Virgin Media says it has fixed multiple security vulnerabilities in its Super Hub 3.0 home broadband router modem following proof-of-concept exploits by a researcher at NCC Group.
The vulnerabilities would enable an attacker to remotely monitor traffic on home networks and execute commands on the device.
The flaws were discovered and disclosed to Virgin Media by Balazs Bucsay, managing security consultant at NCC Group.
The research was conducted over several months in 2016/17 and disclosed to Virgin Media in March 2017. Virgin Media confirmed that it patched the vulnerabilities in July 2018.
The exploit relied on leveraging multiple vulnerabilities to remotely authenticate as an administrator on the router without any intervention by the device owner.
Bucsay exploited three static cookies within the firmware’s web service binary, NCC said. This enabled him to bypass the authentication and authorisation functions to get admin privileges.
The exploit could be embedded in web pages and sent to users via spear-phishing emails.
Bucsay’s research into the modem was prompted by receiving one as a home customer of Virgin Media in 2016. Within hours of connecting the device to his network, he had discovered a remote command execution bug. This led to the discovery of further bugs which he was able to chain together into an exploit that enabled him to acquire control of the device remotely without any user interaction.
Commenting on the research, Balazs Bucsay said: "This discovery should alert other internet service providers to the importance of checking and upgrading the security of any third-party hardware they use.
"Vendors often supply the same firmware with small modifications to white label the product for different customers.
"Virgin Media should be praised for taking these vulnerabilities seriously in order to protect their customers, and it's vital that other providers follow their lead by upgrading their firmware."
A spokesperson for Virgin Media told SC that the issues have been fixed. "We have seen no evidence that these advanced technical exploits, carried out by NCC as a proof of concept, were used maliciously to impact customers," the company said. Patches have been rolled out automatically to Virgin Media customers, so no action is required from them.
Bucsay’s exploit is described in detail on the NCC Group blog.