Virgin Router Password Fuss Shows Lack of Priorities

Normally I am quite keen on security. We should be spending more on it. Devices should be more difficult to hack. People should use better passwords. Blah blah. We all agree about this stuff. But I want to ask you a simple question about priorities, and I hope you accept my apologies because I intend to use raw emotion to make an important point. If given the choice, would you prefer to have your broadband router hacked or to be burned alive? Should you worry more about the risks of your home internet being compromised, or the risk that you will not be able to escape a fire? Right now there are parts of the British media reporting that many people live in accommodation which represents an unacceptable fire risk, as tragically highlighted by the Grenfell Tower fire which is assumed to have killed 79 people. Other parts of the British media compete for attention by saying 800,000 broadband customers should change the password on the routers supplied by Virgin Media. And what exactly is the risk if they do not?

A Which? investigation has found that Virgin Media’s Super Hub 2 router can be hacked in a matter of days if it’s left with the default password that’s printed on the router.

Which? is a brand name used by the Consumers’ Association, a UK charity that advocates for consumers. Their experiments demonstrated that Virgin Media routers may be compromised if somebody spends several days trying to hack them. But they failed to explain why anybody, apart from Which?, would go to the trouble to hack somebody’s router.

Following our successful hack of the Virgin router, we were effectively inside the home network and could target other connected devices. In the age of smart devices and the ‘internet of things’, this sort of security vulnerability is particularly concerning.

Hmmm. It was so ‘concerning’ that they did not specify a single genuine concern. Perhaps other journalists could explain the risks, even if the annoyingly-named Which? cannot. This is the BBC’s effort:

Once an attacker has access to your wi-fi network, they can seek out further vulnerabilities.

Ah ha! ‘Further vulnerabilities’ is the danger, is it? Perhaps a techie site like Gizmodo can give a detailed analysis of why security is so important that everybody ‘needs’ to change their password?

…there is an important lesson here. The default username and password on your router are terrible. You need to change them as quickly as possible when you install the hardware.

So the answer to my previous question is ‘no’. Not even techie sites offered examples of the risks that ordinary people might understand. The most useful risk analysis was provided by the Sun, a low-brow tabloid newspaper:

Virgin Media have assured customers that the threat to their information is small, but advise to air on the side of caution.

So in conclusion, let us all act like panicked chickens even though the threat is small. Meanwhile, the government wants to decrypt communications, Western countries sell powerful spying equipment to oppressive regimes, and IMSI-catchers can be disguised as office printers. But apparently we should be worried about some theoretical hacker who wants to know how many hours your daughter spends playing Candy Crush.

The advice given in response to the Which? study is like telling bicyclists to wear a bright jacket when overtaking on an eight-lane motorway, or warning about the health risks of spreading too much salt over a meal of arsenic, cyanide and ricin. Bicyclists are safer if they can be easily seen, and many people have too much salt in their diet. However, the focus of alarmist antics can be wrong, so the information provided does not help people to sensibly appraise the risks they keep taking. Businesses suffer this same defect, pouring management time into decisions about trivial issues whilst steadfastly ignoring much more serious dangers. I once worked at a telco which employed a health and safety manager who wrote a 20-page report on the risks of running a corporate football tournament. His report stated that spectators are less likely to be injured if players did not kick the ball at them, and that the use of communal showers might lead to the spreading of verrucas. On the other hand, I worked at another telco which only held fire drills on the weekend because that caused less trouble than doing them when employees were working. Both businesses were doing a terrible job, because the exaggeration of a trivial risk can be as wasteful and distracting as the failure to address a serious risk. The two faults can often be found together.

There is risk in business just as there is risk in life, but many people struggle to evaluate those risks. They waste time on nonsense if they get paid to do so. They turn a blind eye to grave dangers when they feel they have nothing to gain by responding to them. These people need professional help, and risk management is best done in a systematic fashion, with a strong sense of priorities. The UK is now rehousing thousands of people because of an historic failure to systematically evaluate risk – or because accurate evaluations have now been set aside in favor of a knee-jerk desire to do something. Meanwhile, a British comms provider is encouraging further exaggeration of the chances that their routers will be compromised. Virgin Media is doing this to compensate for choosing passwords that were short and simple.

The only conclusion I can draw is that risk management decisions can no longer be made by ‘ordinary’ people without any oversight. Risk needs to be assessed by objective professionals with the relevant skills, who are motivated to quantify all risks, and hence to weigh them appropriately. Those risk professionals also need to be supervised to stop them from becoming biased. Responsibility must extend from every individual, through the executive team, and ultimately rest with the board of directors, who should have no reason to be biased when comparing different kinds of risk. Constructing this ordered pyramid of risk management would be my priority if I was tasked to make safer, better, and more sustainable industries. Sadly, those priorities are not widely shared.

Eric Priezkalns
Eric Priezkalns
Eric is the Editor of Commsrisk. Look here for more about the history of Commsrisk and the role played by Eric.

Eric is also the Chief Executive of the Risk & Assurance Group (RAG), a global association of professionals working in risk management and business assurance for communications providers.

Previously Eric was Director of Risk Management for Qatar Telecom and he has worked with Cable & Wireless, T‑Mobile, Sky, Worldcom and other telcos. He was lead author of Revenue Assurance: Expert Opinions for Communications Providers, published by CRC Press. He is a qualified chartered accountant, with degrees in information systems, and in mathematics and philosophy.