nav search
Data Center Software Security Transformation DevOps Business Personal Tech Science Emergent Tech Bootnotes BOFH

back to article
Virgin Media router security flap follows weak password expose

Silver badge
FAIL

Who actually uses the router ?

I thought SOP was to disabled the POS and just use it as a modem with a real grown up router ?

17
5
TRT
Silver badge

Re: Who actually uses the router ?

That's what I do!

6
1

Re: Who actually uses the router ?

I do that with the SuperHub 3 that they forced on me. Can you believe that in router mode, you can't change the lan-side IP address of that thing? Must be the only router on the planet that brain-dead.

12
0
Anonymous Coward

"Super hub 2" rebranded Netgear

The best thing to do is combine it with a real router, such as a Bosch POF 1400 ACE.

14
1
Anonymous Coward

Re: Who actually uses the router ?

I do. The folks from Virgin came and installed the kit, and it appears to work.

Genuinely, can someone tell me what advantage there would be to buying another router, and if so which (for a sensible it's-only-as-an-optional-improvement price)?

At the moment I use WiFi for quite a few items, and have several PCs linked up to it via powerline adapters thru the house. The typical downloads speed on those PCs is 50-60mbps.

The range is not brilliant, so I'd be happy to extend that.

9
9
Anonymous Coward

re: what advantage there would be to buying another router

er ... isn't the article you just commented on reason enough ?

I recall the previous "router" as per another commentard upthread. It had a fixed IP, which clashed with my existing network. HOWEVER, as shipped, it didn't even allow modem mode - it needed to be upgraded OTA to enable it.

First rule of internet is never use your ISPs router. For no other reason than you have no idea what backdoors they out in it.

Generally Virgin have form for crippling kit. Look at the TiVo. I wonder what the US owners make of the pisspoor reputation it has in the UK ???

7
6
TRT
Silver badge

Re: Who actually uses the router ?

I put a Cisco RV-320 on as the first device - so that basically gives me a business class VPN right there, with remote management if I need it and various dynamic DNS registrations for fulfilling that function. There's naturally firewall and proper NAT functions there, as well as the DHCP, and a failover route if I ever feel the need.

Then for the WiFi, I used one of the free-if-you-attend-their-seminars Meraki MR18 access points which I plug into the RV-320 via a POE injector. When the provided license for that ran out after 3 years, I swapped it to an Open MESH access point. I pay for 70 meg, I get 70 meg, even over WiFi when I'm in the flat. Out on the lawns it drops to around 20-30 meg due to the distance. I do get a drop out once or twice a day, but that's the pigging Virgin side. Within the LAN, so back to my DLNA and file server, I get gigabit speeds over copper with absolutely no drop out and full control over QoS. 24/7/365 (barring UK power issues).

The Superhub 2 was an utter PoS. WiFi dropped out, wouldn't bond the 2.4 and 5GHz, there was no control over the QoS, the wired network dropped out regularly even, locked up DHCP every couple of months, requiring a factory reset, can't do dynamic DNS so I could remote in to check it if the flatmate called up because the WiFi had bombed out again...

3
2
Anonymous Coward

Re: Who actually uses the router ?

I assume that if you using just as a modem, then any attacker would have to have access to your network anyway (either through direct connection or wifi on your router) to use this vulnerability?

1
3
Silver badge

Re: re: what advantage there would be to buying another router

"er ... isn't the article you just commented on reason enough ?"

The investigation which found the backup bug thought it to be tightly locked down. The issue here is weak default passwords (because the production line handling stickers can only cope with stickers of such-and-such size and accessibility requirements means the font must be a minimum of such-and-such size).

2
0
Anonymous Coward

Re: re: what advantage there would be to buying another router

Well the article actually said that the other providers were just as bad; so unless you have a particular recommendation in mind, a random purchase is likely to leave you in a similar situation.

3
0
Silver badge

Re: Who actually uses the router ?

"I assume that if you using just as a modem, then any attacker would have to have access to your network anyway (either through direct connection or wifi on your router) to use this vulnerability?"

No, an attacker, at best, will be banging on the door of your router. If it's a decent router with strong credentials, ie much stronger than the VM SuperHub (Other crap ISPs routers are available) then they likely don't have access to either the router or anything on your side of the router.

Even if they do spend time trying to get through your router, the fact you are not using the ISP router with it's weak attack surface means you likely will have a stronger security policy inside your LAN too. They'll most likely not bother and move on to the vast number of people who think their LAN side is secure behind the default ISP router with default credentials.

1
0
Gold badge

Re: re: what advantage there would be to buying another router

"er ... isn't the article you just commented on reason enough ?"

I doubt it, since the problem outlined in the article can be avoided by changing the password. No need to stop using the router. Also, the problem outlined in the articled is not fixed by buying a separate router if you put an equally weak password on the second box.

In short: the router is not the problem here.

5
0

Re: Who actually uses the router ?

I would guess 99% of customers, who take as much interest in the workings of their internet gubbins as they do in their electricity consumer unit. And why not, they are the customer paying for a service. They are not all geeks, still less are they service technicians. The damn thing should just work, properly. If others have an itch they like to scratch that is fine, but it's not most people's cup of tea.

6
0
Silver badge

Re: Who actually uses the router ?

It cant port forward correctly, the wifi is shit, cant change lan ip, cant block lanside ports exiting, cant prioritise traffic, do i really need to go on?

Luckily i had an old dell sonicwall from work ive been using but there are loads of cheap routers out there.

1
0
Bronze badge

Re: Who actually uses the router ?

I use an ASUS router with custom firmware so I can run AB-Solutions that removes all advertising and tracking (via sending their DNS requests to null) for EVERY device on my internal network.

Worth it for that alone.

0
0
Silver badge

Re: Who actually uses the router ?

you can't change the lan-side IP address of that thing

Wow. Just, wow.

(In a previous orkplace, our internal LAN was using 192.168.1.0/24 [not my decision, was in place when I joined and would be a nightmare to change becuase of hardcoded paths in stuff like industrial control equipment]. Then the Sales Director demanded, not unreasonably, that all his staff needed to use VPN from home. Most of them were using BT Home, which defaulted to using (you've guessed it) 192.168.1.0/24 for the LAN. Much hilarity ensued until I managed to get people instructions on how to change their Home Hub to use a different range..)

0
0
Silver badge

Re: Who actually uses the router ?

I assume that if you using just as a modem

No - because you'll need something behind it to act as a router/firewall/DHCP server..

0
0
Silver badge

Re: Who actually uses the router ?

"I thought SOP was to disabled the POS and just use it as a modem with a real grown up router ?"

For 99.99% of the owners, no.

Surely the first thing you do with a car is get the ECU mapped with a grown up config?

1
1
Silver badge

Re: Who actually uses the router ?

Surely the first thing you do with a car is get the ECU mapped with a grown up config?

Assuming that you don't care about manufacturers warranty[1], yes.

[1] And, under some[2] circumstances, invalidating your insurance. Or, if you tell your insurance, raising the rate from "extortionate" to "selling first, second and third born".

[2] s/some/most/g

0
0
Silver badge
Holmes

My default one was 40 characters long, [a-z0-9?#@$%^&*()@!] .... and yet, still memorable ... I changed it to something else, of course ...

VirginMedia, tell me, who lets those flawed loonies design routers ? Fire the entire team, in-ex-cusable, shit, pay up, get some decent staff, YES, they are more expensive, but savings across the board!

4
8
Silver badge
Mushroom

@downvoters

1. Don't care about down-votes, that is why I often troll ;-)

2. WTF ?

8 char a-z is OK ? Must be Microsoft fanboys ... listen, you have no F'ing clue.

I really think Virgin Media need to get their act together and hire competent staff, ANYBODY who signed off, implemented, tested "8 char a-z" as a password have ABSOLUTELY NOTHING to do in IT.

I heard they were looking for Window cleaners in Hull!

6
9

If you don't care about down-voters, why do you care enough to tell us you don't care?

17
0
Silver badge
WTF?

If you don't care about down-voters, why do you care enough to tell us you don't care?

Because I don't, however, this time I was not trolling and, imho, my comment made a hell of a lot of sense! I do not understand the downvotes this time, I just don't understand ... all I was saying is that they need to hire competent staff ... D'Oh! Seriously! WTF?

0
6
Gold badge

Most modern routers have a WPS button whose effects only last for a couple of minutes. Why not say that you can only log in during that window? (You could ignore the rule if the user changes the password to something strong enough.)

This is just a repeat of the perennial problem that passwords short enough for the average Joe to remember are not long enough to keep the average Joe's assets safe. It's going to keep coming around until we learn to stop relying solely on passwords.

0
0

Hans, I'm not sure who the "flawed loonies" are that you refer to. VirginMedia don't employ anyone to design routers. They pay Netgear to rebrand their models and use those. Are you suggesting that VirginMedia fire Netgear?

There is no problem with these routers that does not already exist in most of them in that keeping the default password on any supplied equipment is a ridiculous idea. It's not all that long ago that the default password on all NTL ( who are now VirginMedia) came with a router/modem password which was "changeme".

I changed my passwords and those of my family the day they were installed.

As I read above. The Router is not at fault here and I'd go further and say the company are not at fault either. This is most definitely a user issue.

1
0
Silver badge

If the default password wasnt so constrained then it wouldnt be an issue though.

0
0
Silver badge

1. Don't care about down-votes, that is why I often troll ;-)

Let me introduce you to the concept of cause and effect..

0
0
Anonymous Coward

Where are the instructions?

I haven't seen any instructions about how to do this, and rather vexingly there's no link in the article. Does anyone have the link / some guidance?

Many thanks,

A Virgin (Customer)

5
0

Re: Where are the instructions?

http://192.168.0.1/ gets you to the superhub control panel.

4
1
Silver badge

Re: Where are the instructions?

After you've put it into modem mode, you use 192.168.100.1 for the control panel.

5
0
Silver badge
Trollface

Re: Where are the instructions?

I haven't seen any instructions about how to do this, and rather vexingly there's no link in the article. Does anyone have the link / some guidance?

Many thanks,

A Virgin (Customer)

Don't worry, we've done it for you.

-Random Chinese Hacker Collective

9
0
Thumb Up

Re: Where are the instructions?

Depends on the instructions but the IP address for the Super hub 2 they are on the sticker on the bottom of the router..

For the Super hub 3, they are on the sticker the engineer hands to you, a pull out piece of card between the router and the plastic feet, AND a sticker on the bottom of the router.

They really like to help you.

0
0
Bronze badge

Re: Where are the instructions?

Don't worry, we've done it for you.

-Random Chinese Hacker Collective

And for 0.5bitcoin's we'll tell you what it is.

0
0

Re: Where are the instructions?

https://help.virginmedia.com/system/templates/selfservice/vm/help/customer/locale/en-GB/portal/200300000001000/article/HELP-2395/Changing-your-Virgin-Media-Hub%27s-wireless-password

Also search a bit and you can see where to change the admin password....

0
0
Anonymous Coward

Call me stupid but I'm guessing the issue here is brute forcing the password?

Why not update the firmware to do a few things?

1. Force password change before connecting back to the internet.

2. Add the old 3 failed attempts, 5 min lock out, 4, 10 min lockout and so on.

3. Disable external access to the router by default.

5
0
Silver badge

Upvoted!

3. Disable external access to the router by default.

Actually, disable external access to the couter config completely, add VPN server with a simple wizard. You want to change settings when not at home ? Enable VPN!

1
0
Silver badge

Stunning.

My superhub 2 - dated 2010 - lets me set the password. Four to fifteen characters, letters and numbers only.

Stunning.

Not something I've worried about since the first thing I did when I got it was turn the wireless off, and let my router handle that, but changed it anyway.

Interesting that there appears to be nothing on the Virgin Media site to hint that there might be an issue, and I've had no notification about this. Meh.

2
0
Bronze badge

I can see 6 Virginmedia wireless network from my laptop all starting VM with random numbers after it. perhaps I should fire up my Kali live CD ;)

2
1

If you were to be terribly naughty like that at least you'd find that they tend to grumble when Reaver is waved at them. A horrifying number of others don't.

4
0

This post has been deleted by its author

Silver badge

Super hub 3 is a 12 alpha/numeric/lower/upper wifi password so at 1 billion guesses a second it's going to take a maximum of 150 years from what I understand.

Isn't SH3 based on Puma6? Might take longer as Puma 6 kit connectivity isn't exactly stellar. At least I've not yet heard that VM would've patched it (especially the latency issue).

1
0

This post has been deleted by its author

I did try and tell everyone a few months ago, and I told Virgin Media also.

http://elmarkodotorg.blogspot.com/2016/02/virgin-media-routers-arguably-weak.html

They replied on their forums saying the SuperHub 3.0s were better so basically no problem go away.

1
0

Use your own equipment

End of. If virgin don't allow you to use your own DOCSIS compliant modem? Find a proper isp. Simples.

1
7

Re: Use your own equipment

Not everybody has a full range of ISP options available. Complexes.

6
0

Re: Use your own equipment

The issue isn't anything to do with DOCSIS, this is a firmware issue relating to wireless security, which applies equally to other ISP routers such as Talk Talk's D-Link ADSL router, which has an equally weak default wireless password.

0
0
Anonymous Coward

Re: Use your own equipment

What he's saying is that the normal solution is to DISABLE that function altogether and use a different router. Trouble is, some ISPs MANDATE the use of their router or you can't go online, and if they're the only ISP in town, you're up Crap Creek unless you're willing to MOVE.

0
0

This post has been deleted by its author

Silver badge
Boffin

Shields Up!

See title

0
0
Silver badge
Devil

correct horse battery staple

obligatory xkcd reference

https://www.xkcd.com/936/

1
1

Page:

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

The Register - Independent news and views for the tech community. Part of Situation Publishing