Who actually uses the router ?
I thought SOP was to disable the POS and just use it as a modem with a real grown up router ?
Virgin Media has urged 800,000 customers to change their passwords to guard against possible hacking attack. The move follows an investigation by consumer mag Which? that discovered hackers could access the UK cableco's Super Hub 2 router, allowing access to IoT devices connected through the same home network. The issue stems …
you can't change the lan-side IP address of that thing
Wow. Just, wow.
(In a previous workplace, our internal LAN was using 192.168.1.0/24 [not my decision, was in place when I joined and would be a nightmare to change because of hardcoded paths in stuff like industrial control equipment]. Then the Sales Director demanded, not unreasonably, that all his staff needed to use VPN from home. Most of them were using BT Home, which defaulted to using (you've guessed it) 192.168.1.0/24 for the LAN. Much hilarity ensued until I managed to get people instructions on how to change their Home Hub to use a different range.)
I do. The folks from Virgin came and installed the kit, and it appears to work.
Genuinely, can someone tell me what advantage there would be to buying another router, and if so which (for a sensible it's-only-as-an-optional-improvement price)?
At the moment I use WiFi for quite a few items, and have several PCs linked up to it via powerline adapters thru the house. The typical download speed on those PCs is 50-60mbps.
The range is not brilliant, so I'd be happy to extend that.
er ... isn't the article you just commented on reason enough ?
I recall the previous "router" as per another commentard upthread. It had a fixed IP, which clashed with my existing network. HOWEVER, as shipped, it didn't even allow modem mode - it needed to be upgraded OTA to enable it.
First rule of internet is never use your ISP's router. For no other reason than you have no idea what backdoors they put in it.
Generally Virgin have form for crippling kit. Look at the TiVo. I wonder what the US owners make of the pisspoor reputation it has in the UK ???
"er ... isn't the article you just commented on reason enough ?"
The investigation which found the backup bug thought it to be tightly locked down. The issue here is weak default passwords (because the production line handling stickers can only cope with stickers of such-and-such size and accessibility requirements means the font must be a minimum of such-and-such size).
"er ... isn't the article you just commented on reason enough ?"
I doubt it, since the problem outlined in the article can be avoided by changing the password. No need to stop using the router. Also, the problem outlined in the article is not fixed by buying a separate router if you put an equally weak password on the second box.
In short: the router is not the problem here.
I put a Cisco RV-320 on as the first device - so that basically gives me a business class VPN right there, with remote management if I need it and various dynamic DNS registrations for fulfilling that function. There's naturally firewall and proper NAT functions there, as well as the DHCP, and a failover route if I ever feel the need.
Then for the WiFi, I used one of the free-if-you-attend-their-seminars Meraki MR18 access points which I plug into the RV-320 via a POE injector. When the provided license for that ran out after 3 years, I swapped it to an Open MESH access point. I pay for 70 meg, I get 70 meg, even over WiFi when I'm in the flat. Out on the lawns it drops to around 20-30 meg due to the distance. I do get a drop out once or twice a day, but that's the pigging Virgin side. Within the LAN, so back to my DLNA and file server, I get gigabit speeds over copper with absolutely no drop out and full control over QoS. 24/7/365 (barring UK power issues).
The Superhub 2 was an utter PoS. WiFi dropped out, wouldn't bond the 2.4 and 5GHz, there was no control over the QoS, the wired network dropped out regularly even, locked up DHCP every couple of months, requiring a factory reset, can't do dynamic DNS so I could remote in to check it if the flatmate called up because the WiFi had bombed out again...
"I assume that if you using just as a modem, then any attacker would have to have access to your network anyway (either through direct connection or wifi on your router) to use this vulnerability?"
No, an attacker, at best, will be banging on the door of your router. If it's a decent router with strong credentials, ie much stronger than the VM SuperHub (Other crap ISPs routers are available) then they likely don't have access to either the router or anything on your side of the router.
Even if they do spend time trying to get through your router, the fact you are not using the ISP router with its weak attack surface means you likely will have a stronger security policy inside your LAN too. They'll most likely not bother and move on to the vast number of people who think their LAN side is secure behind the default ISP router with default credentials.
I would guess 99% of customers, who take as much interest in the workings of their internet gubbins as they do in their electricity consumer unit. And why not, they are the customer paying for a service. They are not all geeks, still less are they service technicians. The damn thing should just work, properly. If others have an itch they like to scratch that is fine, but it's not most people's cup of tea.
It can't port forward correctly, the wifi is shit, can't change LAN IP, can't block LAN-side ports exiting, can't prioritise traffic, do I really need to go on?
Luckily I had an old Dell SonicWall from work I've been using but there are loads of cheap routers out there.
Surely the first thing you do with a car is get the ECU mapped with a grown up config?
Assuming that you don't care about manufacturer's warranty[1], yes.
[1] And, under some[2] circumstances, invalidating your insurance. Or, if you tell your insurance, raising the rate from "extortionate" to "selling first, second and third born".
[2] s/some/most/g
My default one was 40 characters long, [a-z0-9?#@$%^&*()@!] .... and yet, still memorable ... I changed it to something else, of course ...
VirginMedia, tell me, who lets those flawed loonies design routers ? Fire the entire team, in-ex-cusable, shit, pay up, get some decent staff, YES, they are more expensive, but savings across the board!
@downvoters
1. Don't care about down-votes, that is why I often troll ;-)
2. WTF ?
8 char a-z is OK ? Must be Microsoft fanboys ... listen, you have no F'ing clue.
I really think Virgin Media need to get their act together and hire competent staff, ANYBODY who signed off, implemented, tested "8 char a-z" as a password have ABSOLUTELY NOTHING to do in IT.
I heard they were looking for Window cleaners in Hull!
If you don't care about down-voters, why do you care enough to tell us you don't care?
Because I don't, however, this time I was not trolling and, imho, my comment made a hell of a lot of sense! I do not understand the downvotes this time, I just don't understand ... all I was saying is that they need to hire competent staff ... D'Oh! Seriously! WTF?
Most modern routers have a WPS button whose effects only last for a couple of minutes. Why not say that you can only log in during that window? (You could ignore the rule if the user changes the password to something strong enough.)
This is just a repeat of the perennial problem that passwords short enough for the average Joe to remember are not long enough to keep the average Joe's assets safe. It's going to keep coming around until we learn to stop relying solely on passwords.
Hans, I'm not sure who the "flawed loonies" are that you refer to. VirginMedia don't employ anyone to design routers. They pay Netgear to rebrand their models and use those. Are you suggesting that VirginMedia fire Netgear?
There is no problem with these routers that does not already exist in most of them in that keeping the default password on any supplied equipment is a ridiculous idea. It's not all that long ago that the default password on all NTL (who are now VirginMedia) came with a router/modem password which was "changeme".
I changed my passwords and those of my family the day they were installed.
As I read above. The Router is not at fault here and I'd go further and say the company are not at fault either. This is most definitely a user issue.
Depends on the instructions but the IP address for the Super hub 2 they are on the sticker on the bottom of the router.
For the Super hub 3, they are on the sticker the engineer hands to you, a pull out piece of card between the router and the plastic feet, AND a sticker on the bottom of the router.
They really like to help you.
Call me stupid but I'm guessing the issue here is brute forcing the password?
Why not update the firmware to do a few things?
1. Force password change before connecting back to the internet.
2. Add the old 3 failed attempts, 5 min lock out, 4, 10 min lockout and so on.
3. Disable external access to the router by default.
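The escalating lockout suggested in the comment above, as an added example that is not part of the original post or of any router firmware. The doubling beyond the second lockout, the 24-hour cap and the sample password are assumptions.

```python
import hmac

class LoginThrottle:
    """Escalating lockout for an admin login (constructed example).

    3rd consecutive failure locks for 5 min, 4th for 10 min; doubling after
    that and the 24 h cap are assumptions standing in for "and so on".
    """
    FREE_FAILURES = 2
    BASE_LOCKOUT = 5 * 60
    MAX_LOCKOUT = 24 * 3600

    def __init__(self, password):
        self._password = password.encode()
        self.failures = 0
        self.locked_until = 0.0

    def lockout_for(self, failures):
        """Seconds of lockout imposed by the Nth consecutive failure."""
        if failures <= self.FREE_FAILURES:
            return 0
        return min(self.BASE_LOCKOUT * 2 ** (failures - 3), self.MAX_LOCKOUT)

    def attempt(self, guess, now):
        """Return 'ok', 'denied' or 'locked'; `now` is seconds since boot."""
        if now < self.locked_until:
            return "locked"  # guess is not even evaluated while locked out
        if hmac.compare_digest(guess.encode(), self._password):
            self.failures = 0
            return "ok"
        self.failures += 1
        self.locked_until = now + self.lockout_for(self.failures)
        return "denied"

def guesses_in_window(window_seconds):
    """Count guesses available to a client that retries the moment it can."""
    throttle = LoginThrottle("constructed-sample-password")
    now, guesses = 0.0, 0
    while now <= window_seconds:
        throttle.attempt("wrong-%d" % guesses, now)
        guesses += 1
        now = max(now, throttle.locked_until)
    return guesses

if __name__ == "__main__":
    print(guesses_in_window(3600))        # guesses allowed in one hour
    print(guesses_in_window(30 * 86400))  # guesses allowed in thirty days
```

A throttle like this only limits online guesses against the router's own login; it does not slow guessing done away from the device.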
My superhub 2 - dated 2010 - lets me set the password. Four to fifteen characters, letters and numbers only.
Stunning.
Not something I've worried about since the first thing I did when I got it was turn the wireless off, and let my router handle that, but changed it anyway.
Interesting that there appears to be nothing on the Virgin Media site to hint that there might be an issue, and I've had no notification about this. Meh.
Super hub 3 is a 12 alpha/numeric/lower/upper wifi password so at 1 billion guesses a second it's going to take a maximum of 150 years from what I understand.
Isn't SH3 based on Puma6? Might take longer as Puma 6 kit connectivity isn't exactly stellar. At least I've not yet heard that VM would've patched it (especially the latency issue).
What he's saying is that the normal solution is to DISABLE that function altogether and use a different router. Trouble is, some ISPs MANDATE the use of their router or you can't go online, and if they're the only ISP in town, you're up Crap Creek unless you're willing to MOVE.
One of the companies I worked at, the remote users were supplied with internet access via virgin media so that they could work remotely. After a software update on the routers, the vpn stopped working.
After I got remote access, via teamviewer, I logged on to the router with the default password and ticked the box to allow vpn connections. All the sales droids asked how I knew their router password, my reply was it was the default one that was listed on the virgin website and perhaps they had better change it.
... on the folks who use the ISP-supplied router. It's good that El Reg readership includes people who are not necessarily techies, but who still have curiosity enough to be here.
And if you think the Virgin Routers are crummy, Sky is even worse. We have both connections to this house (can't afford to be offline) and I use a Draytek router for load balance and redundancy, and while the Virgin hub did at least allow me to set it to Modem-Only mode, the POS that Sky provided won't even let you do that. Bypassing Sky's rubbish was tedious, to say the least.
(But yes, for those who are wondering: the router supplied by your ISP will work, but it will be cheap, nasty, crippled and probably horribly vulnerable.)
I may be wrong (probably am!) but is the other issue resolved?
i.e the one whereby when the router powers up, for 7 seconds or so, there is no encryption set on the WiFi? o_O
Thus, if you are quick enough, you can get onto the WLAN - and then (again, if quick enough) - either use the default web admin password to find a WLAN password (even if it's been changed), so you can then reconnect shortly after, or do a quick network probe? Granted that's a tight window of opportunity, but still!
[EDIT] Ah yes - a powershell to reboot a SuperHub - if you know the password. Assume it's default, and a bit of cross site jiggery-pokery with a form post/social engineering - and away you go, router reboots, WLAN available briefly...[/EDIT]
Personally, opt for "SACM" (standalone cable modem) mode and use my own WiFi. I'd still be using 802.1x EAP too if the firmware I use was updated to not break RADIUS :( (choice of stick with RADIUS but keep other vulns active, or upgrade and lose RADIUS)
If you don't have your own router, change the WiFi AND admin passwords - which should be standard OpSec anyway. It wouldn't be that hard for device manufacturers to trap all web traffic when the thing is in "default" mode and force passwords to change, before letting it go fully operational....
"If you don't have your own router, change the WiFi AND admin passwords - which should be standard OpSec anyway. It wouldn't be that hard for device manufacturers to trap all web traffic when the thing is in "default" mode and force passwords to change, before letting it go fully operational...."
Unless people are so used to "plug and play" that they plug it in and keep complaining that instead of the Web they get these weird gibberish screens. MUST BE BROKEN! SEND IT BACK!
It's hard to deal with BOTH security AND stupidity, and recall that consumer-level tech has to deal with LOTS of stupid.
There seems to be a lot of complaining, let's break it down:
Weak (short) default password - bad - potentially 'easy' to crack
Solution exists? - yes (change it)
Weak admin password (changeme) - bad - if you are on the network and it hasn't been changed, you can get admin access
Solution exists? - yes (change it - it even tells you to!)
So... standard procedure is to change both.
What other problems have people complained about?
Poor wifi? Not in my experience, 2 floors away and still getting near max throughput over Wifi - Steam home streaming at 1080p at that range works even better than I expected, odd dropped packet, but nothing really noticeable, maybe one 'glitch' every 5 minutes. And running Cat 6 all the way up the stairs did nothing to improve the latency. Network benchmarks show that wireless transfer operates at near max data rates too over the same connection. No problems there for me.