Cable Forum

admars 23-06-2017 09:20

Virgin Media urges password change over hacking risk
 
http://www.bbc.co.uk/news/uk-40371373

Quote:

Virgin Media has told 800,000 customers to change their passwords to protect against being hacked.
An investigation by Which? found that hackers could access the provider's Super Hub 2 router, allowing access to users' smart appliances.
A child's toy and domestic CCTV cameras were among the vulnerable devices.
Virgin Media said the risk was small but advised customers using default network and router passwords to update them immediately.

iadom 23-06-2017 09:29

Re: Virgin Media urges password change over hacking risk
 
Is this the wifi password or the router login password?

Mr K 23-06-2017 09:43

Re: Virgin Media urges password change over hacking risk
 
They seem to think they fixed the flaws last week??
https://www.uswitch.com/broadband/ne...security_flaw/

Quote:

Virgin Media has assured customers with a Super Hub router that a security flaw has been resolved.

Researchers from Context Information Security found vulnerabilities in the Super Hub 2 and Super Hub 2AC that meant hackers could monitor traffic going in and out of the device.

This was possible because, although configuration back-ups had been encrypted, the private encryption key was identical across all UK hubs.

Virgin Media has now deployed a firmware patch that addresses this shortcoming and assured customers they are no longer at risk.

Need to make their minds up, is it secure or not?

admars 23-06-2017 09:46

Re: Virgin Media urges password change over hacking risk
 
it would be sensible to change both from the default

Stuart 23-06-2017 09:46

Re: Virgin Media urges password change over hacking risk
 
It's a good idea to change your password anyway, as if the hackers have the config of the router, they will have your old password.

iadom 23-06-2017 09:57

Re: Virgin Media urges password change over hacking risk
 
Did change my router login password from the default as soon as I got this hub a while back.

denphone 23-06-2017 09:59

Re: Virgin Media urges password change over hacking risk
 
Quote:

Originally Posted by Stuart (Post 35904446)
It's a good idea to change your password anyway, as if the hackers have the config of the router, they will have your old password.

I gather this flaw does not affect the SH3?

Mr K 23-06-2017 10:00

Re: Virgin Media urges password change over hacking risk
 
Done, another password to forget though (!)

The BBC report is rubbish - 'Virgin Media has told 800,000 customers' - they haven't told me - found out via BBC News....

iadom 23-06-2017 10:13

Re: Virgin Media urges password change over hacking risk
 
May need to check my daughter's hub for router login, was the router login password default 'password' or 'changeme'?

General Maximus 23-06-2017 10:17

Re: Virgin Media urges password change over hacking risk
 
Quote:

Originally Posted by Mr K (Post 35904449)
The BBC report is rubbish - 'Virgin Media has told 800,000 customers' - they haven't told me

Me neither, no letters or emails or anything. This is the first I have heard about it. I am not stupid enough though to leave the default passwords in place, the very first thing I did when I got my shub was change the password and put it in modem mode.

Mr K 23-06-2017 10:32

Re: Virgin Media urges password change over hacking risk
 
Quote:

Originally Posted by General Maximus (Post 35904455)
Me neither, no letters or emails or anything. This is the first I have heard about it. I am not stupid enough though to leave the default passwords in place, the very first thing I did when I got my shub was change the password and put it in modem mode.

Yes, I'm in modem mode. Begs the question, is this an issue if you are in modem mode? Best to change it anyway, I guess.

General Maximus 23-06-2017 10:44

Re: Virgin Media urges password change over hacking risk
 
I don't think so, because in order to get to the device on your network they still need to go through your proper router.

Osem 23-06-2017 10:54

Re: Virgin Media urges password change over hacking risk
 
We have one of these but I don't remember any of the set up so how do I check? Could someone post some clear simple information as to what users need to do and how to do it please? I have just checked and we are still using a code which is stamped on the bottom of the SH when we need to access wi-fi. Is this what needs to be changed, something else or both? Cheers as always. :tu:

BenMcr 23-06-2017 11:06

Re: Virgin Media urges password change over hacking risk
 
This is talking about the default passwords printed on the bottom - mainly the wireless one, but it's also sense to update the admin one at the same time.

Details about how to change the Wireless password on all Virgin Media's Hubs are here:
https://help.virginmedia.com/system/...eless-password

And on the forum here http://community.virginmedia.com/t5/...e/ba-p/3456004

And here is how to change the admin page password:
https://help.virginmedia.com/system/...-page-password

What's missing from the BBC report is that it still took Which days to discover the default password:
http://www.which.co.uk/news/2017/06/...ssword-change/

Quote:

Using publicly available hacking tools that can be found on the web, we were able to crack the router password in just a few days.

JPAC 23-06-2017 11:24

Re: Virgin Media urges password change over hacking risk
 
This seems to suggest you can have an SH3 just for asking, true/false?

BenMcr 23-06-2017 11:24

Re: Virgin Media urges password change over hacking risk
 
If you're prepared to pay for it, true. But there is no need to change unless there is another reason to do so.

The SuperHub 2 has the same WPA2 security in it as the Hub 3.0 does.

The difference is the default password on the Hub 3.0 is longer and has more character variation than the SuperHub 2 does by default.

So if you update your wireless password to twelve characters with a mix of upper case, lower case and numbers, then it'll be just as secure.

JPAC 23-06-2017 11:27

Re: Virgin Media urges password change over hacking risk
 
Quote "We regularly support our customers through advice and updates and offer them the chance to upgrade to a Hub 3.0 which contains additional security provisions."

So...how much from a SH2 to SH3?

BenMcr 23-06-2017 11:32

Re: Virgin Media urges password change over hacking risk
 
The offer to upgrade to the Hub 3.0 is part of speed and bundle changes e.g. when you go to VIVID 300 you'll get a Hub 3.0.

There is zero need to swap from a SuperHub 2 to a Hub 3.0 if your services don't need it.

JPAC 23-06-2017 11:43

Re: Virgin Media urges password change over hacking risk
 
Perhaps you should tell VM PR that instead of everyone with a SH2 calling for a free SH3.

I'll risk it with a SH2 then. ;)

Osem 23-06-2017 12:17

Re: Virgin Media urges password change over hacking risk
 
Quote:

Originally Posted by BenMcr (Post 35904478)
This is talking about the default passwords printed on the bottom - mainly the wireless one, but it's also sense to update the admin one at the same time.

Details about how to change the Wireless password on all Virgin Media's Hubs are here:
https://help.virginmedia.com/system/...eless-password

And on the forum here http://community.virginmedia.com/t5/...e/ba-p/3456004

And here is how to change the admin page password:
https://help.virginmedia.com/system/...-page-password

What's missing from the BBC report is that it still took Which days to discover the default password:
http://www.which.co.uk/news/2017/06/...ssword-change/


TVM Ben. :tu:

I'm not panicking but the story reminded me about these passwords and I'm pretty sure we didn't change the default password.

Can I just ask what relevance, if any, the network name (i.e. what shows up our device in the available networks list) has in this. We didn't change that either, it's just the VM generated one (beginning VM...) which appeared during set up. Do we need to change that also or doesn't that matter?

BenMcr 23-06-2017 12:29

Re: Virgin Media urges password change over hacking risk
 
The wireless name doesn't really matter.

You can change if you wish, but it's amazing how many people put personal info into the name e.g. 'BenMcr family' or something that's actually more identifiable than leaving it as is.

Osem 23-06-2017 13:41

Re: Virgin Media urges password change over hacking risk
 
Quote:

Originally Posted by BenMcr (Post 35904505)
The wireless name doesn't really matter.

You can change if you wish, but it's amazing how many people put personal info into the name e.g. 'BenMcr family' or something that's actually more identifiable than leaving it as is.

Yes I'd noticed that looking at the other home networks which show up on the list here. Some are really very obvious, one I saw a while back actually included the street address.

Ken W 23-06-2017 14:24

Re: Virgin Media urges password change over hacking risk
 
Quote:

Originally Posted by BenMcr (Post 35904505)
The wireless name doesn't really matter.

You can change if you wish, but it's amazing how many people put personal info into the name e.g. 'BenMcr family' or something that's actually more identifiable than leaving it as is.


A person in my road has their house number and road name, how crazy is that?

Gunslinger 23-06-2017 15:15

Re: Virgin Media urges password change over hacking risk
 
Not sure I understand how/why this should be an issue.
Presumably the default WiFi password printed on the bottom of the modem/router must be unique to each device - otherwise we would all be connecting to our neighbours' networks all the time. So how does that come to have been compromised?
The settings password is another thing, as the default is obviously common to all devices and the user is invited to change it - as I did at the time.

Ken W 23-06-2017 15:34

Re: Virgin Media urges password change over hacking risk
 
Quote:

Originally Posted by Gunslinger (Post 35904532)
Not sure I understand how/why this should be an issue.
Presumably the default WiFi password printed on the bottom of the modem/router must be unique to each device - otherwise we would all be connecting to our neighbours' networks all the time. So how does that come to have been compromised?
The settings password is another thing, as the default is obviously common to all devices and the user is invited to change it - as I did at the time.



The default is changeme or admin and many don't change it.

iadom 23-06-2017 15:50

Re: Virgin Media urges password change over hacking risk
 
Gunslinger is referring to the wifi password, not the router password Ken.

Even though that is unique, at a basic eight letters from 24, all lower case it is not very secure.

Ken W 23-06-2017 16:10

Re: Virgin Media urges password change over hacking risk
 
Quote:

Originally Posted by iadom (Post 35904542)
Gunslinger is referring to the wifi password, not the router password Ken.

Even though that is unique, at a basic eight letters from 24, all lower case it is not very secure.


Oops, but if someone got into your router they could then make changes to your wifi password or any other settings.

RobboEdin 23-06-2017 16:16

Re: Virgin Media urges password change over hacking risk
 
Quote:

Originally Posted by Ken W (Post 35904544)
Oops, but if someone got into your router they could then make changes to your wifi password or any other settings.

... So they have to get past your wifi password first to access the Superhub settings or break into your property with a laptop to connect via Ethernet?

JPAC 23-06-2017 17:39

Re: Virgin Media urges password change over hacking risk
 
Quote:

Originally Posted by Ken W (Post 35904521)
A person in my road has their house number and road name, how crazy is that?

That's nothing, VM told my neighbour that their password had to be at least 8 characters long and include at least one capital.

She chose, "MickeyMinniePlutoHueyLouieDeweyDonaldGoofyLondon" :) jk

Springy 23-06-2017 23:12

Re: Virgin Media urges password change over hacking risk
 
The thing we need to see are the details on what the hack is.

The fact that it takes a few days (I think I read 4 days somewhere) to crack the password seems like a brute force attack, which does make it better as it isn't a flaw like a remote code execution.

So I just looked at the default wifi password on my Superhub 2; it is "anyasdwe" (which is a lie, as the last 5 characters are different, just in case it can be used against me).

It looks like Virgin is using an 8-character, lower-alpha-only password. This gives 8^26 combinations and, according to http://calc.opensecurityresearch.com, cracking a WPA key will take over 2 years. This is different to a "few days".

Now look at the password I put above, it begins with "any". If Virgin has on all superhub 2 employed a password that has fixed characters somewhere in the password or a predefined set of defaults, this will reduce the complexity of the wifi password. So instead of guessing 8 characters, you might only need to guess 5 characters with the first 3 characters already known from a predefined list that virgin always use. This greatly reduces the time to crack. For example, 5 character password all lower case take just over an hour to break in.

I would like to know from other superhub 2 users if the first three characters of their default password is "any". That will be interesting...

Alternatively, the password could be derived based on the SSID . So maybe there is something in the SSID that could be seeding the password, which again means that a secret is known which greatly reduces the amount of tries it take to crack the password.

But yeah, if you haven't done so already, make sure your wifi password is not the default!

iadom 23-06-2017 23:35

Re: Virgin Media urges password change over hacking risk
 
I read that they only use 24 of the possible 26 letters which reduces the time to crack by a considerable margin. Mine didn't have 'any' in it anywhere. :)

I can also confirm that my daughter's wifi password has no similarity to mine whatsoever.

Gunslinger 24-06-2017 02:06

Re: Virgin Media urges password change over hacking risk
 
Quote:

Originally Posted by Ken W (Post 35904541)
The default is changeme or admin and many don't change it.

I changed that one on the day I got it - it does rather invite that!
It's the WiFi password I'm not really sure about, OK so it's only 8 L/C characters, but is it a realistic risk that there are people going around with devices to crack into people's WiFi? Mine barely reaches all the rooms in the house, let alone out in the street. And it would be a pain to have to go around changing phones, NOW TV box, printer etc etc, not to mention occasional visitors I've given it to.

jb66 24-06-2017 08:55

Re: Virgin Media urges password change over hacking risk
 
What is there to gain from finding out my Wi-Fi password?

Mr K 24-06-2017 10:55

Re: Virgin Media urges password change over hacking risk
 
Quote:

Originally Posted by jb66 (Post 35904616)
What is there to gain from finding out my Wi-Fi password?

Seeing as VM are now allowing any other VM customer to use your WiFi it does become a bit irrelevant. Opt for modem mode and use your router instead of VM's insecure equipment, faster speeds too.

RobboEdin 24-06-2017 11:30

Re: Virgin Media urges password change over hacking risk
 
Quote:

Originally Posted by Mr K (Post 35904624)
Seeing as VM are now allowing any other VM customer to use your WiFi it does become a bit irrelevant. Opt for modem mode and use your router instead of VM's insecure equipment, faster speeds too.

...and that's the sort of ill-informed rubbish that gets rumours going. Get your facts straight before writing such piffle.

Gunslinger 24-06-2017 14:31

Re: Virgin Media urges password change over hacking risk
 
Quote:

Originally Posted by jb66 (Post 35904616)
What is there to gain from finding out my Wi-Fi password?

Depends where you live and who lives around you. People could use your connection to download all sorts of illegal stuff or commit other crimes, for which you might get the blame because your IP address would be all over it.

However to do that they have to be in signal range of the router. To break your password, possibly for many hours. To be honest, the signal from my Superhub is pretty iffy at the other end of the house, let alone out in the street or in neighbouring properties, so maybe the risk is not so great?

Springy 24-06-2017 15:08

Re: Virgin Media urges password change over hacking risk
 
Quote:

Originally Posted by jb66 (Post 35904616)
What is there to gain from finding out my Wi-Fi password?

Basically allows an attacker into your network. Once in they could do quite a lot of things. For example the recent WannaCry could be exploited inside the network by just hitting the SMB server of an affected device.

Basically it allows an attacker to see what you have connected on your network, scan for any device with known exploits and do something with it. Especially with the rise of insecure IoT devices.

richard s 25-06-2017 15:46

Re: Virgin Media urges password change over hacking risk
 
Probably force.

tidder23 26-06-2017 20:30

Re: Virgin Media urges password change over hacking risk
 
Quote:

Originally Posted by jb66 (Post 35904616)
What is there to gain from finding out my Wi-Fi password?

they could do a man in the middle attack which means they can funnel all your traffic through them

one thing they could do redirecting online banking sites to trick you to give up your information

years ago I used to take over my brother's Facebook account and write stupid messages on his wall

and if you are thinking there is no master hacker living near you
the hacking tools i used was basically a numbered list (press 1 to hack and press 2 to evil laugh)

only thing stopping them is your Wi-Fi password

Kushan 27-06-2017 11:01

Re: Virgin Media urges password change over hacking risk
 
Quote:

Originally Posted by iadom (Post 35904596)
I read that they only use 24 of the possible 26 letters which reduces the time to crack by a considerable margin. Mine didn't have 'any' in it anywhere. :)

I can also confirm that my daughter's wifi password has no similarity to mine whatsoever.

Don't forget, it's case sensitive, so it's more like 48 letters + numbers. 58 vs 62 possible characters isn't quite a big difference.

Having said that, password length will always trump complexity. While I agree the default passwords on routers are possibly not terribly secure, they should be changed regardless.

If you change it to a password that's 15+ characters long, even purely lower case will be more secure than a "complex" 8 character password.

To give an example, if you have an 8 character password to which any of the 8 characters can be one of 100 possible values (26 lowercase + 26 uppercase + 10 numeric + a bunch of symbols, punctuation, spaces, etc.), you'd get 10,000,000,000,000,000 possibilities.

Whereas if you have a 15 character long password of just lower case letters, it's 1,677,259,342,285,725,925,376 possible combinations. Length really does trump complexity.

10,000,000,000,000,000
vs
1,677,259,342,285,725,925,376

Use a passphrase of uppercase and lowercase letters with some punctuation thrown in and nothing will ever brute force it, even with dictionary attacks.
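
Added example, not part of any post in this thread: the keyspace arithmetic behind the figures posters quote here (24 or 26 lowercase letters at 8 characters, 8 characters from 100 symbols, 15 lowercase, 12 mixed-case alphanumerics), plus Springy's what-if of predictable leading characters and a word-based passphrase. The guess rate and the 7776-word list size are assumptions chosen for illustration, and every figure applies only to secrets chosen uniformly at random.

```python
import math
import secrets
import string

# Assumed offline guess rate, for illustration only (not a figure from the thread).
ASSUMED_GUESSES_PER_SEC = 1_000_000
# Assumed word-list size for a randomly generated passphrase (a Diceware-sized list).
ASSUMED_WORDLIST_SIZE = 7776


def keyspace(alphabet_size: int, length: int, known_chars: int = 0) -> int:
    """Candidates for a uniformly random string of `length` symbols.

    `known_chars` models the what-if raised in the thread: positions an
    attacker can predict contribute nothing, so only the rest count.
    """
    if alphabet_size < 2 or length < 1 or not 0 <= known_chars <= length:
        raise ValueError("invalid policy")
    return alphabet_size ** (length - known_chars)


def passphrase_space(wordlist_size: int, words: int) -> int:
    """Candidates for `words` words drawn at random from a known list.

    A dictionary attack guesses whole words, so the number of characters in
    the phrase is irrelevant; only list size and word count matter.
    """
    if wordlist_size < 2 or words < 1:
        raise ValueError("invalid policy")
    return wordlist_size ** words


def entropy_bits(space: int) -> float:
    """Strength of a uniformly chosen secret, in bits."""
    return math.log2(space)


def worst_case_days(space: int, rate: int = ASSUMED_GUESSES_PER_SEC) -> float:
    """Days to try every candidate at the assumed guess rate."""
    return space / rate / 86_400


def min_length_for(alphabet_size: int, target_bits: float) -> int:
    """Shortest random string over the alphabet that reaches `target_bits`."""
    return math.ceil(target_bits / math.log2(alphabet_size))


def random_password(length: int = 20,
                    alphabet: str = string.ascii_letters + string.digits) -> str:
    """Generate a replacement password with the OS CSPRNG, not `random`."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


POLICIES = {
    "8 lowercase, 24-letter alphabet": keyspace(24, 8),
    "8 lowercase, 26-letter alphabet": keyspace(26, 8),
    "8 lowercase, first 3 predictable": keyspace(26, 8, known_chars=3),
    "8 chars from 100 symbols": keyspace(100, 8),
    "12 chars upper/lower/digits": keyspace(62, 12),
    "15 lowercase": keyspace(26, 15),
    "4 random words from assumed list": passphrase_space(ASSUMED_WORDLIST_SIZE, 4),
    "6 random words from assumed list": passphrase_space(ASSUMED_WORDLIST_SIZE, 6),
}


def report():
    """Return (label, keyspace, bits, worst-case days), weakest policy first."""
    rows = [
        (label, space, round(entropy_bits(space), 1), worst_case_days(space))
        for label, space in POLICIES.items()
    ]
    return sorted(rows, key=lambda row: row[1])


if __name__ == "__main__":
    for label, space, bits, days in report():
        print(f"{label:<34} {space:>32,} {bits:>6} bits {days:>22,.1f} days")
    target = entropy_bits(keyspace(100, 8))
    print("lowercase length matching 8 chars from 100 symbols:",
          min_length_for(26, target))
    print("suggested replacement:", random_password())
```

The ordering matters more than the absolute times: four random words land below the 8-characters-from-100-symbols policy, while six random words exceed everything else in the table.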

iadom 27-06-2017 11:13

Re: Virgin Media urges password change over hacking risk
 
I was talking about the original wifi password on the bottom of the router, that uses a combination of only 24 lower case letters. ;)

General Maximus 27-06-2017 11:24

Re: Virgin Media urges password change over hacking risk
 
Quote:

Originally Posted by Kushan (Post 35905091)
10,000,000,000,000,000
vs
1,677,259,342,285,725,925,376

Simply put, for those who are not mathematically inclined, you are looking at a difference of 1x10^16 and 1x10^21. There is a difference of 5 orders of magnitude, which is huge.

pip08456 27-06-2017 11:40

Re: Virgin Media urges password change over hacking risk
 
With the right tools an 8 letter lower (or upper ) case password can be cracked in less than a day.
Using a string of Disney names as posted above would be even quicker.

---------- Post added at 10:40 ---------- Previous post was at 10:33 ----------

Quote:

Originally Posted by Kushan (Post 35905091)
Don't forget, it's case sensitive, so it's more like 48 letters + numbers. 58 vs 62 possible characters isn't quite a big difference.

Having said that, password length will always trump complexity. While I agree the default passwords on routers are possibly not terribly secure, they should be changed regardless.

If you change it to a password that's 15+ characters long, even purely lower case will be more secure than a "complex" 8 character password.

To give an example, if you have an 8 character password to which any of the 8 characters can be one of 100 possible values (26 lowercase + 26 uppercase + 10 numeric + a bunch of symbols, punctuation, spaces, etc.), you'd get 10,000,000,000,000,000 possibilities.

Whereas if you have a 15 character long password of just lower case letters, it's 1,677,259,342,285,725,925,376 possible combinations. Length really does trump complexity.

10,000,000,000,000,000
vs
1,677,259,342,285,725,925,376

Use a passphrase of uppercase and lowercase letters with some punctuation thrown in and nothing will ever brute force it, even with dictionary attacks.

Depends on how many GPUs you have working on it and the time you want to spend.

Hashtopussy is a dangerous tool in the wrong hands.

Kushan 27-06-2017 11:57

Re: Virgin Media urges password change over hacking risk
 
Quote:

Originally Posted by pip08456 (Post 35905111)
With the right tools an 8 letter lower (or upper ) case password can be cracked in less than a day.
Using a string of Disney names as posted above would be even quicker.

---------- Post added at 10:40 ---------- Previous post was at 10:33 ----------



Depends on how many GPUs you have working on it and the time you want to spend.

Hashtopussy is a dangerous tool in the wrong hands.

With enough computing power you can brute force nearly anything, no matter how long and complex it is. The key is not to be the low-hanging fruit.

Also note I'm not advocating purely lower-case passwords, that was just an extreme example to show how much better length is than complexity. I stand by a passphrase is the best form of "password".

pip08456 27-06-2017 12:20

Re: Virgin Media urges password change over hacking risk
 
I know you weren't advocating all lower case but phrases are a no no too. Google Sagitta brutalis. The community I'm involved with have 4 of these and another 64 PCs with at least 2 GPUs. Doesn't take long. Before you ask we do not do it for nefarious reasons.

Gobble 27-06-2017 12:31

Re: Virgin Media urges password change over hacking risk
 
Quote:

Originally Posted by pip08456 (Post 35905111)
Hashtopussy is a dangerous tool in the wrong hands.

Sounds like a bond villain.

JPAC 27-06-2017 12:41

Re: Virgin Media urges password change over hacking risk
 
FYI; jk means just kidding, it was a joke. So long as the password is changed from the VM default and at least 12 characters, not a word(s) in the dictionary, it should be fine.
===
Reputation; JPAC is just really nice;
Etymology: Middle English: nice "foolish, stupid," from early French nice (same meaning), from Latin nescius "ignorant,"
Seems about right. ;)

Kushan 27-06-2017 13:06

Re: Virgin Media urges password change over hacking risk
 
Even a cluster that size will struggle to brute force a decent long passphrase. 15 characters? Sure, probably in hours, but when you get to the likes of 30+ characters then it becomes an issue even at that scale.

That's only really achievable with a passphrase. To be clear, the most secure password is a completely random string of characters, with symbols, letters, numbers (and ideally even unprintable characters :P) however I would argue that this is not the best password. You have to be able to remember a password, or you'll end up writing it down*. That's what I mean when I say "Best" - something that is the correct trade-off between "memorable" and "secure". A pass-phrase with some substitutions is by far the best compromise there.

* Please note that I strongly advocate the use of a password manager for your day-to-day passwords.

pip08456 27-06-2017 13:43

Re: Virgin Media urges password change over hacking risk
 
Quote:

Originally Posted by Kushan (Post 35905146)
Even a cluster that size will struggle to brute force a decent long passphrase. 15 characters? Sure, probably in hours, but when you get to the likes of 30+ characters then it becomes an issue even at that scale.

That's only really achievable with a passphrase. To be clear, the most secure password is a completely random string of characters, with symbols, letters, numbers (and ideally even unprintable characters :P) however I would argue that this is not the best password. You have to be able to remember a password, or you'll end up writing it down*. That's what I mean when I say "Best" - something that is the correct trade-off between "memorable" and "secure". A pass-phrase with some substitutions is by far the best compromise there.

* Please note that I strongly advocate the use of a password manager for your day-to-day passwords.

That's the thing, you understand that but when people say a passphrase is the best it actually isn't unless you actually use substitutions. Without the subs it just becomes a simple dictionary attack and that will be quicker than brute forcing a random string even if your phrase uses the maximum amount of characters.

You also have to be careful what subs you use. e.g. subbing a 4 for the letter A etc is useless; the mask and rule set used in the attack will soon find that. Symbols (AKA special characters) and the odd number thrown in is the way to go as far as a passphrase is concerned.

---------- Post added at 12:43 ---------- Previous post was at 12:39 ----------

Quote:

Originally Posted by tidder23 (Post 35904960)
they could do a man in the middle attack which means they can funnel all your traffic through them

one thing they could do redirecting online banking sites to trick you to give up your information

years ago I used to take over my brother's Facebook account and write stupid messages on his wall

and if you are thinking there is no master hacker living near you
the hacking tools i used was basically a numbered list (press 1 to hack and press 2 to evil laugh)

only thing stopping them is your Wi-Fi password

I don't think you realise what a "Man in the middle" actually is. It is a means to get your wifi password as well as getting everything passing through their connection which will record everything.

Man in the middle is a way of fooling you into thinking you are connecting to your network when you are in fact connecting to another one entirely. If done correctly you wouldn't even know.

Kushan 27-06-2017 13:44

Re: Virgin Media urges password change over hacking risk
 
I think we're basically saying the same thing, we're just debating the terminology more than anything at this rate.

pip08456 27-06-2017 13:45

Re: Virgin Media urges password change over hacking risk
 
Looks like it!:D

Qtx 27-06-2017 14:20

Re: Virgin Media urges password change over hacking risk
 
Brilliant news, as most will change the passwords to something easier to crack :P

There are some good pre-generated dictionaries made especially for cracking certain ISP's WPA2 passwords due to knowing their makeup, meaning many can be cracked in 20 minutes or so.


This is probably known and part of the reason for the actual password request, with the news article just prompting it a bit sooner.


The actual recent hack of the Superhub via a modified settings backup was more interesting.

---------- Post added at 13:20 ---------- Previous post was at 13:11 ----------

Quote:

Originally Posted by pip08456 (Post 35905153)
I don't think you realise what a "Man in the middle" actually is. It is a means to get your wifi password as well as getting everything passing through their connection which will record everything.

Man in the middle is a way of fooling you into thinking you are connecting to your network when you are in fact connecting to another one entirely. If done correctly you wouldn't even know.

You can't be a man in the middle as such when it comes to getting the Wifi password. It is done by passively sniffing what is sent between the client and router because it is sent out for anyone to read, rather than someone being in the middle of the client and router.

Maybe injecting some packets pretending to be the client de-authenticating to force it to send the encrypted password more times so you have more data to use for cracking is used, but that's not MITM either.

Once you are in you can use a device on the network to MITM via ARP poisoning locally or maybe setting a router's DNS to one under your own control, so you can force every website to go through your own rogue server by replying to every DNS request with the rogue server IP, which in turn does the listening before forwarding traffic.

pip08456 27-06-2017 14:46

Re: Virgin Media urges password change over hacking risk
 
Quote:

Originally Posted by Qtx (Post 35905170)

You can't be a man in the middle as such when it comes to getting the Wifi password. It is done by passively sniffing what is sent between the client and router because it is sent out for anyone to read, rather than someone being in the middle of the client and router.

Maybe injecting some packets pretending to be the client de-authenticating to force it to send the encrypted password more times so you have more data to use for cracking is used, but that's not MITM either.

Once you are in you can use a device on the network to MITM via ARP poisoning locally or maybe setting a router's DNS to one under your own control, so you can force every website to go through your own rogue server by replying to every DNS request with the rogue server IP, which in turn does the listening before forwarding traffic.

Seriously???

I won't post the source for obvious reasons.

Quote:

Pwnstar9 for WPA Phishing and Open Hotspots for community testing.


Features

1. Complete control of most aspects of the Rogue AP process. Such as mac spoofing, channels, AP names of various components, 2nd wifi device options and all aspects of internet connection when access thru captive portal.

2. Passive and Active DOS processes all run from only one(1) wifi device supporting packet injection. Passive DDOS allows RogueAP Clones running parallel with Rogue AP and still supporting active DDOS when required.

3. 17 Web Page folders supporting dns spoof and captive portals for both Open Web Sites, WPA Phishing AND WPA Enterprise

4. MITMf and sslslip, sslslip+ and sslstrip are setup thru menu options as required by user.

5. WPA Downgrade added to active DDOS choices available.

6 HTTPS trap to avoid warning to phish

7. Options for use of two(2) wifi devices

You can download the zip which contains a lengthy help file.

and

Quote:

HandShaker uses the aircrack-ng set of tools to automatically detect, deauth, capture and crack WPA/2 EAPOL handshakes:

and

Quote:

-Assisted Handshake capturing
-Wpa/wpa2 decrypting
-DoS
-Wps own pin database, bruteforce&dict attacks, Pixie Dust (all with reaver and bully)
-Evil Twin attacks on 5 different modes (captive portal, sniffing with sslstrip, sslstrip2+BeEF using bettercap, etc).
-Auto-updating (can be disabled).
-etc
Finally
https://en.wikipedia.org/wiki/Evil_t...less_networks)

Qtx 27-06-2017 15:30

Re: Virgin Media urges password change over hacking risk
 
EvilTwin networks have their uses but are a different kind of attack, but generally you don't use them to get a WPA2 password to crack. These days you may use a rogue access point as a way of social engineering someone to enter their router password, via the captive portal and asking for router password via a web page, like Pwnstar can do. The tools mentioned like aircrack, reaver/pixie are the same you would use on a computer rather than an AP. When they are used, no matter where, they are still not MITM attacks. Once connected to the rogue AP, then the SSL strip and such are the MITM attacks.

Even with MAC spoofing and all the other tricks, there are limitations and advances mean not all devices are fooled by rogue APs now. Getting a client to send to a cloned MAC of a network it has connected to before can be difficult. But my original post was getting the right terminology for each attack based on the thread being about WPA2 passwords. Throwing a web page on open network asking for the router password like pwnstar does is hit and miss and I would call social engineering rather than a MITM. Throwing packets on a wifi frequency to capture IVS or WPA handshakes to crack is different, and certainly not MITM.


#IlovemyPineapple

pip08456 27-06-2017 15:46

Re: Virgin Media urges password change over hacking risk
 
You are correct to a point. Reaver, bully and pixiedust are dead in the water as ISPs have to a great extent protected against those forms of attack. Pixiedust was phenomenal in the way it did it, that took only minutes to crack the password. A community Dev just to get the router manufacturers to fill the wide open hole in security.

I'm busy for the next couple of weeks but when I have time I'll tell my neighbour I'm going to test his security and see if he falls for an EvilTwin or MITM attack. He won't mind me doing it but I won't tell him what I'm doing until afterwards. I hope he doesn't have a panic attack!!!

Qtx 27-06-2017 16:02

Re: Virgin Media urges password change over hacking risk
 
Wifiphisher is more up to date than pwnstar but does a similar job. Might be worth you looking at.

Yeah loved the flaw that Pixiedust used to increase the crack speed. Pixie/Reaver can still work with the right timeouts between attempts but slow compared to forcing clients to reconnect and capturing the handshake to crack.

Thanks to power saving modes on computers and laptops, you rarely see them active on a wifi network unless the person is a heavy user. More likely to find smart TVs, android/apple phones and tablets, maybe apple tv and some gaming consoles. Still rare to find many IOT devices checking random networks, allegedly...

Netdiscover is a nice tool to monitor a network to show when devices come online/join the network. Uses ARP packets as its method.

People should really use these tools to check the security of their own networks, especially if you live in flats or a high density area.

Nethunter on a few select mobile phones is good too, although best hooked up to an alfa wifi adapter via OTG Y cable and power block. Same can be done with a Pi but Nethunter has a nice front end for the phone :)
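
The ARP-based monitoring of your own network mentioned in the post above, sketched as an added example (not part of the original post and not Netdiscover's code). It runs over constructed sample observations rather than live traffic; the addresses, the `watch` function and the alert names are all assumptions made for illustration.

```python
"""Passive ARP watcher logic run over constructed observations (no sniffing)."""
from collections import namedtuple

Alert = namedtuple("Alert", "kind ip mac detail")

# Constructed sample: (seconds, sender IP, sender MAC) as read from ARP packets.
SAMPLE = [
    (0, "192.168.0.1", "aa:aa:aa:00:00:01"),    # router (gateway)
    (2, "192.168.0.10", "bb:bb:bb:00:00:10"),   # laptop
    (5, "192.168.0.11", "cc:cc:cc:00:00:11"),   # smart TV
    (60, "192.168.0.10", "bb:bb:bb:00:00:10"),  # laptop again, no change
    (90, "192.168.0.23", "dd:dd:dd:00:00:23"),  # unknown device joins
    (95, "192.168.0.1", "dd:dd:dd:00:00:23"),   # same MAC now claims the gateway IP
]


def watch(observations, gateway_ip, known_macs=()):
    """Return alerts for new devices and for IP-to-MAC bindings that change."""
    known = {m.lower() for m in known_macs}
    ip_to_mac = {}  # last MAC seen for each IP
    alerts = []
    for _ts, ip, mac in observations:
        mac = mac.lower()
        if mac not in known:
            known.add(mac)
            alerts.append(Alert("new_device", ip, mac, "first time this MAC is seen"))
        previous = ip_to_mac.get(ip)
        if previous and previous != mac:
            # A changed binding for the gateway is the classic sign of ARP poisoning.
            kind = "gateway_mac_changed" if ip == gateway_ip else "ip_mac_changed"
            alerts.append(Alert(kind, ip, mac, f"was {previous}"))
        ip_to_mac[ip] = mac
    return alerts


def demo():
    # Assumption: the owner has already listed the MACs of their own devices.
    mine = ["aa:aa:aa:00:00:01", "bb:bb:bb:00:00:10", "cc:cc:cc:00:00:11"]
    return watch(SAMPLE, gateway_ip="192.168.0.1", known_macs=mine)


if __name__ == "__main__":
    for alert in demo():
        print(alert)
```

An `ip_mac_changed` alert on an ordinary client address can simply be a DHCP lease being reused, so the gateway alert is the one worth acting on first.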

pip08456 27-06-2017 16:31

Re: Virgin Media urges password change over hacking risk
 
I know all about those tools you mention but I didn't want to put temptation in the way of users here. That's why I deliberately haven't posted source links.

We are on the same wavelength so you should understand where I'm coming from.

One thing to mention for the rest viewing this discussion.

SKY routers - Yes there is an algorithm that determines the default password.

VM - There is no algorithm known as yet (there has to be one) but there are large lists of default passwords available.

Bottom line, change the default password!

iadom 29-06-2017 19:07

Re: Virgin Media urges password change over hacking risk
 
Down at my daughter's going to try and change her router settings. Does the router have to be connected via ethernet cable to change settings? I have an SH2 but hers is an SH1. Using my iPad brings up a slightly different login screen to the one I get at home. The login page on her router asks for 'settings' password and WPS PIN. Entering the eight letter 'pass phrase' and the eight number WPS pin doesn't allow access?

BenMcr 29-06-2017 21:25

Re: Virgin Media urges password change over hacking risk
 
The settings password is not the wireless passphrase. If it's asking for the WPS PIN as well then it's still the default settings password - 'changeme'

iadom 29-06-2017 21:37

Re: Virgin Media urges password change over hacking risk
 
Thanks Ben, I did eventually work it out and have reset both passwords. :cool:


All times are GMT +1.