General : Virgin Media urges password change over hacking risk

[BenMcr]

If you're prepared to pay for it, true. But there is no need to change unless there is another reason to do so.

The SuperHub 2 has the same WPA2 security in it as the Hub 3.0 does.

The difference is the default password on the Hub 3.0 is longer and has more character variation than the SuperHub 2 does by default.

So if you update your wireless password to twelve characters with mix of upper case, lower case and numbers, then it'll be just as secure.

[JPAC]

Quote "We regularly support our customers through advice and updates and offer them the chance to upgrade to a Hub 3.0 which contains additional security provisions."

So...how much from a SH2 to SH3?

[BenMcr]

The offer to upgrade to the Hub 3.0 is part of speed and bundle changes e.g. when you go to VIVID 300 you'll get a Hub 3.0.

There is zero need to swap from a SuperHub 2 to a Hub 3.0 if your services don't need it.

[JPAC]

Perhaps you should tell VM PR that instead of everyone with a SH2 calling for a free SH3.

I'll risk it with a SH2 then.

[Osem]

Quote:

Originally Posted by BenMcr

This is talking about the default passwords printed on the bottom - mainly the wireless one, but it's also sense to update the admin one at the same time.

Details about how to change the Wireless password on all Virgin Media's Hubs are here:
https://help.virginmedia.com/system/...eless-password

And on the forum here http://community.virginmedia.com/t5/...e/ba-p/3456004

And here is how to change the admin page password:
https://help.virginmedia.com/system/...-page-password

What's missing from the BBC report is that it still took Which days to discover the default password:
http://www.which.co.uk/news/2017/06/...ssword-change/

TVM Ben.

I'm not panicking but the story reminded me about these passwords and I'm pretty sure we didn't change the default password.

Can I just ask what relevance, if any, the network name (i.e. what shows up our device in the available networks list) has in this. We didn't change that either, it's just the VM generated one (beginning VM...) which appeared during set up. Do we need to change that also or doesn't that matter?

[BenMcr]

The wireless name doesn't really matter.

You can change if you wish, but it's amazing how many people put personal info into the name e.g. 'BenMcr family' or something that's actually more identifiable that leaving it as is

[Osem]

Quote:

Originally Posted by BenMcr

The wireless name doesn't really matter.

You can change if you wish, but it's amazing how many people put personal info into the name e.g. 'BenMcr family' or something that's actually more identifiable that leaving it as is

Yes I'd noticed that looking at the other home networks which show up on the list here. Some a really very obvious, one I saw a while back actually included the street address.

[Ken W]

Quote:

Originally Posted by BenMcr

The wireless name doesn't really matter.

You can change if you wish, but it's amazing how many people put personal info into the name e.g. 'BenMcr family' or something that's actually more identifiable that leaving it as is

A person in my road has their house number and road name, how crazy is that?

[Gunslinger]

Not sure I understand how/why this should be an issue.
Presumably the default WiFi password printed on the bottom of the modem/router must be unique to each device - otherwise we would all be connecting to our neighbours' networks all the time. So how does that come to have been compromised?
The settings password is another thing, as the default is obviously common to all devices and the user is invited to change it - as I did at the time.

[Ken W]

Quote:

Originally Posted by Gunslinger

Not sure I understand how/why this should be an issue.
Presumably the default WiFi password printed on the bottom of the modem/router must be unique to each device - otherwise we would all be connecting to our neighbours' networks all the time. So how does that come to have been compromised?
The settings password is another thing, as the default is obviously common to all devices and the user is invited to change it - as I did at the time.

The default is changeme or admin and many don't change it.

[iadom]

Gunslinger is referring to the wifi password, not the router password Ken.

Even though that is unique, at a basic eight letters from 24, all lower case it is not very secure.

[Ken W]

Quote:

Originally Posted by iadom

Gunslinger is referring to the wifi password, not the router password Ken.

Even though that is unique, at a basic eight letters from 24, all lower case it is not very secure.

Opps, but if some one got into your router they could then make changes to your wifi password or any other settings.

[RobboEdin]

Quote:

Originally Posted by Ken W

Opps, but if some one got into your router they could then make changes to your wifi password or any other settings.

... So they have to get past your wifi password first to access the Superhub settings or break into your property with a laptop to connect via Ethernet?

[JPAC]

Quote:

Originally Posted by Ken W

A person in my road has their house number and road name, how crazy is that?

That's nothing, VM told my neighbour that their password had to be at least 8 characters long and include at least one capital.

She chose, "MickeyMinniePlutoHueyLouieDeweyDonaldGoofyLon don" jk

[Springy]

The thing we need to see are the details on what the hack is.

The fact that it takes a few days (i think i read 4 days somewhere) to crack the password seems like a brute force attack, which does make it better as it isn't a flaw like a remote code execution.

So I just looked at my default wifi password on my superhub 2 it is "anyasdwe" (which is a lie as the 5 last characters is different just incase it can be used against me).

It looks like virgin is using an 8 character only lower alpha password. This gives 8^26 combination and according to a http://calc.opensecurityresearch.com cracking a WPA Key will take over 2 years to crack. This is different to a "few days"

Now look at the password I put above, it begins with "any". If Virgin has on all superhub 2 employed a password that has fixed characters somewhere in the password or a predefined set of defaults, this will reduce the complexity of the wifi password. So instead of guessing 8 characters, you might only need to guess 5 characters with the first 3 characters already known from a predefined list that virgin always use. This greatly reduces the time to crack. For example, 5 character password all lower case take just over an hour to break in.

I would like to know from other superhub 2 users if the first three characters of their default password is "any". That will be interesting...

Alternatively, the password could be derived based on the SSID . So maybe there is something in the SSID that could be seeding the password, which again means that a secret is known which greatly reduces the amount of tries it take to crack the password.

But yeah, if you haven't done so already, make sure your wifi password is not the default!