Who actually uses the router?
I thought SOP was to disable the POS and just use it as a modem with a real grown up router?
Virgin Media has urged 800,000 customers to change their passwords to guard against possible hacking attack. The move follows an investigation by consumer mag Which? that discovered hackers could access the UK cableco's Super Hub 2 router, allowing access to IoT devices connected through the same home network. The issue stems …
you can't change the lan-side IP address of that thing
Wow. Just, wow.
(In a previous workplace, our internal LAN was using 192.168.1.0/24 [not my decision, was in place when I joined and would be a nightmare to change because of hardcoded paths in stuff like industrial control equipment]. Then the Sales Director demanded, not unreasonably, that all his staff needed to use VPN from home. Most of them were using BT Home, which defaulted to using (you've guessed it) 192.168.1.0/24 for the LAN. Much hilarity ensued until I managed to get people instructions on how to change their Home Hub to use a different range.)
I do. The folks from Virgin came and installed the kit, and it appears to work.
Genuinely, can someone tell me what advantage there would be to buying another router, and if so which (for a sensible it's-only-as-an-optional-improvement price)?
At the moment I use WiFi for quite a few items, and have several PCs linked up to it via powerline adapters thru the house. The typical download speed on those PCs is 50-60mbps.
The range is not brilliant, so I'd be happy to extend that.
er ... isn't the article you just commented on reason enough ?
I recall the previous "router" as per another commentard upthread. It had a fixed IP, which clashed with my existing network. HOWEVER, as shipped, it didn't even allow modem mode - it needed to be upgraded OTA to enable it.
First rule of internet is never use your ISP's router. For no other reason than you have no idea what backdoors they put in it.
Generally Virgin have form for crippling kit. Look at the TiVo. I wonder what the US owners make of the pisspoor reputation it has in the UK ???
"er ... isn't the article you just commented on reason enough ?"
The investigation which found the backup bug thought it to be tightly locked down. The issue here is weak default passwords (because the production line handling stickers can only cope with stickers of such-and-such size and accessibility requirements means the font must be a minimum of such-and-such size).
"er ... isn't the article you just commented on reason enough ?"
I doubt it, since the problem outlined in the article can be avoided by changing the password. No need to stop using the router. Also, the problem outlined in the article is not fixed by buying a separate router if you put an equally weak password on the second box.
In short: the router is not the problem here.
I put a Cisco RV-320 on as the first device - so that basically gives me a business class VPN right there, with remote management if I need it and various dynamic DNS registrations for fulfilling that function. There's naturally firewall and proper NAT functions there, as well as the DHCP, and a failover route if I ever feel the need.
Then for the WiFi, I used one of the free-if-you-attend-their-seminars Meraki MR18 access points which I plug into the RV-320 via a POE injector. When the provided license for that ran out after 3 years, I swapped it to an Open MESH access point. I pay for 70 meg, I get 70 meg, even over WiFi when I'm in the flat. Out on the lawns it drops to around 20-30 meg due to the distance. I do get a drop out once or twice a day, but that's the pigging Virgin side. Within the LAN, so back to my DLNA and file server, I get gigabit speeds over copper with absolutely no drop out and full control over QoS. 24/7/365 (barring UK power issues).
The Superhub 2 was an utter PoS. WiFi dropped out, wouldn't bond the 2.4 and 5GHz, there was no control over the QoS, the wired network dropped out regularly even, locked up DHCP every couple of months, requiring a factory reset, can't do dynamic DNS so I could remote in to check it if the flatmate called up because the WiFi had bombed out again...
"I assume that if you using just as a modem, then any attacker would have to have access to your network anyway (either through direct connection or wifi on your router) to use this vulnerability?"
No, an attacker, at best, will be banging on the door of your router. If it's a decent router with strong credentials, ie much stronger than the VM SuperHub (Other crap ISPs' routers are available) then they likely don't have access to either the router or anything on your side of the router.
Even if they do spend time trying to get through your router, the fact you are not using the ISP router with its weak attack surface means you likely will have a stronger security policy inside your LAN too. They'll most likely not bother and move on to the vast number of people who think their LAN side is secure behind the default ISP router with default credentials.
I would guess 99% of customers, who take as much interest in the workings of their internet gubbins as they do in their electricity consumer unit. And why not, they are the customer paying for a service. They are not all geeks, still less are they service technicians. The damn thing should just work, properly. If others have an itch they like to scratch that is fine, but it's not most people's cup of tea.
It can't port forward correctly, the wifi is shit, can't change LAN IP, can't block LAN-side ports exiting, can't prioritise traffic, do I really need to go on?
Luckily I had an old Dell SonicWall from work I've been using but there are loads of cheap routers out there.
Surely the first thing you do with a car is get the ECU mapped with a grown up config?
Assuming that you don't care about manufacturer's warranty[1], yes.
[1] And, under some[2] circumstances, invalidating your insurance. Or, if you tell your insurance, raising the rate from "extortionate" to "selling first, second and third born".
[2] s/some/most/g
My default one was 40 characters long, [a-z0-9?#@$%^&*()@!] .... and yet, still memorable ... I changed it to something else, of course ...
VirginMedia, tell me, who lets those flawed loonies design routers ? Fire the entire team, in-ex-cusable, shit, pay up, get some decent staff, YES, they are more expensive, but savings across the board!
@downvoters
1. Don't care about down-votes, that is why I often troll ;-)
2. WTF ?
8 char a-z is OK ? Must be Microsoft fanboys ... listen, you have no F'ing clue.
I really think Virgin Media need to get their act together and hire competent staff, ANYBODY who signed off, implemented, tested "8 char a-z" as a password have ABSOLUTELY NOTHING to do in IT.
I heard they were looking for Window cleaners in Hull!
If you don't care about down-voters, why do you care enough to tell us you don't care?
Because I don't, however, this time I was not trolling and, imho, my comment made a hell of a lot of sense! I do not understand the downvotes this time, I just don't understand ... all I was saying is that they need to hire competent staff ... D'Oh! Seriously! WTF?
Most modern routers have a WPS button whose effects only last for a couple of minutes. Why not say that you can only log in during that window? (You could ignore the rule if the user changes the password to something strong enough.)
This is just a repeat of the perennial problem that passwords short enough for the average Joe to remember are not long enough to keep the average Joe's assets safe. It's going to keep coming around until we learn to stop relying solely on passwords.
Hans, I'm not sure who the "flawed loonies" are that you refer to. VirginMedia don't employ anyone to design routers. They pay Netgear to rebrand their models and use those. Are you suggesting that VirginMedia fire Netgear?
There is no problem with these routers that does not already exist in most of them in that keeping the default password on any supplied equipment is a ridiculous idea. It's not all that long ago that the default password on all NTL (who are now VirginMedia) came with a router/modem password which was "changeme".
I changed my passwords and those of my family the day they were installed.
As I read above. The Router is not at fault here and I'd go further and say the company are not at fault either. This is most definitely a user issue.
Depends on the instructions but the IP address for the Super hub 2 they are on the sticker on the bottom of the router.
For the Super hub 3, they are on the sticker the engineer hands to you, a pull out piece of card between the router and the plastic feet, AND a sticker on the bottom of the router.
They really like to help you.
Call me stupid but I'm guessing the issue here is brute forcing the password?
Why not update the firmware to do a few things?
1. Force password change before connecting back to the internet.
2. Add the old 3 failed attempts, 5 min lock out, 4, 10 min lockout and so on.
3. Disable external access to the router by default.
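The escalating lockout from point 2 of the comment above, sketched as an added example (not part of the thread and not Virgin Media's firmware). The doubling after the fourth failure, the 24-hour cap and all names are assumptions made for illustration.

```python
import hmac

FREE_ATTEMPTS = 2          # failures 1 and 2 carry no penalty
BASE_LOCKOUT_S = 5 * 60    # 3rd failure -> 5 min, 4th -> 10 min (from the comment)
MAX_LOCKOUT_S = 24 * 3600  # assumed cap so a single lockout never exceeds a day


def lockout_seconds(failures):
    """Lockout imposed after the Nth consecutive failure (doubling is assumed)."""
    if failures <= FREE_ATTEMPTS:
        return 0
    return min(BASE_LOCKOUT_S * 2 ** (failures - FREE_ATTEMPTS - 1), MAX_LOCKOUT_S)


class AdminLogin:
    """Hypothetical admin-login gate; the clock is passed in so it can be tested."""

    def __init__(self, password):
        self._password = password
        self.failures = 0
        self.locked_until = 0.0

    def attempt(self, guess, now):
        if now < self.locked_until:
            return "locked"            # rejected without even checking the guess
        if hmac.compare_digest(guess.encode(), self._password.encode()):
            self.failures = 0
            return "ok"
        self.failures += 1
        self.locked_until = now + lockout_seconds(self.failures)
        return "denied"


def guesses_allowed(window_s):
    """Guesses an attacker can actually get checked within window_s seconds."""
    gate, now, count = AdminLogin("constructed-secret"), 0.0, 0
    while now < window_s:
        if gate.attempt("wrong", now) == "denied":
            count += 1
        # attacker retries as early as the lockout permits (1 s per try otherwise)
        now = max(now + 1.0, gate.locked_until)
    return count
```

Under this schedule a persistent guesser gets 11 checked guesses in the first 24 hours, which is why even a short default password stops being brute-forceable through the login page once the lockout is in place.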
My superhub 2 - dated 2010 - lets me set the password. Four to fifteen characters, letters and numbers only.
Stunning.
Not something I've worried about since the first thing I did when I got it was turn the wireless off, and let my router handle that, but changed it anyway.
Interesting that there appears to be nothing on the Virgin Media site to hint that there might be an issue, and I've had no notification about this. Meh.
Super hub 3 is a 12 alpha/numeric/lower/upper wifi password so at 1 billion guesses a second it's going to take a maximum of 150 years from what I understand.
Isn't SH3 based on Puma6? Might take longer as Puma 6 kit connectivity isn't exactly stellar. At least I've not yet heard that VM would've patched it (especially the latency issue).
What he's saying is that the normal solution is to DISABLE that function altogether and use a different router. Trouble is, some ISPs MANDATE the use of their router or you can't go online, and if they're the only ISP in town, you're up Crap Creek unless you're willing to MOVE.