Virgin Media Customers Urged to Change Passwords

Virgin Media customers using the broadband giant’s Super Hub 2 routers have been urged to change their passwords after a Which? investigation revealed they could be cracked in days, allowing attackers to access connected home devices.

There are currently over 860,000 users of these router models in the UK potentially exposed if they are still using the default password printed on the router, the report claimed.

Using publicly available hacking tools, the consumer reviews site was able to crack the password in just a few days, because it is only eight characters long and uses only lowercase letters (a-z).

Doing so also gave the investigators access to the router’s configuration page and the ability to target other connected devices on the home network – which could range from smart baby monitors to home security systems.

Users were urged to replace default passwords with new credentials of at least 12 characters, including a mix of upper and lower-case letters, and numbers.

Those on the Super Hub 3 are apparently not at risk as it includes strong passwords by default.

The news comes just a week after researchers revealed a serious software bug in Netgear-produced Super Hub 2 and Super Hub 2AC models could have allowed hackers to remotely monitor users’ internet traffic.

Trend Micro's Bharat Mistry argued that router and IoT device manufacturers are still treating security as an afterthought as they rush to get products to market as quickly as possible and with easy set-up for the end user.

“The use of default usernames and passwords is a common technique used by most manufacturers to allow basic setup of the device, however it is the exploitation of these parameters that hackers use to compromise a device,” he added.

“If manufacturers took some basic steps such as on activation the consumer of the device is forced to change the username and password that would at least ensure credentials shipped with the product couldn’t be used.”

Source: Information Security Magazine