
Virgin urges Super Hub 2 password change

Which? research finds router could be hacked if default password isn't changed

A Which? investigation has found that Virgin Media’s Super Hub 2 router can be hacked in a matter of days if it’s left with the default password that’s printed on the router. In response to our research, Virgin is advising all Super Hub 2 users to change their password to improve their network security.

In our hacking investigation, we targeted a real home that used the Virgin Media Super Hub 2 router for its cable broadband. The user had kept the relatively weak default password: only eight characters long, using just lowercase letters from the a-z alphabet with two letters removed.

Using publicly available hacking tools that can be found on the web, we were able to crack the router password in just a few days. We were also able to log in to the router’s configuration page, since the default password for doing so is shared across all Super Hub 2 devices.


Network hack

As with all home routers, the Virgin Super Hub 2 is a gateway to your home network. Hack this, and you can potentially have access to other devices inside the home.

Following our successful hack of the Virgin router, we were effectively inside the home network and could target other connected devices. In the age of smart devices and the ‘internet of things’, this sort of security vulnerability is particularly concerning.

The good news is that since we made Virgin Media aware of the vulnerability, the company has been quick to respond. Its newer Super Hub 3.0 is far more secure (see more below), and Virgin Media is upgrading customers to this device. But in the meantime, it’s also advising Super Hub 2 owners to change their passwords.

Virgin Media responds

Virgin Media told us that there are approximately 864,000 Super Hub 2 routers in customer homes, although those numbers are falling as more customers are upgraded to the Hub 3.0.

The Super Hub 3.0 uses much stronger passwords than its predecessor. These are, by default, 12 characters long, with a mix of cases and numbers. This has significantly improved security, as confirmed by our own tests. While it took mere days for us to crack the Super Hub 2 password, using the same approach it would take 262m years to breach the Hub 3.

A Virgin Media spokesperson said: ‘The security of our network and of our customers is of paramount importance to us. We continually upgrade our systems and equipment to ensure that we meet all current industry standards.

‘To the extent that technology allows this to be done, we regularly support our customers through advice, firmware and software updates, and offer them the chance to upgrade to a Hub 3.0 which contains additional security provisions.’

If you have a Super Hub 2 in your home, don’t panic. The chances of you being hacked are still, thankfully, very low. However, in response to our findings, Virgin Media has said it will urge customers with a Super Hub 2 to change their default network and router passwords.

Make sure your new password has at least 12 characters, and includes a mix of upper and lower case letters, plus numbers. Find out how to set a new password below.
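The advice above can be checked mechanically. The Python below is an added example, not Which? or Virgin Media code: it audits a candidate passphrase against the recommendation and scales the 262m-year figure down to the Super Hub 2 default format. The alphabet sizes (24 and 62), the equal-guess-rate assumption and all function names are assumptions based on the article's descriptions.

```python
import string

# Default formats as the article describes them. Assumptions: "two letters
# removed" leaves 24 lowercase letters (the article does not say which), and
# "a mix of cases and numbers" means a-z, A-Z and 0-9 (62 symbols).
HUB2_DEFAULT = (8, 24)    # (length, alphabet size)
HUB3_DEFAULT = (12, 62)
HUB3_YEARS = 262e6        # the article's estimate for the Hub 3.0 default


def keyspace(length, alphabet_size):
    """Number of candidates an exhaustive search has to cover."""
    return alphabet_size ** length


def hub2_days_at_hub3_rate():
    """Scale the article's 262m-year figure down to the Hub 2 keyspace.

    Assumes the same guess rate for both routers, so time is proportional
    to keyspace.
    """
    ratio = keyspace(*HUB2_DEFAULT) / keyspace(*HUB3_DEFAULT)
    return HUB3_YEARS * 365.25 * ratio


def audit_passphrase(candidate):
    """Return the reasons a candidate fails the article's advice (empty = OK)."""
    problems = []
    if len(candidate) < 12:
        problems.append("shorter than 12 characters")
    if not any(c in string.ascii_lowercase for c in candidate):
        problems.append("no lowercase letter")
    if not any(c in string.ascii_uppercase for c in candidate):
        problems.append("no uppercase letter")
    if not any(c in string.digits for c in candidate):
        problems.append("no number")
    if len(candidate) == 8 and all(c in string.ascii_lowercase for c in candidate):
        problems.append("same format as the Super Hub 2 default")
    return problems


if __name__ == "__main__":
    # Constructed sample passphrases, not real credentials.
    for sample in ("abcdefgh", "Tr4ilMixLantern9"):
        print(sample, "->", audit_passphrase(sample) or "meets the advice")
    print(f"Hub 2 default at the Hub 3.0 guess rate: "
          f"{hub2_days_at_hub3_rate():.1f} days")
```

Under these assumptions the scaled figure comes out at roughly three days, in line with the "few days" reported for the Super Hub 2 default.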

How to change your Virgin Media Super Hub 2 password

1. Connect your computer to the Super Hub with an ethernet cable.

2. Enter the web address on the Super Hub sticker to access the settings page. Click on ‘Wireless Network Settings’.

3. Enter your new password into the box marked ‘passphrase’.

4. Restart all devices connected to the Super Hub and enter the new wi-fi password to get back online. You can also now disconnect your computer from the Hub.


The settings page also offers additional security features, such as seeing what devices are currently connected to your wi-fi, and the ability to block your wi-fi name from being displayed to anyone snooping in.
