on 07-02-2021 14:11
Hi, I'm trying to sort out the iOS14 weak security issue and following the instructions re hub. But the http://192.168.0.1/ comes up as not secure! Plus I can't remember what I changed the password to either. Is there any way I can reset password and why is the website not secure?
on 02-12-2021 20:24
I had the problem myself, this was the first result when I googled, so I assume this post has a lot of traffic. That is why I posted the fix I came across while trying different ways to get rid of it.
on 03-02-2022 06:39
Hi
I too am trying to sort out this weak security issue on Apple products and it seems like no one here has the right help. I think it’s a problem with VM routers.
I’ve called IT support and they don’t even have any knowledge of this issue.
My contract will soon expire. Can’t wait. Never using VM again.
on 03-02-2022 09:46
@Mygod1971 wrote: Hi
I too am trying to sort out this weak security issue on Apple products and it seems like no one here has the right help. I think it’s a problem with VM routers. I’ve called IT support and they don’t even have any knowledge of this issue.
My contract will soon expire. Can’t wait. Never using VM again.
That’s because there’s no issue to fix. It’s just Apple being overzealous about newer WiFi standards.
on 05-02-2022 10:15
Hi @Mygod1971,
I am very sorry to hear you're facing some issues with your Apple devices and are considering leaving us as a result.
Would you mind confirming which Apple device(s) are affected by this issue for you, and what version of iOS you're currently on with said device(s)?
Thanks,
on 05-02-2022 11:53
@Twyst wrote: I beg to differ about your local network being secure. The instant you introduce a device where you haven't set the software up yourself it can never be fully trusted.
'secure' is a relative adjective. The answer to 'is x secure?' is never a binary yes or no. Things can be 'more secure' or 'less secure' but it is never as simple as 'x is secure'.
And where do you draw the line of trust? Writing your own software? Creating your own transistors and processors?
on 05-02-2022 12:06
@Julesfb wrote: But the http://192.168.0.1/ comes up as not secure!
This is the web browser advising you that the router's Web GUI is served up over plain old HTTP, instead of over HTTPS.
The 's' in HTTP used to mean 'Secure Sockets Layer' or SSL. Now it actually means TLS or Transport Layer Security.
SSL or TLS are standards for encrypting protocols like HTTP during transmission. Without SSL or TLS, the web pages you are visiting are transmitted to and from the web server (in this case the hub) in clear text. So that means it is possible that another device or a wire-tap could be used in your network to 'sniff' the data packets and potentially read the password that you are using to sign into the hub.
If the hub was a random website on the wider internet, that would indeed be bad news.
But as the hub sits on your local network and its web GUI is not accessible from the Internet, it's not so much of a problem. It is very unlikely (but not impossible) that there is a device between your computer and your hub that is 'sniffing' packets. Packets that are passed over the air (WiFi) are of course encrypted anyway, although it is possible any other device connected to your WiFi network could 'sniff' them.
It is a bit of a challenge implementing TLS on locally connected devices that are accessed via HTTP. Public Key Infrastructure (PKI) is used to verify that a domain/website you are visiting is really the domain/website it claims to be. The problem is that you can only get certificates 'signed' by a root Certificate Authority so that devices will trust them, if they are publicly available domains. It isn't an 'unsolvable' problem but it does have its challenges and I can fully understand VM providing the hubs without TLS on the WebGUI.
Some of the browser developers and big tech companies are a bit overzealous when it comes to trying to enforce standards. They have their own agenda. Perhaps it is pushing more companies to rely on 'cloud' managed hardware? Who knows.
It's important not to read too much into the lack of TLS on the hub's administration pages. It is not an unreasonable thing for VM to do.
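The distinction drawn in the post above, as an added example that is not part of the original thread: a small Python check that reports, for a device admin URL, whether the page is encrypted in transit, whether the address is local-only, and whether a publicly trusted certificate could be issued for it. The function name, the suffix list and the sample URLs are assumptions made for this example.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed list of name suffixes that only resolve inside a private network.
INTERNAL_SUFFIXES = (".local", ".lan", ".home.arpa", ".internal")


def assess_admin_url(url):
    """Describe how a device admin page at `url` is protected in transit."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if not host:
        raise ValueError(f"no host in URL: {url!r}")
    try:
        # is_private covers RFC 1918, loopback and link-local ranges.
        local_only = ipaddress.ip_address(host).is_private
    except ValueError:
        # Not an IP literal: single-label or internal-suffix names are local.
        local_only = "." not in host or host.endswith(INTERNAL_SUFFIXES)

    encrypted = parts.scheme.lower() == "https"
    if not encrypted:
        browser = "flagged 'Not secure': login is sent as clear text"
    elif local_only:
        browser = "certificate warning unless a private CA is installed on each client"
    else:
        browser = "no warning if the certificate chains to a public CA"

    return {
        "host": host,
        "encrypted": encrypted,
        "local_only": local_only,
        # Public CAs do not issue certificates for private IPs or internal names.
        "public_cert_possible": not local_only,
        "browser": browser,
    }


if __name__ == "__main__":
    # Constructed sample URLs; the first is the hub address from the thread.
    for url in ("http://192.168.0.1/", "https://192.168.0.1/", "https://example.com/"):
        print(url, assess_admin_url(url))
```
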