Virgin Media router security flap follows weak password expose
You're not using the password from the sticker, are you?
Virgin Media has urged 800,000 customers to change their passwords to guard against possible hacking attack.
The move follows an investigation by consumer mag Which? that discovered hackers could access the UK cableco's Super Hub 2 router, allowing access to IoT devices connected through the same home network. The issue stems from shortcomings in the default password Virgin Media prints on its routers than a recently discovered security vulnerability in routers it supplies.
Virgin Media stickered default router password is constrained to certain characters, lowering password entropy in the process and making it easier for hackers to mount successful brute force attacks.
"It appears to be that the default Wi-fi PSK is too short. 8 char a-z. Not exactly a new story though," Pen Test Partners' Ken Munro told El Reg. "[It] seems unfair for Which to finger just Virgin, as most ISPs have had weak default PSKs at some point," he added.
Virgin Media pointed El Reg towards a customer forum post on the issue, adding: "I can reassure you the threat to our security is minimal".
David Emm, principal security researcher, Kaspersky Lab, said: "Cybercriminals routinely make use of vulnerabilities, and the case of Virgin Media’s Super Hub 2 router highlights the fact that there are more connected devices than ever before, and therefore, more potential vulnerable devices that can be compromised."
The issue highlights wider concerns about consumer router security, which has been a problem for years - long before the rise of the infamous Mirai botnet late last year prompted more ISPs to sit up and finally take notice. Mirai spread thanks to a mixture of open ports and weak default passwords. In some cases, simply changing passwords wasn't enough and a firmware update would be needed.
Matthias Maier, security evangelist at Splunk, said: "Organisations that provide internet connected devices to consumers need to think carefully about how they will overcome the security challenge that will inevitably come with the devices they produce. Suppliers need to think about the responsibility they have for owning the maintenance of a device for its full lifecycle. They need to introduce monitoring for flaws and ensure over-the-air (OTA) updates are available so that their customers are better protected." ®