Virgin Media broadband users at risk from weak Wi-Fi router security

A study by Which? has highlighted the poor security of some Virgin Media home Wi-Fi routers, leading the ISP to warn 800,000 customers to update their passwords.

Which? was investigating the security of smart home devices when it found that a large number of Virgin Media broadband routers had very insecure default admin passwords of just eight A-Z characters. This made it trivial for SureCloud - the security experts commissioned by Which? - to gain access to the router’s administrator controls.

Getting admin access will grant an attacker total control of your network. Once inside they have free reign to block the internet, intercept data, or even modify the router’s firmware for even more nefarious purposes.

The Virgin Media Super Hub 2 (pictured above) was highlighted as being especially vulnerable, though Virgin admitted that other models of the same age are also affected. As well as changing your password you can also upgrade to the latest Virgin Hub 3 hardware to benefit from improved security, in addition to other features.

How do I change my router password?

To change your admin password you must use the router’s administrator controls. Router admin controls are accessed by navigating to an internal IP address using a web browser. These details will either be provided in the user manual, or printed on a sticker attached to the router itself.

In the case of the Virgin Media Super Hub 2, the default address is http://192.168.0.1, and the default password is found on a sticker.

This problem is not unique to Virgin Media, changing the admin password is something everyone should do. Almost all broadband routers use a simple default password, and often this is identical across every router of the same make or model, which can make a hacker’s job laughably simple.

Note that some routers will only allow you to choose a password, while others may let you modify both the username and password. Since the username is frequently just “admin”, it’s a good idea to update this to something unique as well.

In addition to changing your router admin password, there are some other important security steps everyone should take to protect their home network:

Change the Wi-Fi password

Password protecting Wi-Fi is essential, otherwise neighbours or anyone passing by can jump on your network (and, once connected, could access the admin controls if you’ve not changed the default login). Nowadays any router should be password protected by default, and the Wi-Fi passwords are usually unique to each device, so this at least is not a huge security flaw out of the box. But that default password is probably displayed on a sticker. If you’d prefer not to give Wi-Fi access to anyone who can read, change it to something that’s not printed on the router.

Switch off WPS

Wi-Fi Protected Setup (WPS) is a feature which aims to make Wi-Fi even easier to use by letting WPS compatible devices connect automatically with the press of a button. But WPS is actually a huge security vulnerability as it can allow the Wi-Fi password to be cracked using freely available tools. For this reason, WPS should be disabled.

Disable remote administration

Most home users are not going to need the ability to access their router’s admin controls over the internet. Switch this feature off to prevent outside interference. Your router may also offer the ability to restrict admin access to a wired connection, which means that if anyone wants to mess with your network they’re not only going to need to break your password (which is very strong, right?) but also get inside your home and plug in an ethernet cable.

You’ll find further tips for securing home and business Wi-Fi routers in our guide to Wi-Fi security.