Yup, this was brought up within the past month, I believe, by a user here.
Myself and a couple of other users tested and confirmed this too.
I do not work for Virgin Media - all opinions expressed are my own and all answers are provided from my own and past experiences.
Assuming it's not being used in the wild already, a firmware fix followed by a full reset should resolve it.
If someone's dropped a RAT on a target PC, they're going to need professional advice to ensure it's safe, post firmware upgrade.
I'm really shocked at Netgear - I've dealt with them for years and never had anything like this.
As you correctly stated, since we can't for obvious reasons explore the concept further in public I can only ask a series of generalised questions without providing any supportive theory as I would normally attempt to do:
Do you submit the concept presents a greater risk due to:
1. The basic Netgear firmware/EOS and/or the VM configuration applied to it?
2. It's not therefore also seen in other vendor CM/Hubs?
3. The risk is statistically limited to those not employing layered security concepts even using SHub in default Router mode? (e.g. double nat'ing in that scenario)
Just genuinely interested, as I don't see anything specifically unique in your published concept that isn't already available in the public domain? No - I'm not denigrating your post, nor inferring/accusing you of plagiarism, and I do add my personal genuine thanks, fwiw, to you for taking the time/effort and social commitment to publish the "risk" here.
Regards Tony "Life is a Binary Inspired Turing Computed Hologram"(don't PM or @Mention me - in case ignoring you offends)
"1. The basic Netgear firmware/EOS and/or the VM configuration applied to it?"
Could be one, the other or a mixture of the two. If I had to put money on it however, I'd bet it's Netgear at fault here. I can't see a need for Virgin to alter the core functionality, so that's highly unlikely.
Having said that, the UI is almost certainly proprietary. The way it handles sessions, passwords & basic functionality is really poor. For example, embedding the admin & WiFi keys in the DOM; it's just asking for trouble. It also shows the UI creds are stored insecurely too.
"2. It's not therefore also seen in other vendor CM/Hubs?"
I can say with absolute certainty that Virgin/Netgear aren't the only firm affected by this.
"3. The risk is statistically limited to those not employing layered security concepts even using SHub in default Router mode? (e.g. double nat'ing in that scenario)"
Agreed with one caveat... the majority of Virgin customers don't understand security, let alone the structure of it. Point is, they shouldn't be expected to.
Of course, it's possible to configure your internal network such that this exploit will not work (or rather, it's of no benefit)... but the article is intended for use by your average home user. They're not interested in the technical aspects, payload delivery etc...
Forgot to mention...
We both know this isn't unique or limited to just VM; it's a concept the infosec community have discussed for years. This is low hanging fruit material... which begs the question, why are we still discussing it?
There have been a number of comments on Twitter/Reddit etc. with regard to the actual, tangible risk here... so let me put some of them to bed.
"Nobody is going to sit outside your house waiting for your router to reboot"
I have a feeling they're picturing an "enemy of the state", man in a van-type scenario, which is pretty laughable.
If someone wants to target you specifically, this exploit is the least of your worries. Sure, they *could* park outside and login but in reality, that's highly unlikely.
"This is a moot point, WPA2 can be broken quite easily anyway"
I still can't quite get my head around this. Any encryption can be broken given enough time & resources, but that doesn't negate the need for it. A burglar isn't going to smash your door in if you leave it unlocked... they typically look for low hanging fruit; easy targets. This, by any measure, is easy.
"He hasn't told us how he rebooted the device, that's suspicious!"
This isn't a step-by-step guide on how to break into a network. The intention is to raise awareness with users to help avoid the risks (however minimal), not exacerbate them.
"The engineer that fitted my SuperHub told me to leave the default password alone"
This was a Reddit comment, so I've absolutely no proof that it's genuine. It does, however, raise some serious questions...
1. Should the firmware be modified such that it won't function until the default password has been changed?
2. If we're expecting users to choose a secure UI password, why does the device store it in plain text? It should be using cryptographic hashing & key stretching at the very least.
3. Are engineers/installers doing enough to explain to customers what's expected of them / should "I will change the default password on my device" be on the Service checklist, removing liability from VM?
4. Why are the default WPA keys so weak (all lower case, short etc.)?
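As an added example (not code from this thread, nor from Virgin Media or Netgear), here is what point 2 is asking for, alongside point 4: a device storing its UI password as a salted, iterated hash rather than plain text, verifying a login attempt against that record in constant time, and generating a default passphrase from a larger alphabet so its entropy can be compared with a short lower-case-only key. The iteration count, salt length and alphabet are assumptions chosen for illustration, and the sample passwords are constructed.

```python
import hashlib
import hmac
import math
import secrets
import string
from typing import Optional

# Assumed parameters for this example; a real device would tune the
# iteration count to its CPU budget and keep the salt unique per record.
PBKDF2_ITERATIONS = 200_000
SALT_BYTES = 16
DEFAULT_ALPHABET = string.ascii_letters + string.digits  # 62 symbols


def store_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a storable record: algorithm, iteration count, salt and derived key.

    Unlike a plain-text field, the record does not reveal the password; an
    attacker who reads it must brute-force each guess through the same
    PBKDF2 work, and the random salt defeats precomputed tables.
    """
    if salt is None:
        salt = secrets.token_bytes(SALT_BYTES)
    derived = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${derived.hex()}"


def verify_password(record: str, candidate: str) -> bool:
    """Re-derive the key from the candidate and compare in constant time."""
    try:
        algo, iterations, salt_hex, derived_hex = record.split("$")
    except ValueError:
        return False  # malformed record
    if algo != "pbkdf2_sha256":
        return False
    derived = hashlib.pbkdf2_hmac(
        "sha256", candidate.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    # compare_digest avoids leaking where the first mismatching byte lies.
    return hmac.compare_digest(derived, bytes.fromhex(derived_hex))


def passphrase_entropy_bits(length: int, alphabet_size: int) -> float:
    """Bits of entropy for a key chosen uniformly from alphabet_size^length."""
    return length * math.log2(alphabet_size)


def generate_passphrase(length: int = 12, alphabet: str = DEFAULT_ALPHABET) -> str:
    """Generate a default key with a CSPRNG over the full mixed-case alphabet."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    # Constructed sample password; nothing here is a real credential.
    record = store_password("example-ui-password")
    print("stored record:", record)
    print("correct password accepted:", verify_password(record, "example-ui-password"))
    print("wrong password rejected:", not verify_password(record, "example-ui-passw0rd"))
    # A short, lower-case-only default versus a 12-character mixed default.
    print("8 x [a-z] key:", round(passphrase_entropy_bits(8, 26), 1), "bits")
    print("12 x [A-Za-z0-9] key:", round(passphrase_entropy_bits(12, 62), 1), "bits")
    print("sample generated default:", generate_passphrase())
```

Two records for the same password differ because each carries its own salt, so a leaked record gives no shortcut against other devices; the entropy comparison is the simple measure behind point 4, where roughly 38 bits for an 8-character lower-case key falls well short of the 71 bits a 12-character mixed-alphabet key provides.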
As mentioned earlier in this thread, the security of our services is of the highest importance and we are working with Netgear to develop and test a software update which will initialise encryption immediately from reboot; this is close to being issued.
We encourage all our customers to change their default passwords when they are installed. If anyone is unsure whether they have made this change, instructions on our help pages at http://virg.in/sh2pass provide an easy guide on how this can be done at any time.
If customers are concerned, then we would recommend that after changing the default password, they should also change the WiFi passphrase for additional security.
To confirm, the issue only relates to the Netgear VMDG485 device (SuperHub2) and, although we agree with the person who identified it that this is highly unlikely to happen, we have thanked them for bringing this to our attention.