Virgin Media has fixed multiple vulnerabilities in its Super Hub 3.0 broadband modem, after a researcher from global cyber security and risk mitigation expert, NCC Group, proved that they could enable hackers to remotely monitor network traffic and execute commands on the devices.
The firmware security flaws in a third party router, were discovered and disclosed to Virgin Media by Balazs Bucsay, managing security consultant at NCC Group, in 2017.
Bucsay was able to chain vulnerabilities together to create a remote exploit that could be actioned with no authentication from the Super Hub 3.0 owner.
By embedding the exploit in webpages and sending them to users via spear phishing emails, hackers could have controlled and installed backdoors in millions of modems, potentially giving them access to users’ internal home networks.
The vulnerabilities were located in multiple parts of the Super Hub 3.0’s firmware, including different services and additional web-related files.
By taking advantage of three different static cookies within the firmware’s web service binary, Bucsay was able to bypass its authentication and authorisation procedures and access all functionality of the device with administrator privileges.
Commenting on the research, Balazs Bucsay said: “This discovery should alert other internet service providers to the importance of checking and upgrading the security of any third- party hardware they use.
“Vendors often supply the same firmware with small modifications to white label the product for different customers.
“Virgin Media should be praised for taking these vulnerabilities seriously in order to protect their customers, and its vital that other providers follow their lead by upgrading their firmware.”
NCC Group responsibly disclosed the Super Hub vulnerabilities to Virgin Media in March 2017, after carrying out dedicated research to find them during the winter of 2016-2017. After working with NCC Group to fix the reported issues, Virgin Media rolled out a new firmware (version 9.1.116.608) in July 2018.
A detailed description of the research can be found in this blog.
