We’d like to remind Forumites to please avoid political debate on the Forum.

This is to keep it a safe and useful space for MoneySaving discussions. Threads that are – or become – political in nature may be removed in line with the Forum’s rules. Thank you for your understanding.

📨 Have you signed up to the Forum's new Email Digest yet? Get a selection of trending threads sent straight to your inbox daily, weekly or monthly!

New Virgin Superhub exploit found

Lum
Lum Posts: 6,460 Forumite
Part of the Furniture 1,000 Posts Photogenic Combo Breaker
in Techie Stuff
http://www.henryhoggard.co.uk/security/hacking-superhubs-for-fun-and-profit-virgin-superhub-csrf-exploit/
I found that the Virgin Superhub ”V2.37.01″ is vulnerable to Cross Site Request Forgery, here users may be under the illusion that as their router is not open to the internet they are safe. However simply by visiting a malicious page, they could have their router’s password changed, remote auth enabled, and any number of ports opened, enabling attackers to control your router.
The page then goes on with the technical details. As exploits go this one is really quite simple. Even I understand how it works, so it's well within the capability of bored script kiddies looking to cause trouble.

I wasn't able to find any word of a fix, but given that it only works if you are logged in to the superhub, e.g. in another tab, then you can avoid this exploit by simply logging out (properly log out, not just close the tab) before doing any actual internet browsing, or by using a different browser to manage your superhub vs actual internet browsing (e.g. use IE to manage the hub and Firefox or Chrome for browsing)

Comments

  • Pikeyp
    Pikeyp Posts: 494 Forumite
    Part of the Furniture 100 Posts
    I wonder if this fixes it?
    I'm happy to announce that we've started to roll out the new R38 firmware for our Super Hub.

    The R38 firmware includes the following updates:
    • Fix for no downstream lock.
    • Fix for some units perpetually upgrading to R37.
    It'll be made available to our users on the following broadband packages on these dates, you'll need to reboot your Super Hub to get the firmware once it's available.

    21st May
    XXL

    29th May
    10, 30Mb, L, M, M+, M20,S, S5, XL, XXL100, XXL120

    30th May
    XL60

    31st May
    L30
    source ... http://community.virginmedia.com/t5/Announcements/Super-Hub-Firmware-R38-Update/td-p/1857642
  • kwikbreaks
    kwikbreaks Posts: 9,187 Forumite
    Pikeyp wrote: »
    I wonder if this fixes it?
    Almost certainly not. VM are not fast in fixing problems - it took over a year to fix a memory leak in the WiFi driver which caused the thing to hang quite frequently. If there was a fix to a security issue I'd expect to see that mentioned
  • Lum
    Lum Posts: 6,460 Forumite
    Part of the Furniture 1,000 Posts Photogenic Combo Breaker
    Given that that rollout started on the 21st and this exploit was discovered on the 26th I'd say it was unlikely. It also doesn't mention that exploit during its list of new features.

    However I'm not prepared to set up a page performing that update for real, to allow people to test their superhubs, due to the chances of getting flak for it.
This discussion has been closed.
Meet your Ambassadors

🚀 Getting Started

Hi new member!

Our Getting Started Guide will help you get the most out of the Forum

Categories

  • All Categories
  • 352.8K Banking & Borrowing
  • 253.8K Reduce Debt & Boost Income
  • 454.7K Spending & Discounts
  • 245.9K Work, Benefits & Business
  • 601.9K Mortgages, Homes & Bills
  • 177.8K Life & Family
  • 259.8K Travel & Transport
  • 1.5M Hobbies & Leisure
  • 16K Discuss & Feedback
  • 37.7K Read-Only Boards

Is this how you want to be seen?

We see you are using a default avatar. It takes only a few seconds to pick a picture.
Update Your Picture