kpnutz954
Joining in
Message 251 of 259

Re: Virgin Media WiFi Security

Hi Tim

Thanks, I am aware it is new to the public today; it has been, as pointed out, with the manufacturers since August. I think I should have started a new post on this, as I was only able to find this post when I first posted it.

Next time I will start a new post rather than tag on to another.

Karl

Superuser
Superuser
Message 252 of 259

Re: Virgin Media WiFi Security

@kpnutz954 I'll let you off.

I have had a quick read of the abstract, and based on what I can see, it's actually a vulnerability in the WPA2 standard itself, but it's actually used against wireless clients, not routers. For example, take note of this comment here in the Abstract:

Notably, our attack is exceptionally devastating against Android 6.0: it forces the client into using a predictable all-zero encryption key

The initial handshake used to set up the connection is unencrypted.  So the attackers capture the packets they need and modify the packets used in the third part of the handshake.  They then replay these modified packets out and the client picks them up and is tricked into performing the final part of the handshake again.

Note as well that the CVE states that this affects all devices that are implementing the WPA2 standard correctly. So to defeat this, the patches are actually going to need to modify step 4 of the handshake. But they need to do that without compromising the WPA2 standard as a whole.

Tim

________________________________________


Only use Helpful answer if your problem's been solved.
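
An added illustration of the handshake behaviour described in the post above, not part of any post in this thread: a toy Python model of a client that reinstalls its session key when handshake message 3 arrives a second time, beside one that ignores a repeat of the key it already uses. The `Client` class, the hash-based keystream and the key value are constructed for the example and are not real WPA2/CCMP code.

```python
import hashlib

def keystream(key: bytes, nonce: int, length: int) -> bytes:
    # Toy stand-in for a nonce-based cipher (NOT CCMP): SHA-256 of key || nonce.
    return hashlib.sha256(key + nonce.to_bytes(8, "big")).digest()[:length]

class Client:
    """Constructed model of a Wi-Fi client handling handshake message 3."""

    def __init__(self, patched: bool):
        self.patched = patched
        self.key = None
        self.nonce = 0        # per-frame packet number
        self.used = []        # (key, nonce) pairs that encrypted a frame

    def on_message3(self, key: bytes) -> None:
        if self.patched and key == self.key:
            return            # key already in use: keep the nonce counter
        self.key = key        # (re)install the key ...
        self.nonce = 0        # ... which also resets the nonce counter

    def send(self, plaintext: bytes) -> bytes:
        self.nonce += 1
        self.used.append((self.key, self.nonce))
        ks = keystream(self.key, self.nonce, len(plaintext))
        return bytes(p ^ k for p, k in zip(plaintext, ks))

def nonce_reused(patched: bool) -> bool:
    """True if two frames were encrypted under the same (key, nonce) pair."""
    key = b"constructed-session-key"   # sample value, not a real key
    client = Client(patched)
    client.on_message3(key)            # normal handshake completes
    client.send(b"first frame")
    client.on_message3(key)            # message 3 arrives a second time
    client.send(b"second frame")
    return len(set(client.used)) != len(client.used)

if __name__ == "__main__":
    print("unpatched client reuses a nonce:", nonce_reused(False))
    print("patched client reuses a nonce:  ", nonce_reused(True))
```

A repeated (key, nonce) pair means both frames are XORed with the same keystream, which is why the fix lives in how the client handles a repeated message 3 rather than in the Wi-Fi password.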

mr_ian
Up to speed
Message 253 of 259

Re: Virgin Media WiFi Security

A solution is already available and AFAIK is not so complex.  But will probably take months to get implemented, and is most likely to be implemented very quickly for clients (esp. Windows/OSX/Linux). 

In the meantime don't worry, because it's not a hack that can be implemented via the internet - someone would need to be outside your house and mimic your SH.  Websites using HTTPS would still be secure, and there is no need to change your Wifi password (it is not revealed in the hack)

ajska
Joining in
Message 254 of 259

Re: Virgin Media WiFi Security

Not sure if anyone has mentioned this, but your password to log into the hub uses http - so the password is sent in clear text and can be 'sniffed' by a packet analyser. Can't see an obvious method to change this on my hub.

Cheers

AJ

Superuser
Superuser
Message 255 of 259

Re: Virgin Media WiFi Security


ajska wrote:

Not sure if anyone has mentioned this, but your password to log into the hub uses http - so the password is sent in clear text and can be 'sniffed' by a packet analyser. Can't see an obvious method to change this on my hub.

Cheers

AJ


Certificate authorities won't issue security certificates for router admin page addresses, and you have to be already connected to the home network in order to use the admin password.

**********************************
I work for Virgin Media - but all opinions posted here are my own
Superuser
Superuser
Message 256 of 259

Re: Virgin Media WiFi Security


ajska wrote:

Not sure if anyone has mentioned this, but your password to log into the hub uses http - so the password is sent in clear text and can be 'sniffed' by a packet analyser. Can't see an obvious method to change this on my hub.

Cheers

AJ


If logging on wirelessly, the password would be encrypted using the wireless encryption method being used, and good luck sniffing wired traffic.

Superuser
Superuser
Message 257 of 259

Re: Virgin Media WiFi Security

To echo what Griffin says, you'd be hard-pressed to sniff a wired connection directly to the hub. Wireless is subject to encryption anyway.

Note: If you are really that paranoid you could use https://192.168.0.1 instead, but because Arris uses certificates that are not properly signed (because you can't issue certificates for localhost), Google will throw up a warning that it's insecure (it's not, although it does only use a 1024-bit cipher for the encryption).

Tim

________________________________________


Only use Helpful answer if your problem's been solved.

ajska
Joining in
Message 258 of 259

Re: Virgin Media WiFi Security

Yep, but I was thinking more of landlord/HMO situations or where your kids share the wireless connections with their mates. There are ways around this (only administer the hub via a wired connection, as you suggest); most people may not realise that people could get to see the password if they're logged into the wireless network.

mr_ian
Up to speed
Message 259 of 259

Re: Virgin Media WiFi Security

A bit confused.  The wifi password is different to the admin password (or should be!!).  If you don't want to share your wifi password you can use WPS instead.

If you're accessing the admin page via the internet then it is https on port 8443, though as already said there will be no certificate to validate it.
