UK Internet Service provider Virgin Media has failed to fix a vulnerability in their HUB 3.0 routers which has huge implications for VPN users.
As most readers will already know, one of the key reasons for connecting to a VPN is the online privacy it can afford you. One of the primary features that any half-decent VPN can offer you is to hide your real IP Address from the websites you visit and other internet users.
Unfortunately, this particular vulnerability can be used to ‘silently unmask’ the IP Address of any VPN user who is connecting via a Virgin Media HUB 3.0 router.
What Fidus Found
According to reports, the vulnerability was first discovered by security researchers at Fidus. They found that they could remotely read sensitive information from the router, including the IP Address that Virgin Media had issued to the customer, even while that customer was connected to a VPN.
The trick is a DNS rebinding attack. The attacker's domain first resolves to the attacker's own web server, so the page and its script load, and then, moments later, to an address inside the victim's home network. Because the browser treats the domain name, not the IP address, as the origin, the script can now talk to the router and read its responses. A victim only has to visit the attacker's webpage for a few seconds for their real IP address to be revealed.
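The following simulation walks through that sequence and shows the two places it can be stopped: a resolver that refuses to hand back local addresses for public names, and a VPN client that blocks connections to the LAN while the tunnel is up. It is an added example written for this page, not Fidus's proof of concept, and everything in it is constructed: attacker.example is a hypothetical domain, 203.0.113.10 and 198.51.100.77 are documentation addresses standing in for the attacker's server and the ISP-issued address, 192.168.0.1 is an assumed LAN address for the router, and the router "status page" is a stand-in rather than any real HUB 3.0 endpoint.

```python
"""Simulation of the DNS rebinding trick described above, plus the two defences.
Added illustrative code, not Fidus's proof of concept. Every name and address is
constructed: attacker.example is a hypothetical attacker domain, 203.0.113.10 and
198.51.100.77 are documentation addresses, 192.168.0.1 is an assumed router LAN
address, and the router page is a stand-in, not a real HUB 3.0 endpoint."""
import ipaddress
from typing import Optional

ATTACKER_NAME = "attacker.example"   # hypothetical attacker-controlled domain
ATTACKER_SERVER = "203.0.113.10"     # attacker's web server and authoritative DNS
ROUTER_LAN_IP = "192.168.0.1"        # assumed router LAN address (not from the report)
ISP_WAN_IP = "198.51.100.77"         # constructed stand-in for the ISP-issued address

# Address ranges that should never come back as an answer for a public name.
LOCAL_RANGES = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918
    "127.0.0.0/8", "169.254.0.0/16", "0.0.0.0/8",      # loopback, link-local, "this"
    "::1/128", "fe80::/10", "fc00::/7",                 # IPv6 equivalents
)]


def is_local(ip: str) -> bool:
    """True if ip falls inside a loopback, link-local or private range."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in LOCAL_RANGES)


class AttackerDns:
    """Authoritative DNS for ATTACKER_NAME. The first answer points at the attacker's
    own server so the page and its script load; every later answer points at the
    victim's router. A TTL of a second or so makes the browser re-ask almost at once."""
    def __init__(self) -> None:
        self.queries = 0

    def answer(self, name: str) -> Optional[str]:
        if name != ATTACKER_NAME:
            return None
        self.queries += 1
        return ATTACKER_SERVER if self.queries == 1 else ROUTER_LAN_IP


def rebind_guard(ip: Optional[str]) -> Optional[str]:
    """Resolver-side filter in the spirit of dnsmasq's stop-dns-rebind: discard
    upstream answers that map a public name onto a local address."""
    if ip is None or is_local(ip):
        return None
    return ip


def router_status_page() -> str:
    """Constructed stand-in for a LAN-only router page that prints the WAN address."""
    return f"<html><body>WAN IP: {ISP_WAN_IP}</body></html>"


def run_attack(filter_answers: bool = False, vpn_blocks_lan: bool = False) -> Optional[str]:
    """Walk through the victim visiting the attacker's page. Returns the leaked WAN IP,
    or None when the resolver filter or the VPN client's LAN block stopped it."""
    dns = AttackerDns()

    def resolve(name: str) -> Optional[str]:
        ip = dns.answer(name)
        return rebind_guard(ip) if filter_answers else ip

    def connect(ip: str) -> Optional[str]:
        # A VPN client that blocks LAN access drops any connection to a local range
        # while the tunnel is up, which is exactly the hop this attack needs.
        if vpn_blocks_lan and is_local(ip):
            return None
        if ip == ATTACKER_SERVER:
            return "<script>/* sleep past the TTL, then fetch('/status') */</script>"
        if ip == ROUTER_LAN_IP:
            return router_status_page()
        return None

    # 1. Page load: the name resolves to the attacker's server and the script starts.
    first = resolve(ATTACKER_NAME)
    if first != ATTACKER_SERVER or connect(first) is None:
        return None
    # 2. After the TTL the script fetches a path on the SAME name. The browser
    #    re-resolves, now gets the router's LAN address, and still treats the
    #    response as same-origin because the origin is the name, not the IP.
    second = resolve(ATTACKER_NAME)
    if second is None:
        return None  # resolver refused to hand back a local address
    body = connect(second)
    if body is None:
        return None  # VPN client blocked the connection to the LAN
    # 3. The script reads the router's page and sends the WAN address home.
    return body.split("WAN IP: ", 1)[1].split("<", 1)[0]


if __name__ == "__main__":
    print("no defences:      ", run_attack())
    print("resolver filter:  ", run_attack(filter_answers=True))
    print("VPN blocks LAN:   ", run_attack(vpn_blocks_lan=True))
```

Two things are worth noting from the simulation. The guard deliberately lists the local ranges itself rather than relying on Python's `is_private`, which also flags the documentation ranges used here; a real resolver such as dnsmasq offers the same protection through its `stop-dns-rebind` option, but a consumer ISP router is unlikely to expose that setting, which is why the VPN client's LAN block is the defence the article's advice turns on.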
They found that the trick worked for users who were connected to numerous different popular VPN services. They did not name which VPN services they tested to reach this conclusion, but in screenshots posted in their report, Private Internet Access can clearly be seen.
However, Private Internet Access is not the only provider affected, nor is the flaw of its own making: it lies in the router, not the VPN.
Carrying out the attack against a victim is trivial, since it only requires them to load a web page, but building the attack infrastructure is a more involved task, and Fidus were clear that they did not know whether anyone was actively exploiting this particular vulnerability.
Virgin Media's repeated failings
Perhaps the biggest concern from this revelation is the utter failure of Virgin Media to address the issue.
This vulnerability was first flagged to Virgin Media by Fidus back in October 2019, almost two years ago. Virgin Media acknowledged it at the time, and then in February 2020 asked Fidus to hold back on any public disclosure of the vulnerability until the first quarter of 2021.
Fidus agreed to this but since then they have failed to get any further communications from Virgin Media. They repeatedly approached Virgin Media for updates but none were forthcoming and eventually, they published details of the vulnerability in March this year.
If that wasn't bad enough, ISPReview, which first published this story, claims that even now, almost two years after the vulnerability was first flagged, it has not been patched by Virgin Media. They suggest this could be because the issue also affects other ISPs around the world that use the same device.
They said Virgin Media told them they were working on a technical fix, but there was no information supplied about why it was taking so long and no indication given about when that fix might be implemented.
Are you affected?
If you are a Virgin Media customer in the UK, you are probably now wondering whether you are affected.
It is worth saying that the chances are that you are not. The HUB 3.0 is only one of several routers Virgin Media issues to customers, and, sadly, only a small proportion of Virgin Media customers actually use a VPN.
If you do use one, check your router: the affected HUB 3.0 is the ARRIS TG2492.
If that is your router, the next consideration is whether or not your VPN provider is one that is affected. Providers that were tested by Fidus have not been named but we can say for certain that not all providers are affected.
If your VPN client blocks access to local IP addresses by default while the tunnel is up, you should be safe, because the attack depends on your browser being able to reach the router's address on your home network. A quick way to check: with the VPN connected, try to open your router's admin page at its local gateway address in a browser. If it loads, local addresses are reachable through the VPN client and the rebinding trick can reach the router too. If you are not sure, it is worth checking with the customer service team of your chosen VPN provider.
While the best VPNs typically block local access, not all do, so some will be potentially vulnerable.
What to do if you are affected?
Our best advice to affected users would be either to switch to a VPN provider that blocks local network access and so keeps your IP Address safe, or to request a new router from Virgin Media that does not have this vulnerability.
While Virgin Media has insisted that users “do not need to take any action”, given the evidence of this issue and their failure to tackle it, such a request would be a perfectly reasonable one.
If neither of these approaches works, we would suggest you perhaps switch to a different Internet Service Provider that takes the online privacy and security of its customers a little more seriously than Virgin Media appears to do.