800,000 Virgin Media customers exposed to threat of hack


Virgin Media has been hit with a heavy body blow after an investigation by Which has revealed 800,000 of its Smart Hub 2 customers are at risk of being hacked.

The company has contacted all relevant customers advising them to change the default password supplied with the hub, which seems to be the root of the issue. Using publicly available hacking tools, the Which team targeted a real home which uses the Virgin Media Smart Hub 2 router, and cracked its password in a matter of days.

While it might cause a few blushed cheeks, we’d suggest the Virgin Media team should be getting the drinks in for Which. Yes, it uncovered a flaw in the matrix, but it is certainly better Which found the vulnerability than someone with more nefarious means.

“Using publicly available hacking tools that can be found on the web, we were able to crack the router password in just a few days,” the Which team said. “We were also able to log in to the router’s configuration page, since the default password for doing so is shared across all Super Hub 2 devices.”

Herein lies what should be one of the major concerns of the connected era. If everything is online, everything is at risk. The Smart Hub 2 router is a potential access point to a customer’s home network, and therefore a potential route to all other devices which are plugged into that network. It is one of the main problems with removing silos and bringing everything into the digital world. It creates an increasingly large perimeter to protect and a horde of gluttony to be feasted on once security features have been penetrated.

Virgin Media has seemingly responded relatively quickly, but has also played down the panic, highlighting that the number of Smart Hub 2 devices is falling day by day as customers upgrade. The Smart Hub 3.0 uses more complex passwords: 12 characters as opposed to 8, with a mix of upper- and lower-case letters as well as numbers. While it only took a matter of days to crack the password on Smart Hub 2, Which says it would take 262 million days to crack the latest version, due to the number of permutations.
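
To make the permutation argument concrete, the following is an added example (not code from Which or Virgin Media) that models a default-password scheme as alphabet size and length and compares worst-case exhaustive-search times. It assumes the 12-character scheme draws from 62 symbols (upper case, lower case, digits) and back-solves the guess rate from the 262 million day figure; the lowercase-only alphabet is an assumed narrower scheme, since the article does not state the older hub's character set.

```python
SECONDS_PER_DAY = 86_400

# Alphabet sizes. UPPER_LOWER_DIGITS matches the 12-character scheme the
# article describes; LOWER_ONLY is an assumed example of a narrower scheme.
UPPER_LOWER_DIGITS = 26 + 26 + 10
LOWER_ONLY = 26


def keyspace(alphabet: int, length: int) -> int:
    """Number of distinct passwords of exactly `length` characters."""
    return alphabet ** length


def implied_rate(alphabet: int, length: int, days: float) -> float:
    """Guesses per second at which exhausting the keyspace takes `days`."""
    return keyspace(alphabet, length) / (days * SECONDS_PER_DAY)


def days_to_exhaust(alphabet: int, length: int, rate: float) -> float:
    """Worst-case days to try every password at `rate` guesses per second."""
    return keyspace(alphabet, length) / rate / SECONDS_PER_DAY


def min_length(alphabet: int, rate: float, target_days: float) -> int:
    """Shortest length whose worst-case search time reaches `target_days`."""
    length = 1
    while days_to_exhaust(alphabet, length, rate) < target_days:
        length += 1
    return length


def report():
    # Rate implied by the article's 262 million days for 12 mixed characters.
    rate = implied_rate(UPPER_LOWER_DIGITS, 12, 262e6)
    return {
        "implied_guesses_per_second": rate,
        "8_mixed_days": days_to_exhaust(UPPER_LOWER_DIGITS, 8, rate),
        "8_lower_days": days_to_exhaust(LOWER_ONLY, 8, rate),
        "12_mixed_days": days_to_exhaust(UPPER_LOWER_DIGITS, 12, rate),
        # Length a vendor would need for a one-million-day floor.
        "min_len_mixed": min_length(UPPER_LOWER_DIGITS, rate, 1e6),
        "min_len_lower": min_length(LOWER_ONLY, rate, 1e6),
    }


if __name__ == "__main__":
    for name, value in report().items():
        print(f"{name}: {value:,.2f}")
```

Average-case time is half the worst case shown here. The ratio between schemes is what matters: four extra mixed-case characters multiply the search space by 62^4, roughly 14.8 million.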

This will certainly be a bit more comforting for customers but it does raise a couple of interesting questions. As consumers, are we aware of the new and old threats which are present in the digital economy? Or do we actually take them seriously?

“Passwords such as ‘123456’ and ‘Password1’ are commonly used across the internet,” said Jean-Frederic Karcher, Head of Security at Maintel. “And indeed, passwords are often the most valuable treasure for attackers, given people reuse passwords between accounts. It’s become increasingly apparent that the guidance security specialists give to change their passwords regularly isn’t effective.

“Instead, we need to acknowledge the failure of passwords. Passwords alone are no longer good enough for the Internet of today. There are now numerous password enforcement solutions available on the market, including next generation authentication technologies, which are able to authenticate identities in a way that is both stronger than passwords and also easier for people to use.”

And secondly, despite PR soundbites, are providers taking security seriously enough? Is the pace of change, combined with the threat of competition, brushing security concerns aside? Are we blindly walking into a dangerous alley in the pursuit of glimmering technology?

“Organisations that provide internet connected devices to consumers need to think carefully about how they will overcome the security challenge that will inevitably come with the devices they produce,” said Matthias Maier, Security Evangelist at Splunk.

“Suppliers need to think about the responsibility they have for owning the maintenance of a device for its full lifecycle. They need to introduce monitoring for flaws and ensure over-the-air (OTA) updates are available so that their customers are better protected.

“In this example, individuals are being asked to change their passwords, but human nature tells us that it’s questionable if all of their customers will do it. As a result, it’s likely that vulnerable systems will continue to be available over an extended period of time with hackers inevitably using them for malicious purposes.”

UPDATE 23/06/2017 17:00: Virgin Media gave us the following comment:

“The security of our network and of our customers is of paramount importance to us. We continually upgrade our systems and equipment to ensure that we meet all current industry standards. To the extent that technology allows this to be done, we regularly support our customers through advice and updates.”


One comment

  1. Richard Coltham 23/06/2017 @ 1:50 pm

    Let’s be brutally honest here, EVERYTHING is at risk of being hacked. To think it’s not is naïve in the extreme.

    The crux of this article though, is not that the devices were insecure, it’s that it would ONLY have taken up to 2 days of someone sitting in a van outside your house to crack your router….as opposed to 262 million days on the Smart Hub 3.

    Is this an acceptable risk..? Yes probably.
    Can you yourself do something about it..? Yeah, change your password to something stronger.
    Is the newer Hub 100% secure..? No, definitely not. The US Government could probably crack it in a blink of an eye given the right tools.
    Are the US government likely to park outside your house in the UK..? No.

    The biggest risk I see with any IoT device is the wetware – people using simple passwords, or not ever bothering to change standard factory issued ones. Who didn’t do this for routers in 1995…let alone 2017..?

    Bottom line: anything can be hacked. The time it takes to do so is the major limiting risk factor involved.
