Virgin Media is advising 800,000 of its customers to change their router passwords over the fear that attackers could easily hack their devices.
On 23 June 2017, consumer choice advocacy organization Which? published the results of an investigation it conducted to analyze the security of connected devices in the home. It set up wireless cameras, a smart padlock, a Bluetooth-enabled children’s toy, and Virgin Media’s Super Hub 2.0 router, among other connected products. It then set ethical hackers from SureCloud loose on the mock smart home.
The security researchers found at least one vulnerability in eight out of the 15 devices included in the investigation. They found Virgin Media’s router came pre-programmed with a simple password, for example. SureCloud ultimately exploited this security weakness to gain access to the router within a matter of days.
In response, Virgin Media told 800,000 users of its Super Hub 2.0 router to update their passwords if they are still using their device’s default credentials. It’s also released a statement about what it’s doing to protect customers. As quoted by Which?:
“The security of our network and of our customers is of paramount importance to us. We continually upgrade our systems and equipment to ensure that we meet all current industry standards. To the extent that technology allows this to be done, we regularly support our customers through advice, firmware and software updates and offer them the chance to upgrade to a Hub 3.0 which contains additional security provisions.”
As part of their hacking efforts, SureCloud’s researchers found a couple of other devices that suffered from security issues. A web camera analyzed by the team operated over the web without a password, for instance, which allowed attackers to easily seize control of the device and use it to spy on unsuspecting users. Additionally, the researchers found they could exploit a flaw to issue their own voice messages over Bluetooth to the children’s toy.
Which? has received comments from several vendors of the products it included in its investigation. It has yet to hear from the makers of the web camera and children’s toy, however.
To be fair, the issue affecting Virgin Media’s Super Hub 2.0 isn’t unique to its router. Weak default credentials come with many Internet of Things products. In fact, malware like Mirai exploits this shortcoming to enslave vulnerable devices, build botnets of hundreds of thousands of products, and leverage these resources to perpetrate distributed denial-of-service (DDoS) attacks on the scale of what befell Dyn back in October 2016.
Owners of the Super Hub 2.0 should change their passwords, but so too should all users who are still using a default password on ANY web-connected device. When they do change those credentials, they should follow this advice on how to create a strong password.
For more information about the investigation conducted by Which?, watch this video.