device attached to it.
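To make the shared-key problem concrete, here is an added toy model (not Context's research code and not the Super Hub's real backup format; the key names, the encrypt-then-MAC construction and the sample config are all constructed). It contrasts a fleet-wide backup key with one derived from a per-unit secret and checks whether a backup sealed on one unit restores on another.

```python
import hmac, hashlib, json, os

# Constructed stand-in for the single key the article says every unit shares.
FLEET_KEY = b"same-key-burned-into-every-unit"

def per_device_key(device_secret: bytes) -> bytes:
    """Derive a backup key bound to one unit from a secret only that unit holds."""
    return hmac.new(device_secret, b"config-backup-key-v1", hashlib.sha256).digest()

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out = b""
    for counter in range((length + 31) // 32):
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
    return out[:length]

def seal_backup(key: bytes, config: dict) -> bytes:
    """Encrypt-then-MAC a configuration blob (toy scheme for illustration only)."""
    plaintext = json.dumps(config, sort_keys=True).encode()
    nonce = os.urandom(16)
    ciphertext = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag

def restore_backup(key: bytes, blob: bytes):
    """Return the config if the blob authenticates under this unit's key, else None."""
    nonce, ciphertext, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None  # rejected: produced under a different key or tampered with
    plaintext = bytes(a ^ b for a, b in zip(ciphertext, _keystream(key, nonce, len(ciphertext))))
    return json.loads(plaintext)

def cross_device_restore(shared: bool) -> bool:
    """Does a backup sealed on unit A restore on unit B? True means the shared-key flaw."""
    secret_a, secret_b = os.urandom(32), os.urandom(32)  # constructed per-unit secrets
    key_a = FLEET_KEY if shared else per_device_key(secret_a)
    key_b = FLEET_KEY if shared else per_device_key(secret_b)
    blob = seal_backup(key_a, {"port_forward": [{"ext": 2222, "int": 22}]})
    return restore_backup(key_b, blob) is not None
```

With the fleet-wide key, unit B accepts a backup it never produced; with a per-unit key, the same backup fails authentication, which is the property a fix needs to restore.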
Andy Monaghan, a principal security researcher at Context said: "The Super Hub represents the default home router offering from one of the UK's largest ISPs and is therefore present in millions of UK households, making it a prime target for attackers.
"While ISP-provided routers like this are generally subject to more security testing than a typical off-the-shelf home router, our research shows that a determined attacker can find flaws such as this using inexpensive equipment."
"ISPs will always be at the mercy of their hardware suppliers to some extent," said Jan Mitchell, a senior researcher at Context.
"Recent press coverage of attacks such as the Mirai worm highlights the importance to vendors of carrying out independent security testing of their products to reduce the likelihood of exploitation in production devices. Thankfully, Virgin Media was quick to respond to Context's findings and start the remediation process."
A spokesperson for Virgin Media said, in a statement: "As made clear in Context's blog post, Virgin Media has deployed a firmware patch to our SuperHub 2 and 2AC routers that addresses this issue.
"We take the security of our customers very seriously and experts within our organisation often work with trusted third-parties to help keep our customers as secure as possible. We thank Context for their professionalism and cooperation."
To confirm, then: there was a real issue, but thanks to Context's disclosure Virgin Media has fixed it, and as long as you are not blocking your router from updating to the latest firmware version, there is nothing to worry about.
Virgin Media recently announced that it would turn customers' routers into public hotspots, in the same way BT does with FON.