Researchers have discovered a zero-day vulnerability in Virgin Media’s Super Hub 3 routers that allows attackers to see VPN customers’ real IP addresses.
Nearly two years after originally alerting Virgin Media, a British telco, to the weakness, a UK penetration testing business, Fidus Information Security, has disclosed details of the flaw.
After first delaying disclosure for a year at the vendor’s request, Fidus’ R&D team made further attempts to reach Virgin Media and Liberty Global, both of which refused to respond.
However, Virgin Media told The Daily Swig that it is presently working on a “technical resolution” for what it also termed an “edge-case issue, potentially impacting only a very small subset of consumers” who use VPNs.
DNS rebinding attacks exposed VPN users’ IP addresses simply by “viewing a [malicious] webpage for a few seconds,” according to a blog post created by Fidus in March and published last week, which explains how the attacks were carried out.
DNS rebinding exploits turn a victim’s browser into a proxy for attacking private networks.
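A defender-side check for the rebinding pattern described above, as an added example that is not from Fidus or the original article: it scans resolver answers for a public hostname that starts resolving to an internal address. The log entries, hostnames, local suffixes and 60-second window are constructed assumptions.

```python
import ipaddress

# Constructed resolver log: (seconds, queried name, answer IP). All values are
# made up; 192.168.0.1 stands in for a home router's LAN address.
SAMPLE_LOG = [
    (0.0, "news.example.org", "192.0.2.10"),
    (1.0, "rebind.example.net", "203.0.113.7"),
    (4.0, "rebind.example.net", "192.168.0.1"),
    (5.0, "printer.home.arpa", "192.168.0.20"),
    (9.0, "cdn.example.com", "198.51.100.9"),
]

# Names expected to resolve inside the LAN (assumption for this sketch).
LOCAL_SUFFIXES = (".home.arpa", ".lan", ".local")

# Explicit ranges: ipaddress.is_private also matches documentation ranges.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16", "::1/128", "fc00::/7", "fe80::/10")]


def is_internal(ip):
    """True for RFC 1918, loopback, link-local and IPv6 unique-local addresses."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def find_rebinding(log, window=60.0):
    """Return (time, name, ip, reason) for answers that look like DNS rebinding."""
    last_external = {}  # name -> time of its most recent external answer
    alerts = []
    for ts, name, ip in log:
        name = name.lower().rstrip(".")
        if not is_internal(ip):
            last_external[name] = ts
            continue
        if name.endswith(LOCAL_SUFFIXES):
            continue  # LAN names may legitimately resolve to LAN addresses
        seen = last_external.get(name)
        if seen is not None and ts - seen <= window:
            reason = "external-to-internal flip within %.0fs" % (ts - seen)
        else:
            reason = "public name answered with internal address"
        alerts.append((ts, name, ip, reason))
    return alerts


if __name__ == "__main__":
    for alert in find_rebinding(SAMPLE_LOG):
        print(alert)
```

Resolvers that offer rebind protection apply the same idea at answer time by dropping internal addresses returned for public names.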
According to Fidus’ R&D team, they were able to de-anonymize devices whose IP addresses had been concealed by most “market-leading VPNs.”
Some VPN services, on the other hand, were able to stop the attack because they automatically restrict connections from public IP addresses in the area.
When LAN traffic was switched off, as many people do, those who had been protecting themselves from the attack were suddenly left open to it.
“Because of the vulnerability’s silent nature, the privacy consequences are particularly serious in this circumstance,” Fidus added. “Theoretically, it could be used on any well-known (and hence compromised) webpage to identify VPN users.
“Other, more implausible, scenarios are nation-state or law-enforcement organizations using this to unmask both criminals and those employing a VPN solution for their own safety.”
The risk to Virgin Media customers, on the other hand, is very low, according to a company representative.
Initially, the exploit was only tested on the ARRIS TG2492, but according to Fidus, it’s likely to work on other comparable devices.
According to Fidus, Liberty Global has installed the ARRIS family of DOCSIS fiber routers at a number of its own ISPs around the world.
CommScope, the network infrastructure provider, owns the ARRIS trademark, but Fidus thinks Liberty Global owns the firmware.
Fidus lamented, “They were vague with all the facts that really didn’t help us in any shape or form.” “We requested information on who else it could be passed to, but we never received it.”