It has been reported that Virgin Media has told 800,000 customers to change their passwords to protect against being hacked.
An investigation by Which? found that hackers could access the provider’s Super Hub 2 router, allowing access to users’ smart appliances.
It has been argued in the past that Virgin Media's password advice is far from ideal: it constrains users to certain characters while making it common, public knowledge how the passwords should be structured. IT security experts commented below.
Mark James, Security Specialist at ESET:
Security by design requires effort most of the time; when we get a nice, new shiny device all we want to do is plug it in and expect it to work! When we are presented with instructions to change passwords and even usernames for some, it may seem a little too much effort. But if we want to stay safe, we have to make these changes.
When items are shipped from the manufacturers, they have to use a default username and password to enable anyone to configure it. We must ensure we change that password immediately, and in the best cases we should be forced to change it before we continue.
A good thought process should be along the lines of "any password created by someone else is a bad password."
James Romer, Chief Security Architect – EMEA at SecureAuth Corporation:
Matthias Maier, Security Evangelist at Splunk:
David Emm, Principal Security Researcher at Kaspersky Lab:
If vulnerabilities (the same, or different vulnerabilities) were discovered in other IoT devices, there’s no reason why cybercriminals wouldn’t look to exploit them. The growth of connected devices has been exponential in recent years and people are starting to realise the vast potential of having everyday objects connected to the Internet. However, cybercriminals are too. This is the reason we’re now seeing examples of real world attacks.
The Internet is now woven into the fabric of our lives – literally, in some cases, as connectivity is embedded into everyday objects. Despite the numerous advantages that our everyday, ubiquitous pieces of technology – such as tablets, phones, laptops, cars, smart meters and even children’s toys – provide us, it is precisely this kind of technology that is at increased risk of security breaches. As more and more devices become connected, we’re seeing cybercriminals start to extend their portfolios and exploit vulnerabilities in devices that weren’t previously accessible.
In order to help people protect their lives and loved ones from the risks of vulnerable IoT devices, we advise them to follow several simple rules:
- Make sure that the default username and password are changed; this is the first thing an attacker will try when attempting to compromise your device. Remember that even if it’s a non-smart product, such as a satellite receiver or a network hard drive, the administrative interface might be vulnerable to attack.
- Make sure all your devices are up to date with all the latest security and firmware updates. If it’s not obvious how to check for such updates, you should check with the manufacturer – applying security updates is one of the key things you can do to make it harder for attackers to compromise your device and your home network. This will also tell you if the manufacturer considers it to be an obsolete product.
- Use encryption, even on the files you store in your network storage device. If you do not have access to an encryption tool, you can simply put your files in a password-protected ZIP file – this is not as secure, but it’s still better than not doing anything at all.
- Most home routers and switches have the possibility to set up several different DMZs/VLANs. This means that you can set up your own 'private' network for your network devices, which will restrict network access to and from these devices.
- If you’re really paranoid you can always monitor the outbound network traffic from these devices to see if there’s anything strange going on, but this does require some technical knowledge.
- Another tip for tech-savvy consumers is to prevent network devices from accessing sites they’re not supposed to access, only allowing them to download updates and nothing else.
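The last three tips above (a separate VLAN for IoT devices, watching their outbound traffic, and letting them reach only their update servers) can be turned into something concrete. The following is an added example written for this page, not code from the article or from any of the experts quoted. It assumes a hypothetical IoT VLAN (192.168.20.0/24), an invented device inventory and per-device allowlist using documentation address ranges, and a constructed connection-log format of `timestamp src_ip dst_ip dst_port bytes_out`, as a firewall or conntrack export might produce. It flags any IoT device that talks to a destination outside its allowlist or on a port no home appliance should use, totals bytes per device, and renders the same allowlist as nftables forward-chain rules.

```python
"""Added example: outbound-traffic monitoring and allowlisting for IoT devices.

Not part of the article or of any quoted expert's comment. Every address,
device name and log line below is constructed for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Hypothetical IoT VLAN and device inventory (constructed).
IOT_VLAN = ip_network("192.168.20.0/24")
DEVICES = {
    "192.168.20.11": "smart-tv",
    "192.168.20.12": "thermostat",
    "192.168.20.13": "camera",
}

# Per-device allowlist of (network, port) the device may reach, i.e. its
# update servers. The ranges are invented documentation addresses.
ALLOWLIST = {
    "smart-tv":   [("203.0.113.0/24", 443)],
    "thermostat": [("198.51.100.10/32", 443)],
    "camera":     [("198.51.100.20/32", 443)],
}

# Destination ports that should never originate from a home IoT device
# (telnet, SMTP, SMB, RDP): classic signs of scanning, spam or lateral movement.
SUSPICIOUS_PORTS = {23, 25, 445, 3389}


@dataclass(frozen=True)
class Alert:
    device: str
    src: str
    dst: str
    port: int
    reason: str


def parse_line(line):
    """Parse one constructed log record: ts src dst dport bytes_out."""
    ts, src, dst, port, nbytes = line.split()
    return ts, src, dst, int(port), int(nbytes)


def is_allowed(device, dst, port):
    """True if (dst, port) is inside the device's allowlist."""
    for net, allowed_port in ALLOWLIST.get(device, []):
        if ip_address(dst) in ip_network(net) and port == allowed_port:
            return True
    return False


def analyse(lines):
    """Return (alerts, bytes_out_per_device) for the IoT VLAN only."""
    alerts = []
    bytes_by_device = defaultdict(int)
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        _ts, src, dst, port, nbytes = parse_line(line)
        if ip_address(src) not in IOT_VLAN:
            continue  # traffic from other segments is out of scope here
        device = DEVICES.get(src, "unknown-device")
        bytes_by_device[device] += nbytes
        if port in SUSPICIOUS_PORTS:
            alerts.append(Alert(device, src, dst, port, "suspicious port"))
        elif not is_allowed(device, dst, port):
            alerts.append(Alert(device, src, dst, port, "destination not allowlisted"))
    return alerts, dict(bytes_by_device)


def nft_rules():
    """Render the allowlist as nftables forward-chain rules.

    Order matters: per-device accepts first, then a catch-all drop for the
    whole IoT VLAN so anything not explicitly allowed is blocked.
    """
    rules = []
    for ip, device in DEVICES.items():
        for net, port in ALLOWLIST[device]:
            rules.append(f"ip saddr {ip} ip daddr {net} tcp dport {port} accept")
    rules.append(f"ip saddr {IOT_VLAN} drop")
    return rules


# Constructed sample log: two normal update fetches, a camera pushing a lot
# of data to an unknown host and then trying telnet, one non-IoT host, and
# an address on the IoT VLAN that is not in the inventory at all.
SAMPLE_LOG = """\
# ts         src            dst            dport bytes_out
1712000000 192.168.20.11 203.0.113.5   443 51200
1712000010 192.168.20.12 198.51.100.10 443 2048
1712000020 192.168.20.13 192.0.2.77    443 900000
1712000030 192.168.20.13 192.0.2.77    23  64
1712000040 192.168.10.5  192.0.2.9     443 100
1712000050 192.168.20.99 192.0.2.44    443 10
"""

if __name__ == "__main__":
    found, totals = analyse(SAMPLE_LOG.splitlines())
    for a in found:
        print(f"ALERT {a.device} {a.src} -> {a.dst}:{a.port} ({a.reason})")
    print("bytes out per device:", totals)
    print("\n".join(nft_rules()))
```

On the sample data the camera produces two alerts (an unlisted destination, then a telnet attempt to the same host) and the uninventoried 192.168.20.99 produces a third; the host on 192.168.10.0/24 is ignored because the check only covers the IoT VLAN. The byte totals are what you would eyeball for the "anything strange going on" tip: a camera that should only fetch firmware sending 900 kB elsewhere stands out. The rule list is illustrative nftables syntax for a `forward` chain and assumes the router runs nftables; adapt it to whatever firewall the router actually exposes.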