Virgin Media warns 800,000 customers to change their WiFi router passwords

Super Hub 2 routers have weak default passwords that are easy to crack

Virgin Media is advising its 864,000 users of the older Hub 2 router to change their passwords.

The move follows a report by consumer group Which? in which security researchers were able to easily hack routers on which the default password had not been changed.

The Which? researchers tested router's security by targeting a real home that used the Virgin Media Super Hub 2 for its cable broadband. The default password is only eight characters long and consists of lowercase letters only.

"Using publicly available hacking tools that can be found on the web, we were able to crack the router password in just a few days. We were also able to log in to the router's configuration page, since the default password for doing so is shared across all Super Hub 2 devices," the researchers write.

"Following our successful hack of the Virgin router, we were effectively inside the home network and could target other connected devices. In the age of smart devices and the ‘internet of things', this sort of security vulnerability is particularly concerning."

The problem is not unique to Virgin. Media companies buy their routers from third-party manufacturers, and it is here that the issue of week security settings often lies. The Mirai botnet, was used to launch DDoS attacks of devastating power, was made passible by weak security in Chinese-made video cameras.

Virgin's latest model, the Super Hub 3.0 uses much stronger passwords than earlier versions and is not at risk. Using the same tools the Which? researchers estimate it would take would take 262 million years to breach its security.

A Virgin Media spokesperson said: ‘The security of our network and of our customers is of paramount importance to us. We continually upgrade our systems and equipment to ensure that we meet all current industry standards.

‘To the extent that technology allows this to be done, we regularly support our customers through advice, firmware and software updates, and offer them the chance to upgrade to a Hub 3.0 which contains additional security provisions.'

The company has provided guidelines as to how its Hub 2 users should change their passwords.

Earlier this month, in a case that a Virgin Media spokesperson has told Computing is unrelated to the password issue, security researchers were able to reverse engineer the Virgin router's firmware and to gain access by restoring backups of user configurations, such as port forwarding and dynamic DNS.

They were able to do this because the encryption key was found to be identical for all Super Hub 2 routers, meaning that if an attacker could hack one, they could effectively take over every single Virgin Media router of the same type.

Andy Monaghan, a principal security researcher at Context Information Security said at the time: "The Super Hub represents the default home router offering from one of the UK's largest ISPs and is therefore present in millions of UK households, making it a prime target for attackers.

"While ISP-provided routers like this are generally subject to more security testing than a typical off-the-shelf home router, our research shows that a determined attacker can find flaws such as this using inexpensive equipment."

Virgin Media has since deployed a firmware patch to the SuperHub 2 and 2AC affected.