It has been reported that Virgin Media has urged its Virgin Media has told 800,000 customers to change their passwords to protect against being hacked.
An investigation by Which? found that hackers could access the provider’s Super Hub 2 router, allowing access to users’ smart appliances.
It has been argued in the past that Virgin Media password advice is far from ideal- it constrains users to certain characters, whilst making it common/ public knowledge, how the passwords should be structured. IT security experts commented below.
Mark James, Security Specialist at ESET:
“As we embrace more and more IOT and come to expect the ability to connect to anything and everything, no matter where we are, it stands to reason that companies want to make things as easy as possible for the user to embrace quickly and easily. This is where it can fall apart.
Security by design requires effort most of the time; when we get a nice, new shiny device all we want to do is plug it in and expect it to work! When we are presented with instructions to change passwords and even usernames for some, it may seem a little too much effort. But if we want to stay safe, we have to make these changes.
When items are shipped from the manufacturers, they have to use a default username and password to enable anyone to configure it. We must ensure we change that password immediately, and in the best cases we should be forced to change it before we continue.
A good thought process should be along the lines of “any password created by someone else, is a bad password.”
James Romer, Chief Security Architect – EMEA at SecureAuth Corporation:
“Which?’s call for the industry to improve basic security provisions, including requiring customers to create a unique password before use, two-factor authentication, and issuing regular software security updates is not adequate. The way organisations are approaching authentication and securing credentials needs to be rethought for cyber security strategy and investment to have any shot at being successful. Simple two-factor authentication is no longer enough to safeguard against today’s attacks. Pushing forward, organisations are realising they need to adopt a new approach to prevent to misuse of stolen credentials that doesn’t just add an extra step to users authentication process, but instead provides effective protection while providing a good user experience. Modern approaches such as adaptive access control techniques and identity based detection work invisibly to the user but work to protect, detect, and ultimately remediate attacks essentially rendering stolen credentials useless.”
Matthias Maier, Security Evangelist at Splunk:
“Organisations that provide internet connected devices to consumers need to think carefully about how they will overcome the security challenge that will inevitably come with the devices they produce. Suppliers need to think about the responsibility they have for owning the maintenance of a device for its full lifecycle. They need to introduce monitoring for flaws and ensure over-the-air (OTA) updates are available so that their customers are better protected. In this example, individuals are being asked to change their passwords, but human nature tells us that it’s questionable if all of their customers will do it. As a result, it’s likely that vulnerable systems will continue to be available over an extended period of time with hackers inevitably using them for malicious purposes.”
David Emm, Principal Security Researcher at Kaspersky Lab:
“Cybercriminals routinely make use of vulnerabilities, and the case of Virgin Media’s Super Hub 2 router highlights the fact that there are more connected devices than ever before, and therefore, more potential vulnerable devices that can be compromised. There’s no such thing as 100 per cent security, so there’s always a risk that a vulnerability might be found in any device.
If vulnerabilities (the same, or different vulnerabilities) were discovered in other IoT devices, there’s no reason why cybercriminals wouldn’t look to exploit them. The growth of connected devices has been exponential in recent years and people are starting to realise the vast potential of having everyday objects connected to the Internet. However, cybercriminals are too. This is the reason we’re now seeing examples of real world attacks.
The Internet is now woven into the fabric of our lives – literally, in some cases, as connectivity is embedded into everyday objects. Despite the numerous advantages that our everyday, ubiquitous pieces of technology – such as tablets, phones, laptops, cars, smart meters and even children’s toys – provide us, it is precisely this kind of technology that is at increased risk of security breaches. As more and more devices become connected, we’re seeing cybercriminals start to extend their portfolios and exploit vulnerabilities in devices that weren’t previously accessible.
In order to help people protect their lives and loved ones from the risks of vulnerable IoT devices, we advise them to follow several simple rules:
- Make sure that the default username and password are changed; this is the first thing an attacker will try when attempting to compromise your device. Remember that even if it’s a non-smart product, such as a satellite receiver or a network hard drive, the administrative interface might be vulnerable to attack.
- Make sure all your devices are up to date with all the latest security and firmware updates. If it’s not obvious how to check for such updates, you should check with the manufacturer – applying security updates is one of the key things you can do to make it harder for attackers to compromise your device and your home network. This will also tell you if the manufacturer considers it to be an obsolete product.
- Use encryption, even on the files you store in your network storage device. If you do not have access to an encryption tool, you can simply put your files in a password-protected ZIP file – this is not as secure, but it’s still better than not doing anything at all.
- Most home routers and switches have the possibility to set up several different DMZ/VLAN. This means that you can setup your own ‘private’ network for your network devices, which will restrict network access to and from this device.
- If you’re really paranoid you can always monitor the outbound network traffic from these devices to see if there’s anything strange going on, but this does require some technical knowledge.
- Another tip for tech-savvy consumers is to prevent network devices from accessing sites they’re not supposed to access, only allowing them to download updates and nothing else.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.