An investigation by the UK consumer watchdog Which? found that millions of households have outdated router models with various security flaws. Surprisingly, most of the vulnerable devices were provided by reputable UK internet providers such as EE, Sky, TalkTalk, Virgin Media, and Vodafone.
The research covered three classes of weakness: weak default passwords, a lack of firmware updates, and vulnerabilities reachable from the local network. Which? concluded that users of the affected routers faced serious risks, including having the device taken over, their traffic spied on, or their browsing redirected to malicious websites.
The report coincided with proposed new UK government legislation on the security of connected devices.
Report says users unaware of security risks
The Which? report found that most UK internet users were unaware of the router security risks posed by the outdated equipment provided by their internet providers.
Which? estimated that about 7.5 million people were affected. Around six million homes had routers that had not received a firmware update since 2018 or earlier, and a further 2.4 million households, on seven of the 13 router models examined, had not had an update in the past five years, since 2016.
Which? computing editor Kate Bevan noted that the reliance on outdated routers was concerning given the increasing dependence on the internet during the pandemic.
Which? advised users to discuss with their internet providers about upgrading their outdated routers. The consumer watchdog also urged internet providers to be transparent about their plan to support lasting routers with firmware and security updates.
“Internet service providers should be much clearer about how many customers are using outdated routers and encourage people to upgrade devices that pose security risks,” Bevan said.
Security risks posed by outdated equipment include spying, hacking, and redirecting internet users to malicious websites.
Some older router models also shipped with weak default passwords that are easy for criminals to guess or crack, and they no longer received firmware updates, leaving known flaws unpatched, according to the Which? report.
The consumer watchdog found that two-thirds of the 13 router models supplied by UK internet providers had security weaknesses that would fail the proposed government requirements.
Not every older model failed, however. Which? found no vulnerabilities in some older BT and Plusnet routers, which passed the weak-password, firmware-update and local-network-vulnerability tests.
The report also disclosed a security vulnerability in the EE Brightbox 2 that would give an attacker full control of the device. An attacker with access to the home network could exploit it to install malware on the router.
Internet providers dispute Which? security risk report
Internet service provider BT Group denied supplying vulnerable and outdated routers, claiming that its older router models still received security updates.
However, Which? said it had found an active vulnerability in the Brightbox 2 router supplied by EE, which is part of BT Group.
Virgin Media also rejected the findings, claiming that 90% of its customers were using its latest Hub 3 or Hub 4 routers. Which? countered that Virgin's figure counted only paying customers, not everyone using its routers.
TalkTalk said that old router models accounted for a very small percentage of the devices on its network, and that customers could change their passwords at will.
Plusnet said that it monitored all its routers “for possible security threats and updates with firmware. These updates happen automatically so customers have nothing to worry about.”
Vodafone also disputed the Which? report, saying that all its routers had device-specific passwords. The UK-based telecoms company added that it had stopped supplying the HHG2500 router model in 2019.
Customers still using the HHG2500 would continue to receive firmware and security updates as “long as the device remains on an active customer subscription.”
The company also encouraged users with default passwords to change them using supplied instructions.
“Most of the devices you might deploy today, from new Wi-Fi systems to connected exercise bikes, will automatically update themselves,” says Tim Erlin, VP, product management and strategy at Tripwire. “That’s the level of automation we should expect from consumer devices, but it does put the onus on the vendors to deliver updates in a timely manner.”