Virgin Media UK broadband ISP (VMO2) confirmed to ISPreview.co.uk that they have yet to address a long-standing security issue in their HUB 3.0 (ARRIS TG2492) routers, which could be used among other things. for “silently unmask”The real IP address, issued by the ISP, of the users of the virtual private network (VPN).
A Virtual private network (VPN) works much like a network within a network. These services are basically in their own secure, encrypted layer above your primary internet connection, which routes your traffic to the VPN’s own servers and assigns you a different Internet Protocol (IP) address than your ISP.
Suffice it to say, VPNs add extra security to your internet connection, which is especially useful (we’d say essential) when you’re working remotely or traveling on vacation (it’s wise to never trust public Wi-Fi connections. or hotel, etc.). But at the same time, it means putting a lot of trust in the VPN provider itself.
Either way, the one thing a VPN user really wouldn’t like is their actual IP address – assigned by the ISP – to be exposed, which appears to be exactly what the aforementioned exploit in the very used from Virgin Media. HUB 3.0 the router would allow it.
The vulnerability was first discovered by security researchers at Fidus in October 2019, which was recognized by Virgin Media two days later. But in February 2020, the operator asked Fidus to suspend public disclosure until the first quarter of 2021 and the group agreed. Since then, Fidus has made several attempts to obtain a VM update, but none have been possible. Details on the matter were then released in March 2021.
Description of Fidus from CVE-2019-16651
The Fidus R&D team identified a vulnerability in Virgin Media Super Hub 3 routers that allowed the exfiltration of sensitive information remotely, which, among other things, can be used to determine the actual IP address issued by the ISP of users. VPN users. A vulnerability that we were asked not to publish for an entire year.
A DNS binding attack is used to reveal a user’s real IP address by simply visiting a web page for a few seconds. This has been rendered graphically for proof of concept purposes, but it’s important to note that it can be performed silently. During our testing, it was possible to unmask the real IP addresses of users of several popular VPN providers, resulting in complete de-anonymization.
The underlying router model (ARRIS TG2492) and associated models are a series of DOCSIS fiber optic routers known to be used by multiple ISPs around the world, many of which are owned by Liberty Global, which also owns Virgin Media.
In short, such an attack, which involves some DNS binding (i.e. manipulation of domain name resolution), only takes a few seconds and a user’s actual underlying IP address can thus be unmasked by doing something as simple as visiting a URL (website / web page). But building this attack takes a bit more effort, and it’s unclear if anyone is actively deploying it.
We note how the exploit found by Fidus worked with some VPN providers, but not all. For example, a VPN provider that blocks access to local IP addresses by default will prevent this attack, but many of those providers don’t.
Needless to say, Virgin Media’s apparent inability to respond to Fidus’ requests for an update on their progress towards a resolution led us, following a prompt from one of our readers (credits to Wayne), to Chase the operator. Unfortunately, they haven’t fixed it yet, which probably explains their earlier silence.
A Virgin Media spokesperson told ISPreview.co.uk:
“We are aware of a very technical issue which in very specific circumstances could impact customers using a VPN when accessing a malicious website. A very specific set of circumstances would need to be in place for a customer to be impacted, which means the risk to them is very low.
We have strong security measures in place to protect our network and keep our customers safe. We are not aware of any customers affected by this issue and they do not need to take any action. “
The fact that a patch has yet to be produced for HUB 3.0 suggests that it could still impact other cable companies that supply the same device from ARRIS. But in the mind of Virgin Media, only a small portion of their base actually uses a VPN (small is a relative term when you have over 5.5 million customers), although that’s little consolation for those who do.
The severity of it all depends perhaps, at least in part, on how you view the exposure of an IP address provided by an ISP in general. Customers who use the Internet in general on a daily basis will of course expose their IP address when they visit a website. But obviously, if one of your expectations when using a VPN is not to expose the IP address assigned to your ISP, that can be a much bigger problem.
Arguably the biggest concern here is the passage of time and how the issue, despite being reported two years ago, has still not been resolved. Virgin Media informed us that they are working on a technical fix, which could be implemented while avoiding disruption for all of their customers. But there is no indication of how long it will take before it is deployed.