Home
 » ISP News » 
Sponsored

800,000 Virgin Media Customers Suffer Another SuperHub 2 Security Scare

Friday, June 23rd, 2017 (7:43 am) - Score 3,635

A new study conducted by consumer magazine Which?, which examined the security of connected devices in the home, has chastised Virgin Media for setting up their SuperHub v2 (VMDG485) cable broadband routers with a default password that is the same for many of their customers.

Some years ago it was not uncommon for ISPs to send out their bundled broadband routers with the same simple default login and password for the web-based admin interface or WiFi network (e.g. login: “admin” / password: “password” or the password may even be blank), although these days providers should know better and most will distribute their devices using randomised passwords.

Having any easily predictable password is bad because it opens an easy avenue for hackers to access and exploit your home network. Sadly many consumers don’t bother to change the login details when they receive their hardware, which is a basic thing that everybody should do, even if the password has been randomised (randomised passwords are often short and thus easy to brute force hack).

In this case Which? set-up a “smarthome” at the address of a Which? employee, which included a host of popular smart gadgets that can be found in houses across the UK. After that it hired ethical security researchers, SureCloud, to hack it. Alongside targeting the gadgets, SureCloud also ran surveillance on the home owner to gather information that could be used to breach their security and used phishing tactics (i.e. spoof emails and messages designed to trick someone into revealing personal details).

Unsurprisingly the SureCloud team was able to gain access to Virgin Media’s router “in just a few days“, although admittedly you’d expect that sort of result when setting an entire security team against a single home.

A Virgin Media Spokesperson said:

“The security of our network and of our customers is of paramount importance to us. We continually upgrade our systems and equipment to ensure that we meet all current industry standards. To the extent that technology allows this to be done, we regularly support our customers through advice, firmware and software updates and offer them the chance to upgrade to a Hub 3.0 which contains additional security provisions.”

Apparently Virgin Media has now contacted 800,000 of their SuperHub v2 using subscribers and advised them to change their passwords, while others may simply be upgraded to the new Hub 3.0 (SuperHub v3, for those who hate the silly naming convention changes).

Sadly the development follows only a couple of weeks after another security researcher found that hackers could abuse a file backup routine for the SuperHub v2 and v2A configuration, which could then be used to gain admin level access (here).

Not a good month for VM, although they’re by no means the only ISP to have made this mistake and indeed we believe that some smaller providers continue to use the same default password when distributing routers. Similarly some third-party routers purchased at retail will also use a default that remains the same for batches of the same unit. Simple rule.. ALWAYS CHANGE THE PASSWORD.

Leave a Comment
8 Responses
  1. Avatar Tom Bartlett says:

    Is the superhubs admin interface accessible from the WAN?

    If its not and you are dumb enough to get phished then this is probably the least of your problems.

    1. Avatar Optimist says:

      SuperHub firmware can be updated automatically by Virgin Media – how secure is that?

    2. Avatar Steve Jones says:

      All the major ISPs can update the firmware on their bundled modem/routers as far as I’m aware.

  2. Avatar Matt C says:

    Optimist

    So does Google Wifi. Auto update is a good thing as long as it is does correctly with signed firmware (note sure if Virgin’s is signed)

    1. Avatar CarlT says:

      The Superhub, in common with all cable gateways and modems, is updated through standard mechanisms for DOCSIS kit.

      It will be given an RFC 1918 address via DHCP, and will be provided a file to download during registration process.

      In order to compromise firmware an attacker needs to have control over various servers on the VM network, none of which are publicly addressed. A user with direct physical access to a Superhub cannot mess with its firmware without opening the case and attacking the PCB.

  3. Avatar CarlT says:

    This is really weird. If an attacker can attempt to log into the admin console of a Superhub they already have access to the LAN-side of the device. If they have access to the LAN-side of the device the Superhub’s admin console is the least of the user’s concerns.

    1. Avatar PaulM says:

      Also unless ive read this wrong, if these hub 2.0’s have the same default password why did it take a security team “just a few days” to gain access surely that would had been a few seconds??? Sounds like another nothing story from which.

  4. Avatar alan says:

    Appears it is a bruteforce attack on the router rather than any “default” password and knowing the devices came with an 8 letter random code using the letters a-z. Which explains why with several billion possible combinations it took them days. Or basically no different to most ISP supplied gear.

Comments are closed.

Comments RSS Feed

Javascript must be enabled to post (most browsers do this automatically)

Privacy Notice: Please note that news comments are anonymous, which means that we do NOT require you to enter any real personal details to post a message. By clicking to submit a post you agree to storing your comment content, display name, IP, email and / or website details in our database, for as long as the post remains live.

Only the submitted name and comment will be displayed in public, while the rest will be kept private (we will never share this outside of ISPreview, regardless of whether the data is real or fake). This comment system uses submitted IP, email and website address data to spot abuse and spammers. All data is transferred via an encrypted (https secure) session.

NOTE 1: Sometimes your comment might not appear immediately due to site cache (this is cleared every few hours) or it may be caught by automated moderation / anti-spam.

NOTE 2: Comments that break our rules, spam, troll or post via known fake IP/proxy servers may be blocked or removed.
Cheapest Superfast ISPs
  • Onestream £19.99 (*27.99)
    Avg. Speed 45Mbps, Unlimited
    Gift: None
  • TalkTalk £21.00 (*29.95)
    Avg. Speed 38Mbps, Unlimited
    Gift: None
  • NOW TV £22.00 (*40.00)
    Avg. Speed 36Mbps, Unlimited
    Gift: None
  • Vodafone £22.00
    Avg. Speed 35Mbps, Unlimited
    Gift: None
  • Hyperoptic £22.00
    Avg. Speed 50Mbps, Unlimited
    Gift: None
Prices inc. Line Rental | View All
The Top 20 Category Tags
  1. FTTP (2910)
  2. BT (2826)
  3. FTTC (1812)
  4. Building Digital UK (1776)
  5. Politics (1714)
  6. Openreach (1667)
  7. Business (1491)
  8. FTTH (1345)
  9. Mobile Broadband (1281)
  10. Statistics (1276)
  11. 4G (1105)
  12. Fibre Optic (1087)
  13. Wireless Internet (1050)
  14. Ofcom Regulation (1044)
  15. Virgin Media (1035)
  16. EE (729)
  17. Vodafone (708)
  18. TalkTalk (690)
  19. Sky Broadband (686)
  20. 5G (570)
Promotion
Helpful ISP Guides and Tips
»
»
»
»
»
»
»
»
»
»
»
»
»
»
»
»
»
»
»
»
»
»
»
»
»
»
»
»
»
Sponsored

Copyright © 1999 to Present - ISPreview.co.uk - All Rights Reserved - Terms , Privacy and Cookie Policy , Links , Website Rules , Contact