Virgin Media hit by second router security risk in two weeks

Virgin Media has been forced to act on a second security risk warning about its wireless routers in as many weeks

Virgin Media has advised 800,000 customers using its Super Hub 2 router to change their default router passwords after consumer group Which? reported a vulnerability.

Ethical hackers were reportedly able to gain access to passwords, prompting Virgin Media to issue the security advisory. However, Virgin Media said the risk was small, and that the same issue existed with other routers of the same age and was not exclusive to the company’s Super Hub 2 router.

A spokesman said: “We continually upgrade our systems and equipment to ensure we meet all current industry standards. We regularly support our customers through advice and updates, and offer them the chance to upgrade to a Hub 3.0 which contains additional security provisions.”

In mid-June 2017, Virgin Media was forced to issue a software update for its Super Hub 2 and Super Hub 2AC routers made by Netgear after researchers from Context Information Security were able to gain administrative-level access by reverse engineering software for the devices.

The Which? investigation was carried out by security researchers SureCloud, who tested 15 internet-connected devices and found eight to have security flaws, including the Super Hub 2 router, internet-connected cameras and a child’s toy.

The consumer group has contacted the makers of the affected devices and called on all smart device manufacturers to improve security provisions by requiring users to create a unique password before use, adding two-factor authentication, and issuing regular software updates.

However, James Romer, chief security architect for Europe at SecureAuth, has described these measures alone as inadequate. “The way organisations are approaching authentication and securing credentials needs to be rethought for cyber security strategy and investment to have any shot at being successful,” he said.

According to Romer, simple two-factor authentication is no longer enough to safeguard against today’s attacks.

“Organisations are realising they need to adopt a new approach to prevent the misuse of stolen credentials that doesn’t just add an extra step to users’ authentication process, but instead provides effective protection while providing a good user experience.

“Modern approaches such as adaptive access control techniques and identity-based detection work invisibly to the user, but protect, detect, and ultimately remediate attacks essentially rendering stolen credentials useless,” he said.

Supplier responsibility

Matthias Maier, security evangelist at security firm Splunk, said suppliers need to think about the responsibility they have for the maintenance of a device for its full lifecycle.

“They need to introduce monitoring for flaws and ensure over-the-air updates are available so that their customers are better protected,” he said.

Maier said it should not be left to users to change passwords because not all are likely to respond, which means that vulnerable systems will continue to be available to attackers over an extended period of time.

As more and more devices become connected, security firm Kaspersky Lab reports it is seeing cyber criminals start to extend their portfolios and exploit vulnerabilities in devices that were not previously accessible.

David Emm, principal security researcher at Kaspersky Lab, recommends reducing the risks associated with internet-connected devices by:

  • Ensuring that default username and password are changed.
  • Ensuring that all devices are up to date with all the latest security and firmware updates.
  • Using encryption or at least a password-protected ZIP file to store data.
  • Setting up a “private” network for devices to restrict network access to and from this device.
  • Monitoring outbound network traffic from devices to see if there is anything strange going on.
  • Allowing devices to download only updates and nothing else.
