
HUB 3.0 VPN Vulnerability

Amilya
Tuning in

Hi there.

I've been working from home recently and have to log into a works computer system using their supplied VPN service. The work is quite sensitive and recently I was contacted as I am using Virgin Media. I have been told I must no longer log in using my current connection due to my Hub having a potentially severe vulnerability and that I should contact Virgin for a resolution. They didn't say what the vulnerability was other than to do with VPN.

When I queried it further I was given the following link to visit:

https://www.ispreview.co.uk/index.php/2021/09/virgin-media-o2-uk-still-suffers-router-bug-that-expos...

Any help is greatly appreciated as well as a swift resolution.

Thank you.


用心棒
Very Insightful Person

Issue has been flagged to the forum team; be aware it can take them a few hours / days to respond.


Alex_RM
Forum Team

Hi Amilya,

Thanks for posting, and sorry to hear you have some concerns regarding your connection.

I've been able to locate your details using your forum information and the hub specifications are what we'd expect.

Can I ask who advised you there was an issue?

Alex_Rm

Hi Alex thanks for getting back to me.

It was the IT department from the people I work for. I can't divulge much else. When I am working, the device's connection goes through a VPN. If you care to look through the article I posted you will see there is a severe bug. A quick Google search for 'hub 3 vpn vulnerability' also lists multiple articles about this and that it has not been fixed.

A quote from the top of the article at ispreview shows this "Broadband ISP Virgin Media UK (VMO2) has confirmed to ISPreview.co.uk that they’ve yet to fix a long-running security issue in their HUB 3.0 routers (ARRIS TG2492), which among other things could be used to “silently unmask” the actual, ISP issued, IP address of Virtual Private Network (VPN) users." then proceeds to give more details.

This is not at all a good thing for me in any way shape or form unfortunately! =(

@Amilya for what it’s worth, in my opinion your work’s IT people are either being massively over cautious or simply don’t understand what this vulnerability is or assessed the potential risk.

All that a VPN does is to connect two networks together (i.e. your home network and your company's network) through an encrypted tunnel across the internet. This has two major features. The first is that all traffic (data) going across this tunnel is encrypted in such a way that even if it were being intercepted (and as it is the public internet, you would have no way of knowing if it was), then the data are unreadable - well, at least in theory, and if the VPN has been set up properly. Secondly, your public IP address (i.e. where you seem to be connecting to the internet from) now appears to be whatever the address of the other end of the tunnel is, rather than your 'real' home address.

The bug in the VM router means that in certain circumstances, the router can be made to reveal what your real home address is - now this might be a problem if you are trying to avoid the authorities knowing where and who you actually are. Think about some countries where access to, say, Twitter is blocked but you might be able to get around this via a VPN; the authorities might be able to track where you really are connecting from and take action.

However, the actual data you are sending over the VPN are still fully encrypted and not readable - if your work IT are worried that somehow this bug means that some unauthorised person could potentially be reading all the traffic, then that simply isn't the case.

So unless you happen to be working for the military or the security services (in which case I'd be astonished that they would let you work from home using a domestic internet connection anyway), there really is no reason to think that your connection is any less secure than one from BT or Sky.

Which brings me back to thinking, at least from the information you have provided, that your IT department have simply misunderstood what this vulnerability is, or possibly they are trying to reduce their workload by not having to support some VPN connections 😉

In terms of fixing it, realistically it's not going to happen, at least any time soon - the fact that there are so many other bugs in the hub firmware which haven't been addressed, and that this really isn't going to impact many customers at all, doesn't inspire much confidence that VM will be looking to tackle this as a priority.

If you can't convince your IT department otherwise then I can't see any solution other than changing internet providers or stopping working from home. I believe that if your company requires or encourages working from home, then it would be reasonable to expect them to foot the bill for changing providers.

John

goslow
Alessandro Volta

@Amilya wrote:

Hi Alex thanks for getting back to me.

<snip>

This is not at all a good thing for me in any way shape or form unfortunately! =(


If VM have been aware of this for 2 years, and have not acted, then it seems likely that any fixes will be entirely on VM's own leisurely timescale, if they fix it at all.

Comments in the linked articles and elsewhere suggest that having the VM hub in modem mode, and using your own router, removes the problem. If that is correct, then you should find out from your company IT department what third party router will work with the company VPN and the VM hub in modem mode and be acceptable to them from a security POV.

If any extra hardware is required for you to do your work securely, then it is something that you employer should be providing for you at their expense since they are the ones who have alerted you to the problem. It shouldn't be up to you as an individual staff member to resolve your company's IT security issues while WFH.

Well, to be honest, if I'm paying for Virgin to supply equipment then I don't think it is unreasonable to expect it to work correctly and be as secure as possible. I can understand that bugs can be discovered afterwards, but knowing for 2 years and not doing anything about it is appalling; it should not be up to me to make an additional purchase of a new router in order to 'fix' a bug that should have been corrected long ago. If it cannot be fixed, then an alternative model should be made available.

-tony-
Alessandro Volta

There is the option of a Hub 4; however, I am not sure VM will swap out a new hub for the reason given. Whether the same bug exists in that I have no idea, and I doubt VM will confirm either way even if they do. You are paying for a domestic connection with no bells and whistles; if you choose to use a VPN then I suggest that's up to you.

You are actually paying for the BB service. The hub belongs to VM and is issued FOC as part of the service; you don't own it.

In my mind you have choices:

1 - Tell your IT dept it is wrong, as outlined in the informative post above.

2 - Use whatever hub you have from VM in modem mode and add a 3rd party router approved by your IT dept. The cost of that is up to you or your employer.

3 - Change ISP. Whether any other supplied hub is better or worse I have no idea. If you do change ISP then I would go to one that your IT dept is happy with; you have all the usual choices as well as VM Business.

If you do decide to change ISP and you are still in contract then there may be early termination fees. VM will not reduce or cancel those for the problem you think you are having, I would suggest.

Tony.

goslow
Alessandro Volta

@Amilya wrote:

Well to be honest, if I'm paying for Virgin to supply equipment then I don't think it is unreasonable to expect it to work correctly and be as secure as possible. I can understand that bugs can be discovered after but knowing for 2 years and not do anything about is appalling, it should not be up to me to make an additional purchase for a new router in order to 'fix' a bug that should have been corrected long ago. If they cannot be fixed, then an alternative model should be made available.


You are paying VM for a residential connection, and the VM hub is a domestic-grade piece of equipment only designed for basic use at home. VM acknowledge a certain amount of WFH in their T&Cs but expressly state they accept 'no liability for any business losses you may suffer'.

There are many aspects where VM could improve security on their residential service to match current security standards such as password structure/format on user accounts, known default passwords on older superhubs, lack of two factor authentication for its services etc. VM have chosen not to change any of these things, despite them being known about for a long time.

If, as you have described, your work is highly sensitive and confidential, then the onus is on the company you work for to make sure you can operate in a secure way within the confines of your VM residential service by providing you with a router which has adequate security (if that is actually the solution). If they are allowing you to carry on WFH on sensitive material when they have identified a potential risk to the security of your work because of a perceived security flaw in your home internet connection, then that would be a very questionable decision on the part of your employer.

That is a poor excuse, to be honest. Giving shoddy equipment to customers and saying that it's okay to have lax security because it's just 'residential use' is appalling.