Virgin Media O2 router bug could leave users open to attack

Customers of Virgin Media O2 in the UK may need to up their security protections after the company was accused of still not having fixed a long-standing flaw in some of its routers.

The ISP admitted to ISPreview.co.uk that the issue, which affects its popular Hub 3.0 routers, is still active, affecting some customers who use a VPN to try and keep themselves safe online.

The flaw can apparently allow threat actors to access sensitive information, including a user's IP address, even if they are using a VPN.

Router issue

The issue was first spotted back in October 2019 by security researchers at Fidus, with Virgin Media (as it was known before its merger with O2) acknowledging the issue shortly after. However, the company later asked Fidus to hold off on publicly disclosing any information about the issue until Q1 2021.

Fidus says it contacted Virgin Media for updates several times but, after receiving no reply, publicly disclosed the flaw, tracked as CVE-2019-16651, in March 2021.

In its disclosure, Fidus went into more detail on the attack, noting that it was a DNS rebinding attack, which can be used to reveal a user's actual IP address when the user simply visits a webpage for a few seconds.

"During our testing, it was possible to unmask the true IP address of users across multiple popular VPN providers – resulting in complete deanonymisation," the company added.

The company did add that the attack did not appear to affect all VPN providers, only those which block access to local IP addresses by default.
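As an added illustration (not code from the article, Fidus or Virgin Media), the sketch below shows how a defender can spot the general DNS rebinding pattern in resolver logs, where one hostname answers with a public address and shortly afterwards with a local one, and how a resolver-side filter can refuse local answers for public names. The log format, hostnames, addresses and the `home.arpa.` local zone are constructed assumptions.

```python
import ipaddress

# Address ranges treated as "local" (RFC 1918, loopback, link-local, IPv6 equivalents).
LOCAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "::1/128", "fc00::/7", "fe80::/10")]

# Constructed sample resolver log: (epoch_seconds, client, qname, answer).
SAMPLE_LOG = [
    (1000, "10.8.0.2", "www.example.org.", "198.51.100.20"),
    (1001, "10.8.0.2", "a1b2.rebind.example.", "203.0.113.10"),
    (1004, "10.8.0.2", "a1b2.rebind.example.", "192.168.0.1"),
    (1010, "10.8.0.2", "printer.home.arpa.", "192.168.0.50"),
    (1020, "10.8.0.3", "cdn.example.net.", "198.51.100.7"),
    (5000, "10.8.0.3", "cdn.example.net.", "198.51.100.8"),
]

def is_local(addr):
    """True if addr falls inside one of the local ranges above."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in LOCAL_NETS)

def find_rebinds(log, window=60):
    """Detection: return (client, qname, public_ip, local_ip) for every name that
    answered with a public address and then a local one within `window` seconds."""
    last_public = {}  # (client, qname) -> (timestamp, public address)
    hits = []
    for ts, client, qname, answer in sorted(log):
        key = (client, qname.lower())
        if not is_local(answer):
            last_public[key] = (ts, answer)
        elif key in last_public and ts - last_public[key][0] <= window:
            hits.append((client, key[1], last_public[key][1], answer))
    return hits

def allow_answer(qname, answer, local_zones=("home.arpa.",)):
    """Mitigation: accept a local address only for a zone that is served locally."""
    if not is_local(answer):
        return True
    name = qname.lower()
    return any(name == z or name.endswith("." + z) for z in local_zones)

if __name__ == "__main__":
    for hit in find_rebinds(SAMPLE_LOG):
        print("possible DNS rebinding:", hit)
```
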

In response to an email from TechRadar Pro, Virgin Media O2 said that the issue was fairly niche, and would not affect the vast majority of its customers, most of whom do not use a VPN.

"We are aware of a highly technical issue which, in very particular circumstances, could impact customers using a VPN while accessing a malicious website. A very specific set of circumstances would need to be in place for a customer to be impacted, meaning that the risk to them is very low," a Virgin Media spokesperson told TechRadar Pro.

"We have strong security measures in place to protect our network and keep our customers secure. We are not aware of any customers being affected by this issue and they do not need to take any action."

Via ISPreview.co.uk

Mike Moore
Deputy Editor, TechRadar Pro
