800,000 Virgin Media customer urged to change their router passwords

Virgin Media, a leading provider of internet, TV, and phone services in Britain, is urging customers to reset the passwords on their routers.

The advice comes after a Which? investigation, which raised concerns that the Virgin Super Hub 2 routers had a relatively weak eight character default password made up of lowercase letters from ‘a’ to ‘z’.

To put their concerns to the test, Which? employed the services of an ethical hacking firm which found it was able to crack into the routers in less than four days:

“Using publicly available hacking tools that can be found on the web, we were able to crack the router password in just a few days. We were also able to log in to the router’s configuration page, since the default password for doing so is shared across all Super Hub 2 devices.”

“As with all home routers, the Virgin Super Hub 2 is a gateway to your home network. Hack this, and you can potentially have access to other devices inside the home.”

The fear is that once a hacker has successfully broken into a vulnerable Virgin router, they could then target other ‘smart’ IoT devices connected to the home network.

Virgin Media is upgrading its customers to the more secure Super Hub 3.0 (which has, by default, a stronger 12-character password, using a mixture of upper and lower case alphabetical and numeric characters) but there are believed to be approximately 864,000 Super Hub 2 routers still in customers’ homes.

A Virgin Media spokesperson was keen to reassure customers that they took security seriously:

“The security of our network and of our customers is of paramount importance to us. We continually upgrade our systems and equipment to ensure that we meet all current industry standards. We regularly support our customers through advice and updates and offer them the chance to upgrade to a Hub 3.0 which contains additional security provisions.”

It’s worth bearing in mind that problems like this do not just exist in Virgin Media’s hardware, but are also likely to be present in routers supplied by other companies as well. Everyone would be wise to ensure that they when they install new internet-connected devices one of the first things they do is change the default password used to access the system, choosing a long, complicated, unique, and hard-to-crack alternative.

The world appears to be accelerating rapidly towards a future where every gadget imaginable has to be ‘smart’ and ‘connected’ with often little though to how well they are protected from security threats, or how easily they can be updated if vulnerabilities are found. Weak, easy-to-crack default passwords in routers only make the problem worse.

Virgin Media has published instructions on its website about how customers can change their Super Hub 2 passwords.

2 comments

  • By Matthew Parkes - Reply

    As you say Graham, users need to get into the habit of choosing a long and strong password/encryption key for their network and router admin credentials and change them at point of set up. It doesn’t really matter whether users have a Super Hub 2 or 3 or whatever else, even if there are other security features built into newer models, if default passwords and credentials are used it is potentially game over. The sad thing is passwords aside usernames aren’t always changeable as with SKY TV’s fibre and Sky Q routers.

  • By Jim - Reply

    Rather puzzled that Virgin are publishing instructions to its customers. Don’t any of its staff use Virgin?

  • Add Comment

    Your email address will not be published. Required fields are marked *