Zero-Day Vulnerability Found in UK Virgin Media Routers
Researchers: Vulnerability Unmasks Users' VPNs; Virgin Media: Risk Is 'Very Low'
Researchers at Fidus Information Security have found a zero-day vulnerability in U.K. broadband and cable TV provider Virgin Media’s Super Hub 3 routers that enables an attacker to unmask IP addresses of Virgin Media VPN users.
The vulnerability allows an attacker to exfiltrate sensitive information remotely and use the data to determine the ISP-issued IP address of Virgin Media VPN users, the researchers say.
The vulnerability, which is being tracked as CVE-2019-16651, was discovered on Virgin Media Super Hub 3 (based on ARRIS TG2492) devices and related models known to be used by multiple ISPs around the world.
"A DNS rebinding attack is utilised to reveal a user’s actual IP address by simply visiting a webpage for a few seconds. This has been made graphical for Proof of Concept purposes, but it is important to note this can be silently executed," the researchers note.
During testing, the researchers say, it was possible to unmask the true IP address of users across multiple popular VPN providers, resulting in complete de-anonymization.
Finding Held for 1 Year
Fidus, a U.K.-based penetration testing and consultancy firm, says U.S.-based Liberty Global, which owns Virgin Media, asked it to hold back from releasing its finding for a year.
The vulnerability was reported to Virgin Media in October 2019 and was acknowledged by the firm two days later. But in February 2020, Virgin Media requested that the researchers not disclose it publicly until the first quarter of 2021, and the group agreed. When Fidus did not receive any feedback from the company after March 15, however, it decided to publish the finding now.
No Action Needed, Virgin Media Says
Speaking to Information Security Media Group, a Virgin Media spokesperson downplayed the finding, saying that the vulnerability was complex to exploit and only a small number of VPN users would be concerned about their IP address being exposed.
The spokesperson tells ISMG that someone would have to jump through a lot of hoops to reveal an individual’s IP address - which the overwhelming majority of people freely share whenever they browse the internet.
"We are aware of a highly technical issue which, in very particular circumstances, could impact customers using a VPN while accessing a malicious website. A very specific set of circumstances would need to be in place for a customer to be impacted, meaning that the risk to them is very low," the spokesperson notes.
Further, the spokesperson says that the firm has strong security measures in place to protect its network and keep its customers secure. Virgin Media also says that it is not aware of any customers being affected by this issue.
The company claims its customers need not take any action. It tells ISMG, "This is an edge-case issue, potentially impacting only a very small subset of customers, and poses no real threat to them. We are working on a technical fix which can be implemented while avoiding disruption for all of our customers."
Researchers tested the exploit with a few VPNs to confirm its validity. Some VPN providers block access to local IP addresses by default, which they claim prevents this attack, but many did not.
The researchers also released a video that demonstrates the attack, along with the speed with which the attack can be carried out.
"For PoC purposes, the video has an interactive GUI, but in a real-world scenario, this attack can be launched silently on a completely legitimate-looking webpage without the user’s knowledge," the researchers note.
A Virgin Media spokesperson says this complex issue is an information disclosure issue that could affect a customer using a VPN service. If that customer visits a malicious website, the spokesperson says, they could reveal their IP address despite using a VPN service.
The company claims that a vast majority of its customers do not use a VPN to hide their IP address and freely share their IP address when browsing the internet, which means the vast majority of its customers are not affected by this issue.
The spokesperson adds that customers who use the internet on a daily basis expose their IP address when visiting any websites.
"For the small proportion of customers that use a VPN service, if a third party were to exploit this complex issue, they could, in theory, gain visibility of the customer’s IP address. Other than disclosing this information - something which technically should not happen - we are not aware of any risk to these customers," the spokesperson says.