Millions of internet users could be at risk of hacking attacks due to using outdated routers from their broadband providers, according to a Which?
An investigation by the consumer site found that old equipment provided by internet service providers (ISPs), including EE, Sky, TalkTalk, Virgin Media, and Vodafone, could be putting users at risk of hackers spying on what they are browsing online or even directing them to malicious websites used by scammers.
Which? investigated 13 old router models and found more than two-thirds, nine of them, had flaws that would likely see them fail to meet requirements proposed in upcoming government laws to tackle the security of connected devices.
Because the legislation is not yet in force, the providers aren’t currently breaking any laws or regulations.
Lab testing identified a range of issues with the routers. These security risks could potentially affect around 7.5 million people, based on the number of respondents who said they were using these router models in Which?’s nationally representative survey.
Around six million people within this group of users could be using a router that has not been updated since 2018 or earlier.
This means the devices have not been receiving security updates which are crucial for defending them against cyber criminals.
The problems uncovered by the investigation on the old router models that failed were:
• Weak default passwords, which in certain circumstances could allow a cyber-criminal to hack the router and access it from anywhere;
• a lack of firmware updates, which are vital for both security and performance;
• a local network vulnerability issue with the EE Brightbox 2. This could give a hacker full control of the device, and for example allow them to add malware or spyware, although they would have to be on the network already to attack.
The survey also suggested that 2.4 million users haven’t had a router upgrade in the past five years.
Old BT and Plusnet routers that Which? tested all passed the security tests – researchers didn’t find password issues, a lack of firmware updates or a local network vulnerability with these devices.
Which? contacted the ISPs about the findings, with most responding by saying they monitor for security threats and provide updates if needed.
BT Group told Which? that older routers still receive security patches if problems are found – although Which? did find an unfixed vulnerability on the EE (part of the BT Group) Brightbox 2 router.
Apart from Virgin Media, none of the ISPs that Which? contacted gave a clear indication of the number of customers using their old routers.
Virgin said that it did not recognise or accept the findings of the research and that nine in 10 of its customers are using the latest Hub 3 or Hub 4 routers.
However, Which? said that Virgin was counting just paying account holders, whereas the survey was of anyone using routers within a household.
As part of proposed legislation to tackle unsecure devices, Which? is also calling for the government to ban default passwords and also prevent manufacturers from allowing consumers to set weak passwords that may be easily guessable and hackable.
“Given our increased reliance on our internet connections during the pandemic, it is worrying that so many people are still using out-of-date routers that could be exploited by criminals,” said Kate Bevan, Which? computing editor. “Internet service providers should be much clearer about how many customers are using outdated routers and encourage people to upgrade devices that pose security risks.”
Bevan added: “Proposed new government laws to tackle devices with poor security can’t come soon enough – and must be backed by strong enforcement.”
Recent Stories