Virgin Media router security flap follows weak password expose

Virgin Media has urged 800,000 customers to change their passwords to guard against a possible hacking attack. The move follows an investigation by consumer mag Which? that discovered hackers could access the UK cableco's Super Hub 2 router, allowing access to IoT devices connected through the same home network. The issue stems …

  1. JimmyPage Silver badge
    FAIL

    Who actually uses the router ?

    I thought SOP was to disable the POS and just use it as a modem with a real grown up router ?

    1. TRT Silver badge

      Re: Who actually uses the router ?

      That's what I do!

      1. tony72

        Re: Who actually uses the router ?

        I do that with the SuperHub 3 that they forced on me. Can you believe that in router mode, you can't change the lan-side IP address of that thing? Must be the only router on the planet that brain-dead.

        1. CrazyOldCatMan Silver badge

          Re: Who actually uses the router ?

          you can't change the lan-side IP address of that thing

          Wow. Just, wow.

          (In a previous workplace, our internal LAN was using 192.168.1.0/24 [not my decision, was in place when I joined and would be a nightmare to change because of hardcoded paths in stuff like industrial control equipment]. Then the Sales Director demanded, not unreasonably, that all his staff needed to use VPN from home. Most of them were using BT Home, which defaulted to using (you've guessed it) 192.168.1.0/24 for the LAN. Much hilarity ensued until I managed to get people instructions on how to change their Home Hub to use a different range..)

    2. Anonymous Coward

      "Super hub 2" rebranded Netgear

      The best thing to do is combine it with a real router, such as a Bosch POF 1400 ACE.

    3. Anonymous Coward

      Re: Who actually uses the router ?

      I do. The folks from Virgin came and installed the kit, and it appears to work.

      Genuinely, can someone tell me what advantage there would be to buying another router, and if so which (for a sensible it's-only-as-an-optional-improvement price)?

      At the moment I use WiFi for quite a few items, and have several PCs linked up to it via powerline adapters thru the house. The typical downloads speed on those PCs is 50-60mbps.

      The range is not brilliant, so I'd be happy to extend that.

      1. Anonymous Coward

        re: what advantage there would be to buying another router

        er ... isn't the article you just commented on reason enough ?

        I recall the previous "router" as per another commentard upthread. It had a fixed IP, which clashed with my existing network. HOWEVER, as shipped, it didn't even allow modem mode - it needed to be upgraded OTA to enable it.

        First rule of internet is never use your ISP's router. For no other reason than you have no idea what backdoors they put in it.

        Generally Virgin have form for crippling kit. Look at the TiVo. I wonder what the US owners make of the pisspoor reputation it has in the UK ???

        1. Brewster's Angle Grinder Silver badge

          Re: re: what advantage there would be to buying another router

          "er ... isn't the article you just commented on reason enough ?"

          The investigation which found the backup bug thought it to be tightly locked down. The issue here is weak default passwords (because the production line handling stickers can only cope with stickers of such-and-such size and accessibility requirements means the font must be a minimum of such-and-such size).

        2. Anonymous Coward

          Re: re: what advantage there would be to buying another router

          Well the article actually said that the other providers were just as bad; so unless you have a particular recommendation in mind, a random purchase is likely to leave you in a similar situation.

        3. Ken Hagan Gold badge

          Re: re: what advantage there would be to buying another router

          "er ... isn't the article you just commented on reason enough ?"

          I doubt it, since the problem outlined in the article can be avoided by changing the password. No need to stop using the router. Also, the problem outlined in the article is not fixed by buying a separate router if you put an equally weak password on the second box.

          In short: the router is not the problem here.

      2. TRT Silver badge

        Re: Who actually uses the router ?

        I put a Cisco RV-320 on as the first device - so that basically gives me a business class VPN right there, with remote management if I need it and various dynamic DNS registrations for fulfilling that function. There's naturally firewall and proper NAT functions there, as well as the DHCP, and a failover route if I ever feel the need.

        Then for the WiFi, I used one of the free-if-you-attend-their-seminars Meraki MR18 access points which I plug into the RV-320 via a POE injector. When the provided license for that ran out after 3 years, I swapped it to an Open MESH access point. I pay for 70 meg, I get 70 meg, even over WiFi when I'm in the flat. Out on the lawns it drops to around 20-30 meg due to the distance. I do get a drop out once or twice a day, but that's the pigging Virgin side. Within the LAN, so back to my DLNA and file server, I get gigabit speeds over copper with absolutely no drop out and full control over QoS. 24/7/365 (barring UK power issues).

        The Superhub 2 was an utter PoS. WiFi dropped out, wouldn't bond the 2.4 and 5GHz, there was no control over the QoS, the wired network dropped out regularly even, locked up DHCP every couple of months, requiring a factory reset, can't do dynamic DNS so I could remote in to check it if the flatmate called up because the WiFi had bombed out again...

      3. William 3 Bronze badge

        Re: Who actually uses the router ?

        I use an ASUS router with custom firmware so I can run AB-Solutions that removes all advertising and tracking (via sending their DNS requests to null) for EVERY device on my internal network.

        Worth it for that alone.

    4. Anonymous Coward

      Re: Who actually uses the router ?

      I assume that if you're using it just as a modem, then any attacker would have to have access to your network anyway (either through direct connection or wifi on your router) to use this vulnerability?

      1. John Brown (no body) Silver badge

        Re: Who actually uses the router ?

        "I assume that if you're using it just as a modem, then any attacker would have to have access to your network anyway (either through direct connection or wifi on your router) to use this vulnerability?"

        No, an attacker, at best, will be banging on the door of your router. If it's a decent router with strong credentials, ie much stronger than the VM SuperHub (Other crap ISPs' routers are available) then they likely don't have access to either the router or anything on your side of the router.

        Even if they do spend time trying to get through your router, the fact you are not using the ISP router with its weak attack surface means you likely will have a stronger security policy inside your LAN too. They'll most likely not bother and move on to the vast number of people who think their LAN side is secure behind the default ISP router with default credentials.

      2. CrazyOldCatMan Silver badge

        Re: Who actually uses the router ?

        I assume that if you're using it just as a modem

        No - because you'll need something behind it to act as a router/firewall/DHCP server..

    5. pleb

      Re: Who actually uses the router ?

      I would guess 99% of customers, who take as much interest in the workings of their internet gubbins as they do in their electricity consumer unit. And why not, they are the customer paying for a service. They are not all geeks, still less are they service technicians. The damn thing should just work, properly. If others have an itch they like to scratch that is fine, but it's not most people's cup of tea.

      1. Danny 14

        Re: Who actually uses the router ?

        It can't port forward correctly, the wifi is shit, can't change LAN IP, can't block LAN-side ports exiting, can't prioritise traffic, do I really need to go on?

        Luckily I had an old Dell SonicWall from work I've been using but there are loads of cheap routers out there.

    6. Anonymous Coward

      Re: Who actually uses the router ?

      "I thought SOP was to disable the POS and just use it as a modem with a real grown up router ?"

      For 99.99% of the owners, no.

      Surely the first thing you do with a car is get the ECU mapped with a grown up config?

      1. CrazyOldCatMan Silver badge

        Re: Who actually uses the router ?

        Surely the first thing you do with a car is get the ECU mapped with a grown up config?

        Assuming that you don't care about manufacturers warranty[1], yes.

        [1] And, under some[2] circumstances, invalidating your insurance. Or, if you tell your insurance, raising the rate from "extortionate" to "selling first, second and third born".

        [2] s/some/most/g

  2. Hans 1
    Holmes

    My default one was 40 characters long, [a-z0-9?#@$%^&*()@!] .... and yet, still memorable ... I changed it to something else, of course ...

    VirginMedia, tell me, who lets those flawed loonies design routers ? Fire the entire team, in-ex-cusable, shit, pay up, get some decent staff, YES, they are more expensive, but savings across the board!

    1. Hans 1
      Mushroom

      @downvoters

      1. Don't care about down-votes, that is why I often troll ;-)

      2. WTF ?

      8 char a-z is OK ? Must be Microsoft fanboys ... listen, you have no F'ing clue.

      I really think Virgin Media need to get their act together and hire competent staff, ANYBODY who signed off, implemented, tested "8 char a-z" as a password has ABSOLUTELY NOTHING to do in IT.

      I heard they were looking for Window cleaners in Hull!

      1. handle

        If you don't care about down-voters, why do you care enough to tell us you don't care?

        1. Hans 1
          WTF?

          If you don't care about down-voters, why do you care enough to tell us you don't care?

          Because I don't, however, this time I was not trolling and, imho, my comment made a hell of a lot of sense! I do not understand the downvotes this time, I just don't understand ... all I was saying is that they need to hire competent staff ... D'Oh! Seriously! WTF?

      2. CrazyOldCatMan Silver badge

        1. Don't care about down-votes, that is why I often troll ;-)

        Let me introduce you to the concept of cause and effect..

    2. Ken Hagan Gold badge

      Most modern routers have a WPS button whose effects only last for a couple of minutes. Why not say that you can only log in during that window? (You could ignore the rule if the user changes the password to something strong enough.)

      This is just a repeat of the perennial problem that passwords short enough for the average Joe to remember are not long enough to keep the average Joe's assets safe. It's going to keep coming around until we learn to stop relying solely on passwords.

    3. ZootCadillac

      Hans, I'm not sure who the "flawed loonies" are that you refer to. VirginMedia don't employ anyone to design routers. They pay Netgear to rebrand their models and use those. Are you suggesting that VirginMedia fire Netgear?

      There is no problem with these routers that does not already exist in most of them in that keeping the default password on any supplied equipment is a ridiculous idea. It's not all that long ago that the default password on all NTL (who are now VirginMedia) came with a router/modem password which was "changeme".

      I changed my passwords and those of my family the day they were installed.

      As I read above. The Router is not at fault here and I'd go further and say the company are not at fault either. This is most definitely a user issue.

      1. Danny 14

        If the default password wasn't so constrained then it wouldn't be an issue though.

  3. Anonymous Coward

    Where are the instructions?

    I haven't seen any instructions about how to do this, and rather vexingly there's no link in the article. Does anyone have the link / some guidance?

    Many thanks,

    A Virgin (Customer)

    1. davenewman

      Re: Where are the instructions?

      http://192.168.0.1/ gets you to the superhub control panel.

      1. frank ly

        Re: Where are the instructions?

        After you've put it into modem mode, you use 192.168.100.1 for the control panel.

    2. David 132 Silver badge
      Trollface

      Re: Where are the instructions?

      I haven't seen any instructions about how to do this, and rather vexingly there's no link in the article. Does anyone have the link / some guidance?

      Many thanks,

      A Virgin (Customer)

      Don't worry, we've done it for you.

      -Random Chinese Hacker Collective

      1. eldakka

        Re: Where are the instructions?

        Don't worry, we've done it for you.

        -Random Chinese Hacker Collective

        And for 0.5bitcoin's we'll tell you what it is.

    3. Avatar of They
      Thumb Up

      Re: Where are the instructions?

      Depends on the instructions but the IP address for the Super hub 2 they are on the sticker on the bottom of the router..

      For the Super hub 3, they are on the sticker the engineer hands to you, a pull out piece of card between the router and the plastic feet, AND a sticker on the bottom of the router.

      They really like to help you.

    4. Blacklight

      Re: Where are the instructions?

      https://help.virginmedia.com/system/templates/selfservice/vm/help/customer/locale/en-GB/portal/200300000001000/article/HELP-2395/Changing-your-Virgin-Media-Hub%27s-wireless-password

      Also search a bit and you can see where to change the admin password....

  4. Anonymous Coward

    Call me stupid but I'm guessing the issue here is brute forcing the password?

    Why not update the firmware to do a few things?

    1. Force password change before connecting back to the internet.

    2. Add the old 3 failed attempts, 5 min lock out, 4, 10 min lockout and so on.

    3. Disable external access to the router by default.

    1. Hans 1

      Upvoted!

      3. Disable external access to the router by default.

      Actually, disable external access to the router config completely, add VPN server with a simple wizard. You want to change settings when not at home ? Enable VPN!
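
The escalating lockout proposed in item 2 of comment 4 above (3 failed attempts, 5 minute lockout; 4, 10 minutes; and so on), sketched as an added example that is not part of the thread and is not Virgin Media or Netgear firmware. The doubling beyond the fourth failure, the 24-hour cap, and all class and function names are assumptions.

```python
import hashlib
import hmac
import os

FREE_ATTEMPTS = 2          # failures 1 and 2 carry no penalty
BASE_LOCKOUT_S = 5 * 60    # 3rd consecutive failure: 5 minutes
MAX_LOCKOUT_S = 24 * 3600  # assumed cap; the comment only says "and so on"


def lockout_seconds(failures):
    """Lockout earned by the Nth consecutive failure (3 -> 5 min, 4 -> 10 min, doubling)."""
    if failures <= FREE_ATTEMPTS:
        return 0
    doublings = min(failures - FREE_ATTEMPTS - 1, 16)  # keep the exponent small
    return min(BASE_LOCKOUT_S * 2 ** doublings, MAX_LOCKOUT_S)


class AdminLogin:
    """Hypothetical admin-page login guard; clock is injected so it can be simulated."""

    def __init__(self, password, clock):
        self._salt = os.urandom(16)
        self._hash = self._derive(password)
        self._clock = clock
        self.failures = 0
        self.locked_until = 0.0

    def _derive(self, password):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), self._salt, 100_000)

    def attempt(self, password):
        now = self._clock()
        if now < self.locked_until:
            # Refuse without checking, so even a correct guess made during
            # the lockout tells the guesser nothing.
            return "locked"
        if hmac.compare_digest(self._derive(password), self._hash):
            self.failures = 0
            return "ok"
        self.failures += 1
        # One counter for the whole account: simple, but anyone who can reach
        # the login page can also keep the owner locked out.
        self.locked_until = now + lockout_seconds(self.failures)
        return "denied"


def guesses_in_window(window_s):
    """Password checks a guesser gets in window_s seconds when retrying at every expiry."""
    t = [0.0]  # simulated clock, seconds
    login = AdminLogin("constructed-sample-passphrase", clock=lambda: t[0])
    checked = 0
    while t[0] < window_s:
        if login.attempt("constructed-wrong-guess") == "denied":
            checked += 1
        t[0] = max(t[0], login.locked_until)
    return checked


if __name__ == "__main__":
    for n in range(1, 8):
        print(f"failure {n}: locked for {lockout_seconds(n)} s")
    print("checks allowed in 24 h:", guesses_in_window(24 * 3600))
```

Under this schedule a guesser who retries the moment each lockout expires gets 11 password checks in the first 24 hours.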

  5. Neil Barnes Silver badge

    Stunning.

    My superhub 2 - dated 2010 - lets me set the password. Four to fifteen characters, letters and numbers only.

    Stunning.

    Not something I've worried about since the first thing I did when I got it was turn the wireless off, and let my router handle that, but changed it anyway.

    Interesting that there appears to be nothing on the Virgin Media site to hint that there might be an issue, and I've had no notification about this. Meh.

  6. mark l 2 Silver badge

    I can see 6 Virginmedia wireless networks from my laptop all starting VM with random numbers after it. Perhaps I should fire up my Kali live CD ;)

    1. Mr Fuzzy

      If you were to be terribly naughty like that at least you'd find that they tend to grumble when Reaver is waved at them. A horrifying number of others don't.

    2. This post has been deleted by its author

      1. Down not across

        Super hub 3 is a 12 alpha/numeric/lower/upper wifi password so at 1 billion guesses a second it's going to take a maximum of 150 years from what I understand.

        Isn't SH3 based on Puma6? Might take longer as Puma 6 kit connectivity isn't exactly stellar. At least I've not yet heard that VM would've patched it (especially the latency issue).

        1. This post has been deleted by its author

  7. mpentler

    I did try and tell everyone a few months ago, and I told Virgin Media also.

    http://elmarkodotorg.blogspot.com/2016/02/virgin-media-routers-arguably-weak.html

    They replied on their forums saying the SuperHub 3.0s were better so basically no problem go away.

  8. Martin-73 Silver badge

    Use your own equipment

    End of. If Virgin don't allow you to use your own DOCSIS compliant modem? Find a proper ISP. Simples.

    1. Mr Fuzzy

      Re: Use your own equipment

      Not everybody has a full range of ISP options available. Complexes.

    2. Singe

      Re: Use your own equipment

      The issue isn't anything to do with DOCSIS, this is a firmware issue relating to wireless security, which applies equally to other ISP routers such as Talk Talk's D-Link ADSL router, which has an equally weak default wireless password.

      1. Anonymous Coward

        Re: Use your own equipment

        What he's saying is that the normal solution is to DISABLE that function altogether and use a different router. Trouble is, some ISPs MANDATE the use of their router or you can't go online, and if they're the only ISP in town, you're up Crap Creek unless you're willing to MOVE.

  9. This post has been deleted by its author

  10. Zog_but_not_the_first
    Boffin

    Shields Up!

    See title

  11. bombastic bob Silver badge
    Devil

    correct horse battery staple

    obligatory xkcd reference

    https://www.xkcd.com/936/

    1. Charles 9

      Re: correct horse battery staple

      But what about people whose memory is SO bad it comes back "donkeyenginepaperclipwrong" instead?

  12. anthonyhegedus Silver badge

    The vermin superhubs don't even work in modem mode all the time. Some of them keep going back to router mode. The other thing about these routers is that the default admin password is 'virgin'.

    1. Singe
      FAIL

      The Superhub default admin password has never been "virgin", that goes as far back as the superhub 1 which is quite a few years old now.

  13. Anonymous Coward

    One of the companies I worked at, the remote users were supplied with internet access via Virgin Media so that they could work remotely. After a software update on the routers, the VPN stopped working.

    After I got remote access, via TeamViewer, I logged on to the router with the default password and ticked the box to allow VPN connections. All the sales droids asked how I knew their router password, my reply was it was the default one that was listed on the Virgin website and perhaps they had better change it.

  14. Ian 55

    Oh is that all the problem is?!

    I thought from some of the other reporting that it was something really serious.

  15. Milton

    Don't be too harsh ...

    ... on the folks who use the ISP-supplied router. It's good that El Reg readership includes people who are not necessarily techies, but who still have curiosity enough to be here.

    And if you think the Virgin Routers are crummy, Sky is even worse. We have both connections to this house (can't afford to be offline) and I use a Draytek router for load balance and redundancy, and while the Virgin hub did at least allow me to set it to Modem-Only mode, the POS that Sky provided won't even let you do that. Bypassing Sky's rubbish was tedious, to say the least.

    (But yes, for those who are wondering: the router supplied by your ISP will work, but it will be cheap, nasty, crippled and probably horribly vulnerable.)

  16. Blacklight
    Mushroom

    Erm....

    I may be wrong (probably am!) but is the other issue resolved?

    i.e. the one whereby when the router powers up, for 7 seconds or so, there is no encryption set on the WiFi? o_O

    Thus, if you are quick enough, you can get onto the WLAN - and then (again, if quick enough) - either use the default web admin password to find a WLAN password (even if it's been changed), so you can then reconnect shortly after, or do a quick network probe? Granted that's a tight window of opportunity, but still!

    [EDIT] Ah yes - a powershell to reboot a SuperHub - if you know the password. Assume it's default, and a bit of cross site jiggery-pokery with a form post/social engineering - and away you go, router reboots, WLAN available briefly...[/EDIT]

    Personally, opt for "SACM" (standalone cable modem) mode and use my own WiFi. I'd still be using 802.1x EAP too if the firmware I use was updated to not break RADIUS :( (choice of stick with RADIUS but keep other vulns active, or upgrade and lose RADIUS)

    If you don't have your own router, change the WiFi AND admin passwords - which should be standard OpSec anyway. It wouldn't be that hard for device manufacturers to trap all web traffic when the thing is in "default" mode and force passwords to change, before letting it go fully operational....

    1. Charles 9

      Re: Erm....

      "If you don't have your own router, change the WiFi AND admin passwords - which should be standard OpSec anyway. It wouldn't be that hard for device manufacturers to trap all web traffic when the thing is in "default" mode and force passwords to change, before letting it go fully operational...."

      Unless people are so used to "plug and play" that they plug it in and keep complaining that instead of the Web they get these weird gibberish screens. MUST BE BROKEN! SEND IT BACK!

      It's hard to deal with BOTH security AND stupidity, and recall that consumer-level tech has to deal with LOTS of stupid.

  17. Baldrickk

    Not *that* bad

    There seems to be a lot of complaining, let's break it down:

    Weak (short) default password - bad - potentially 'easy' to crack

    Solution exists? - yes (change it)

    Weak admin password (changeme) - bad - if you are on the network and it hasn't been changed, you can get admin access

    Solution exists? - yes (change it - it even tells you to!)

    So... standard procedure is to change both.

    What other problems have people complained about?

    Poor wifi? not in my experience, 2 floors away and still getting near max throughput over Wifi - Steam home streaming at 1080p at that range works even better than I expected, odd dropped packet, but nothing really noticeable, maybe one 'glitch' every 5 minutes. and running Cat 6 all the way up the stairs did nothing to improve the latency. Network benchmarks show that wireless transfer operates at near max data rates too over the same connection. No problems there for me.

  18. J.G.Harston Silver badge

    The most annoying thing about the Hub 3.0 that Virgin foisted on me is that it's an inch taller than the Hub 2, has a curved stand, and the sockets are on the other side, so I can't mount it neatly in the corner of the cupboard where the 2.0 Hub went.
