Virgin Media has warned customers: change your router's default credentials or run the risk of being hacked.
While the company says the risk is 'small', it is urging over 800,000 customers with SuperHub 2 routers to change the details to protect themselves after an investigation from consumer advocacy site Which? found that hackers could gain access to home networks and connected appliances in as little as four days.
Enlisting ethical security researchers SureCloud, Which? found that hackers can easily access the router with freely available tools and, within a couple of days, have full access to the target network. It is so easy because the default password on the SuperHub 2 is made up of eight characters from a standard lowercase A-Z alphabet. By contrast, Which? says doing the same on the current model would take over 250 million years.
Virgin Media insists that this isn't an issue specific to just its routers, but rather one that affects routers of the same age, when that length of password was the standard default. A spokesman for the company said: “The security of our network and of our customers is of paramount importance to us. We continually upgrade our systems and equipment to ensure that we meet all current industry standards.”
While the company should be commended for its swift action in addressing this issue and instructing its customers towards an easy solution, the question must be asked why it had to get to this point for the ISP to publicly say what security experts have been shouting about for years.
“Organisations that provide internet connected devices to consumers need to think carefully about how they will overcome the security challenge that will inevitably come with the devices they produce,” said Matthias Maier, security evangelist at software vendor Splunk. “Suppliers need to think about the responsibility they have for owning the maintenance of a device for its full lifecycle. They need to introduce monitoring for flaws and ensure over-the-air (OTA) updates are available so that their customers are better protected.
“In this example, individuals are being asked to change their passwords, but human nature tells us that it’s questionable if all of their customers will do it. As a result, it's likely that vulnerable systems will continue to be available over an extended period of time with hackers inevitably using them for malicious purposes.”
Essentially, the issue is that the majority of consumers aren't aware that they should change the default information for their devices – and this goes for smart-home products just as much as it goes for routers.
Say what you like about the quality of Apple products in comparison to similarly priced devices, but one of the best experiences I've had with new purchase security is when I bought an Airport Express a few years ago. Using an app on my Mac, I was able to easily set up the router and, most importantly, set my own security credentials. Until we get to the point where it is the default to create your own security info during setup, users simply won't be aware that they are vulnerable until it's too late.
This is a sentiment that is reflected by Alex Neill, Which? managing director of home products and services: “There are a number of steps people can take to better protect their home, but hackers are growing increasingly more sophisticated. Manufacturers need to ensure that any smart product sold is secure by design.
“There is no denying the huge benefits that smart-home gadgets and devices bring to our daily lives. However, as our investigation clearly shows, consumers should be aware that some of these appliances are vulnerable and offer little or no security.”