800,000 Virgin Media Customers Suffer Another SuperHub 2 Security Scare

A new study conducted by consumer magazine Which?, which examined the security of connected devices in the home, has chastised Virgin Media for setting up their SuperHub v2 (VMDG485) cable broadband routers with a default password that is the same for many of their customers.

Some years ago it was not uncommon for ISPs to send out their bundled broadband routers with the same simple default login and password for the web-based admin interface or WiFi network (e.g. login: “admin” / password: “password” or the password may even be blank), although these days providers should know better and most will distribute their devices using randomised passwords.

Having any easily predictable password is bad because it opens an easy avenue for hackers to access and exploit your home network. Sadly many consumers don’t bother to change the login details when they receive their hardware, which is a basic thing that everybody should do, even if the password has been randomised (randomised passwords are often short and thus easy to brute force hack).

In this case Which? set-up a “smarthome” at the address of a Which? employee, which included a host of popular smart gadgets that can be found in houses across the UK. After that it hired ethical security researchers, SureCloud, to hack it. Alongside targeting the gadgets, SureCloud also ran surveillance on the home owner to gather information that could be used to breach their security and used phishing tactics (i.e. spoof emails and messages designed to trick someone into revealing personal details).

Unsurprisingly the SureCloud team was able to gain access to Virgin Media’s router “in just a few days“, although admittedly you’d expect that sort of result when setting an entire security team against a single home.

A Virgin Media Spokesperson said:

“The security of our network and of our customers is of paramount importance to us. We continually upgrade our systems and equipment to ensure that we meet all current industry standards. To the extent that technology allows this to be done, we regularly support our customers through advice, firmware and software updates and offer them the chance to upgrade to a Hub 3.0 which contains additional security provisions.”

Apparently Virgin Media has now contacted 800,000 of their SuperHub v2 using subscribers and advised them to change their passwords, while others may simply be upgraded to the new Hub 3.0 (SuperHub v3, for those who hate the silly naming convention changes).

Sadly the development follows only a couple of weeks after another security researcher found that hackers could abuse a file backup routine for the SuperHub v2 and v2A configuration, which could then be used to gain admin level access (here).

Not a good month for VM, although they’re by no means the only ISP to have made this mistake and indeed we believe that some smaller providers continue to use the same default password when distributing routers. Similarly some third-party routers purchased at retail will also use a default that remains the same for batches of the same unit. Simple rule.. ALWAYS CHANGE THE PASSWORD.