How to enhance your WiFi security

Protecting your WiFi is so important given the amount we do online these days. We’ve got some great advice to help protect your own and your families’ use of your WiFi network.



How do I secure my WiFi network?

The most common way to protect a WiFi network is to enable the WiFi router's built-in encryption options. Encryption means that the WiFi signal is scrambled so that unauthorised computers and devices are unable to understand the data being transmitted across your WiFi network. The computers and devices you want to be able to access your network are set up so that they can unscramble the WiFi signal – meaning that you can connect to the WiFi network without any problems.

There are several ways to encrypt your router’s signal – WPA2, WPA and WEP. We recommend using WPA2, and this is enabled by default on all Virgin Media Hubs.

WPA2 works on the latest WiFi equipment and operating systems but both WPA and WPA2, combined with a unique passphrase, make it almost impossible for anyone unauthorised to gain access to your WiFi network.

Most WiFi routers, and all Virgin Media Hubs, have a unique WiFi passphrase, to ensure that only you and those you give the passphrase can access your WiFi network.

To improve your security, we recommend you change this to a passphrase only you know. When choosing your new passphrase we recommend at least twelve characters with a mix of upper case, lower case and numbers. It should be unique: not something you use for anything else.

For more information on changing your Hub's WiFi passphrase, see changing your Virgin Media Hub's wireless password

Every WiFi router has a name, or Service Set Identifier (SSID), and this is what you and other users will see when scanning for available WiFi networks. The list of names shown is all the networks your computer or device is able to 'see'.

Every Virgin Media Hub is preconfigured with its own SSID (often found on the underside of the unit), but this can be changed manually after the WiFi router has been set up. If you use the Super Hub – the default SSID is 'virginmediaxxxxxxx', where each 'x' represents a digit. The default SSID for the Super Hub 2 / Super Hub 2ac is VMxxxxxxxx2G or VMxxxxxxxx5G. The default SSID for the Hub 3.0 is VMxxxxxxx.

One way of protecting your WiFi network is to stop the transmission of your SSID. This makes your WiFi network invisible to neighbours and other people might be within its reach. You should be able to connect more people to your network, but they’ll only be able to access it they know the SSID.

Stopping the broadcast of your SSID doesn’t guarantee that your WiFi network is secure, and isn’t a substitute for using a strong encryption method (see above). But it can provide an extra layer of protection. A hacker with WiFi ‘snooping’ software could still pick up on the signal being broadcast by your WiFi router. To disable the broadcast of your WiFi router's SSID, you need to access your WiFi router's administration interface. The details you’ll need are printed on the underside of your router or on the side of the Hub.

For more details on how to disable the broadcast of the SSID see our hide network name help guide.

Most WiFi Hubs have a default username and password that can be used to access a set of administration screens that control the behaviour and operation of the router.

To reduce the chances of anyone other than you accessing this administration interface and changing the router's settings, you’ll need to change the default password.

To set the password for your WiFi router's administration interface, you first need to access the interface using the default username and password, which should be printed on the base of your WiFi router or on the side of the Hub.

For more information on changing your Hub's settings page password, see Changing your Virgin Media Hub's settings page password

This is an advanced security option that allows computers and other devices to connect to a WiFi network – but only if they have an authorised MAC address. This is a series of letters and numbers used to identify network devices. MAC addresses are usually written in pairs, with colons (or sometimes hyphens) as separators. For example, a MAC address could look like this:

04:1F:64:EF:A9:4D

or

04-1F-64-EF-A9-4D

WiFi routers can be instructed to allow connections only from a list of MAC addresses that you supply. To use this method, you need to gather together a list of all the MAC addresses of the computers and devices you wish to authorise on your WiFi network, and enter the details into your WiFi router's administration interface.

To find out how to do this on your Virgin Media Hub, check Setting up MAC filtering on your Virgin Media Hub.

To find out the MAC address of a Windows XP (or later) machine, follow these steps:

  1. Type cmd and click OK.

  2. Type ipconfig /all and press Enter.

  3. Details of each installed adapter will be displayed. Look in the Physical Address section of your WiFi adapter for the MAC address, written in the style above.

To find out the MAC address of a Mac OS X machine, follow these steps:

  1. Go to Mac HD > Applications > Utilities.

  2. Double-click Network Utility.

  3. Choose the network interface that relates to your WiFi connection – if you're using built-in WiFi technology, the option is likely to be labelled AirPort (en1).

  4. Look at the Hardware Address for the MAC address, written in the style above.

To find out the MAC addresses of other WiFi-capable devices, consult the documentation that came with those devices. Some of these devices may have their MAC addresses printed on the case.

As with other security methods, it’s still possible for a hacker to gain access to MAC address-based access control. Nevertheless, each security feature you add protects your WiFi network a little bit more.

Using a firewall helps control the types of data that are permitted to enter and leave your computer and WiFi network. Computers and networks that aren’t protected by firewalls are far less secure than those that are.

A VPN is a virtual private network, that gives you more online privacy and creates an intercept between hackers and your data. What it does is masks your IP address, so your online actions are not traceable.

Every router has software called firmware inside, that sets the security standards for your network. It’s always worth making sure you’ve got your firmware up to date, so that any bugs are fixed, and you’ve got the latest patches. This will keep viruses and hackers away.


What are Virgin Media's encryption options?

The most common way to protect a WiFi network is to enable the WiFi router's built-in encryption options. Encryption means that the WiFi signal is scrambled so that unauthorised computers and devices are unable to understand the data being transmitted across your WiFi network. The computers and devices you wish to authorise are set up so that they can descramble the WiFi signal and hence connect to and use the WiFi network.

(Wi-Fi Protected Access) WiFi networks secured with WPA encryption require the use of a network security key or 'passphrase' (password), made up of letters and numbers. Computers and other devices must use this passphrase in order to connect to the WiFi network.

As the owner of the WiFi network, you may choose your own passphrase when you set up the WiFi network. The more complex and lengthy your passphrase is, the less likely it is that someone unauthorised will be able to access your WiFi network.

When choosing your passphrase we recommend at least twelve characters with a mix of upper case, lower case and numbers. It should be unique: not something you use for anything else.

To use WPA on Windows, you need to use Windows XP Service Pack 2 or later.

WPA2 is an improved version of WPA, and is used by all recent connected devices, including our Broadband kit. Where possible you should always ensure that you’re using WPA2.

If some of your equipment is WPA-compatible and some is WPA2-compatible, your Hub can be set up to allow connections from both types of equipment. This support for WPA/WPA2 is sometimes called 'Dual Mode' or 'Mixed Mode'.

To get the best possible performance through a wireless 'N' or 'AC' connection, you need to use WPA2. If you use an external USB WiFi adapter, it must be plugged in to a USB 2.0 or higher port in order to ensure the best possible performance.

To use WPA2 on Windows, you need to use Windows Vista or later.

(Wired Equivalent Privacy) WEP is much less secure than WPA. We do not recommend the use of WEP, although it is better than not using any WiFi encryption method at all.

WEP requires the use of a 'key' (another term for a password), but it is relatively easy for a hacker to find out what this key is and hence gain access to your network.

Whenever you can, make sure to use WPA or WPA2 instead of WEP.

Note: The Super Hub 2ac and Hub 3 do not support WEP connections.


Broadband security alerts explained

The Virgin Media Internet Security team issue automated communications to customers via letter and email when they have received intelligence to suggest there is vulnerability on the customer’s home network that can be exploited by a remote attacker.

Advice on how to resolve each vulnerability we send communications about are listed on our security hub.

The threat posed to a customer, ourselves as an ISP and 3rd parties vary depending on the vulnerability. Most issues allow for a malicious 3rd party to exploit the vulnerability on the customer’s network to either steal personal information or to use the network to amplify malicious traffic – such as participating in a Denial of Service attack on other Internet users.

If these issues are not resolved immediately, then any personal information on devices using the vulnerable home network could be at risk and in cases where the vulnerability could be used to amplify malicious traffic, it could cause significant issues with Broadband performance and stability as the connection is essentially being flooded with traffic.

In most cases it is down to a misconfiguration on a firewall being used on the home network. If you’re unfamiliar with the concept of a firewall, think of it as a version of airport customs but for your home network – it will only let certain types of wanted traffic to pass in and out.

Unless you have a specific setup configured, your devices will be using the built-in firewall on our Hub 3 or Super Hub routers to filter out any unwanted traffic from entering or leaving your network.

The most common cause behind these vulnerabilities is a port forwarding or port filtering rule that has been setup in the router’s firewall to allow traffic over the vulnerable port(s) from passing to the outside world. Another common cause is a device has been placed in the firewall’s DMZ, this essentially allows the device in question to bypass all firewall settings – any services running on that device that aren’t designed to be exposed beyond your home network will cause a vulnerability.

It is possible, but in most cases no. The majority of the vulnerabilities we issue communications regarding are likely to be caused by a misconfiguration on a firewall/router or a computer running on a home network.

Home network protection

Every communication we issue about a vulnerability will list steps that can be taken to resolve the issue. In most cases the steps require you to login to the Hub 3's or Super Hub’s configuration pages and remove any unneeded port forwarding or filtering rules as well as removing devices from the DMZ.

The DMZ standards for Demilitarised Zone, it’s a feature in most router firewalls, including the Virgin Media Hub 3's and Super Hubs. It allows for any devices placed in the DMZ to bypass all firewall settings. This should only be used in very specific circumstances, such as when a customer wishes to use a device that has its own software firewall configured. If there is a device in the DMZ that is using a service that should not be exposed to the Internet, or it has a flaw in a service it uses – then it can be misused by malicious third parties to commit abuse.

Will resolving these issues stop internet services from working?

No, making changes in the firewall based on the advice we have listed at our security hub will not stop any services from working.

Most of the vulnerabilities we issue communications about are relating to services that are only designed to run on a local network – in other words, they shouldn’t be exposed to the Internet, only the devices running on your home network.


Virgin Media's Blocked Internet Ports

In order to protect our customers and our network, a number of ports on the Virgin Media network are blocked.

Ports on the Internet are like virtual doors that data can pass through. All internet traffic passes through ports to get to and from systems and services across the Internet.

When a certain port is known to be subject to security vulnerabilities, we sometimes block that port on our network.

These ports are blocked at network-level. Traffic over these ports within your home network will continue to operate as normal, but will be inaccessible to devices outside your network.

Blocked ports TCP & UDP ports 135, 137, 138, 139 – Used by the NetBIOS service

NetBIOS services allow file sharing over a local network. When exposed to the Internet, it can be exploited to carry out malicious activities such as Distributed Denial of Service (DDoS) attacks or to gain unauthorised access to systems on a local network.

TCP & UDP port 445 – Used by the SMB protocol

Port 445 is vulnerable to a number of attacks which target vulnerabilities in systems running file-sharing services. This port is used by various malware strains to gain entry to a network, namely the WannaCry and Nimda malware variants.

In most cases no, you will only encounter a problem if you need to access a service that you run on your home network via one of the ports that are blocked on our network.

If this doesn’t sound familiar then you’re very unlikely to be affected, as it is generally only specific to advanced home networks that have been manually configured.

The ports blocked on our network are used by services that are generally not designed for use on the Internet. They can be used on a local network but should not be exposed to the wider Internet.

Using Samba as a file-sharing service for accessing or transferring files to and from devices outside of your local network is unsecure, as there is a risk of your data being intercepted by third parties.

Alongside this, there are a number of known vulnerabilities with services that use port 445 - these can be exploited by third parties to gain unauthorised access to a device.

We recommend using an alternate file-transfer protocol such as the widely used SFTP (SSH File Transfer Protocol).

If you’ve configured a server on your network to run on a port number you’ve chosen yourself, and the port is listed in the Blocked Ports list above, then you will need to reconfigure your system to run on a port that isn’t on the block list shown above. We also recommend you choose a port number that is not used by a widely used service, as this may cause issues with your server’s connectivity. A list of ports and the services they’re used by is available at Wikipedia’s List of TCP and UDP port numbers page.


Why does Virgin Media block certain websites?

Sometimes we’re required to block content, meaning you can’t access certain websites or servers using our broadband service. Blocking access is something that we only do when absolutely necessary.

The Internet Watch Foundation (IWF) is an independent body funded by the European Union and internet service providers such as Virgin Media. Their confidential hotline lets internet users report criminal online content such as child sexual abuse images. Then working with law enforcement, their mission is to eliminate the source of this content. The IWF also works with its internet service provider members (including Virgin Media) to remove access to it.

Working with the IWF not only protects children across the world, but also protects customers from accessing such content.

For more information on the work that IWF do, visit their site.

The use of the internet has changed dramatically over the last few years. Superfast broadband services mean more and more of us are enjoying catch up TV, listening to music or shopping online. Our network can deliver all of these services quickly and easily – but some websites may be acting unlawfully.

We pride ourselves on being a responsible internet service provider. So when we get a Court Order that compels us to block content that is breaking the law, we act on them. This happens when websites or servers offer access to copyright or trademark infringing material and Virgin Media (along with other ISPs in the UK) has to block this access by law.

To find out more information the Court Orders that are currently in place, see List of Court Orders.


Weak security message on Virgin Media Hub 3 when using iOS14

Recently upgraded your iPhone to iOS 14? You may have noticed a message warning of ‘weak security’ when connecting your phone to your WiFi. This is nothing to worry about and your WiFi is still perfectly secure.

Step 1. Enter 192.168.0.1 into your browser Step 2. Enter your admin name and password Step 3. Once signed in, go to Advanced settings > Wireless> Security Select the dropdown next to Security and change it to WPA2-PSK Step 4. Select Apply changes


'Weak Security' on Virgin Media Boosters when using iOS14

Recently upgraded your iPhone to iOS 14 and have a Hub 3?

You may have noticed a message warning of ‘weak security’ on your WiFi connection. This is nothing to worry about and your WiFi is still perfectly secure.

Step 1. Connect a laptop to the Booster using an Ethernet cable.

Step 2. Using your browser, login to Virgin Media Powerline Booster's GUI page.

Step 3. Enter the Settings Password which is printed on the back of the Booster (not your WiFi password).

Step 4. Select Wireless settings then Security.

Step 5. Under 2.4Ghz Wireless security settings, check security. If security is not WPAC-PSK, then drop down and select WPA2-PSK.