June 23, 2017

Virgin Media issues important Super Hub security advice:

Sofa Bear said today (June 23rd):

The security of our network and of our customers is of paramount importance to us. We continually upgrade our systems and equipment to ensure that we meet all current industry standards.

The strongest passwords have a mixture of character types and are more than 12 characters in length. Those that are less than eight characters and not mixed are at a higher risk of being hacked. "Password" is not a good password, but "yZ8_tr*3B!td2?" is.
While our Hub 3.0 already contains additional security provisions, if you have an older Superhub you need to make sure you use a bespoke password that uses uppercase and lowercase letters, numbers and symbols, and keep it longer than 12 characters.

These steps will show you how to change your password if you use a Superhub 1, 2 or 2ac.

1. Connect your computer to the Super Hub using an Ethernet cable
2. Access the settings page by entering the web address shown on the Super Hub sticker. For a guide on how to do this, please see Configure Advanced Settings on your Virgin Media Hub.
3. Click Wireless Network Settings
4. If it isn't chosen already, set the Security Mode drop-down menu to WPA Auto, and then enter your desired new passphrase into the Passphrase box. When choosing your new passphrase we recommend at least twelve characters with a mix of upper case, lower case and numbers. It should be unique: not something you use for anything else
5. Click Save Settings, and then close the administration interface. All computers and devices that were wirelessly connected to the Super Hub will now be disconnected, because they will still be configured with the old WiFi network security key
6. Restart your computers and devices and try to reconnect to the Super Hub, and you should be prompted for the new passphrase. If you have difficulty in reconnecting to the WiFi network, follow our setup guides and remember to use your new passphrase:
Connecting a Windows device to your wireless network
Connecting an Apple Mac to your wireless network
Note: if you ever forget your new passphrase, you can set it back to the default by Resetting your Virgin Media Hub (this will also reset all other changes you have made to the Super Hub's settings)
7. Once all computers and devices are reconnected to the WiFi network, you can disconnect the Ethernet cable from the computer

All sound advice, but it sounds like the media's scaremongering again. This is posted by superuser Ravenstar68 on VM's Community Boards:
First off, I read the BBC News story and then decided to look for the Which? articles that prompted it.
http://www.which.co.uk/news/2017/06/virgin-urges-super-hub-2-password-change/#?intcmp=HP.hero.small....
http://www.which.co.uk/news/2017/06/could-your-smart-home-be-hacked/
So let's look at the reality.
1. Which? employed a dedicated company to hack the network in question.
2. It took them days to crack the default wifi passphrase
3. Most hackers are opportunists who won't take that much time and effort on a home connection.
4. Virgin set the default hub login password as changeme (change me). In addition, when users log into the hub they are normally told to change this as well via a nag screen.
Virgin actually ran a story in the news section yesterday.
https://community.virginmedia.com/t5/News/Make-your-network-extra-safe/ba-p/3456004
Which includes advice on how to change passwords on older routers.
It should be noted that when the SH2ac came out, Virgin introduced a requirement that if the password was the default, users were required to enter the WPS PIN, which was unique to each hub. So hackers couldn't breach the hub itself even if they gained access to the wifi network.
I do consider the headlines to be scaremongering, which is why I did my homework before posting.
Also note that 800,000 is the estimated number of SH2's on the network. Out of those:
Some users will automatically change the default SSID and passphrase as soon as they get the device.
Others can and do put the hub into modem mode and use their own router.
So while the general message is going out, the number of those at risk is lower than the quoted figure.

3 comments:

Scott McCarthy said...

To be blunt, anyone who doesn't change the default password on their router (regardless of their ISP) deserves what they get.

Danny Brooks said...

Agree

Danny Brooks said...

Am I missing something here, but doesn't every router have its own different wifi channel name (SSID) and password? It's only the login that's default (admin, changeme).