Last week, security researcher Paul Moore reported that a vulnerability in Virgin Media’s Super Hub and Super Hub 2 routers (produced by Netgear) could be exploited to hijack the devices. Virgin Media representatives say they’re working with Netgear on addressing the issue.
Moore found that when these routers boot, there is a 7-second window in which Wi-Fi is enabled but encryption is not. An attacker within range can use this window to obtain the encryption key.
An attacker needs the password for the router's user interface in order to obtain this information. However, the devices ship with a default password that users rarely change, so this is not a significant obstacle.
Moore has also found a way to force the reboot of the device, so an attacker would not have to wait around for the target to restart the router.
In a response to a discussion on this topic on the Virgin Media forum, Jim Meadows, a member of the Help and Support Forum team, provided the following statement:
“The security of our services is of the highest importance and we are working with Netgear to develop and test a software update which will initialise encryption immediately from reboot and this is close to being issued.
We encourage all our customers to change their default passwords when they are installed. If anyone is unsure whether they have made this change, instructions on our website provide an easy guide on how this can be done at any time, on our help pages at http://virg.in/sh2pass
If customers are concerned, then we would recommend that after changing the default password, they should also change the WiFi passphrase for additional security.”
So Virgin Media agrees with Moore’s recommendations. On the other hand, in his statement, Meadows downplays the seriousness of the security hole.
“To confirm, the issue only relates to the Netgear VMDG485 device (SuperHub2) and, although we agree with the person who identified it that this is highly unlikely to happen, we have thanked them for bringing this to our attention,” he noted.
In a statement provided to The Register, Virgin Media representatives reiterate the recommendations and advise users to change their default passwords. They’ve also promised a permanent fix for the issue, but it’s uncertain when it will be rolled out.
“The security of our services is of the highest importance and we have been working with our supplier to develop and test a software update which is close to being issued,” they noted.