
Security advisory: Relish 4G hub VH510

April 1, 2020

Affected products

This affects both business and home customers.

  • Product Name: Verve Connect VH510.
  • Hardware Version: L0AM095A.
  • Firmware Version: < V1.0.1.6L0516 (newer versions may also be affected).

All of these devices have a default SSID of “Relish_Home_XXXXXX”.

Risk

Small Business Entities: HIGH

Home Users: HIGH

Summary

The Verve Connect 4G hub provided by Relish (now known as Three Broadband) contains multiple vulnerabilities which, when combined, may allow an attacker to take over the device.

  • An undocumented super admin account exists, which uses a default password for both business and home customer devices. This is contrary to industry best practice, including the Code of Practice for consumer IoT security.

  • Other security vulnerabilities in the management web interface.

The attacker must be on the same network, or trick a user who is on the network into clicking a link.

Remediation

The Verve Connect hub may no longer be maintained or supported, yet many companies and home users still use this device. It’s important that you follow the instructions below to keep your network safe and prevent attackers from compromising it.

  1. Change the default super admin password within the management portal.
    • For business customers the username is: UKBadmin
    • For home customers the username is: admin
    • Admin passwords can be found by logging into the management portal using the standard credentials provided by Relish and navigating to Admin > Backup/Restore.
  2. Disable or block access to the web management portal. This can be achieved by using a separate network appliance such as a switch or a hardware-based firewall solution.
  3. Disable direct wireless connectivity to the device and set up a separate hardware access point if needed.

Disclosure timeline

  • 30/05/2019 — 6point6 contacted Three customer support for a security contact.
  • 26/06/2019 — Received a response from Three Broadband with an appropriate Point of Contact.
  • 29/06/2019 — 6point6 sent email with full disclosure report (no confirmation whether this was received).
  • 02/08/2019 — 6point6 sent email to request confirmation of receipt of the document, no response received.
  • 18/09/2019 — 6point6 sent email asking for any updates, no response received.
  • 14/10/2019 — 6point6 sent an email to Three’s Information Security email address.
  • 15/10/2019 — Received a response from Three stating this will be escalated internally.
  • 28/10/2019 — Received a response from Three confirming the vulnerability disclosure and that they’re still awaiting a response from the product vendor.
  • 22/11/2019 — 6point6 sent an email asking for updates. No response received.
  • 25/11/2019 — Received a response from Three stating there are no updates but there should be something available shortly.
  • 13/01/2020 — 6point6 sent email to Three asking for any updates. No response received.
  • 05/02/2020 — 6point6 sent email to Three asking for any updates. No response received.
  • 26/02/2020 — 6point6 sent email to Three asking for any updates and that we are ready to publish an article on our findings, as well as a security advisory. No response received.


Cyber Lab