Millions of older broadband routers have these security flaws, warn researchers

A new investigation has found that older routers, which aren't regularly upgraded, present some serious security vulnerabilities.
Written by Daphne Leprince-Ringuet, Contributor

Millions of users in the UK could potentially be affected, estimated Which?, as vulnerable routers present an opportunity for hackers.


Millions of households in the UK are using old broadband routers that could fall prey to hackers, according to a new investigation carried out by consumer watchdog Which? in collaboration with security researchers. 

After surveying more than 6,000 adults, Which? identified 13 older routers that are still commonly used by consumers across the country, and sent them to security specialists from technology consultancy Red Maple Technologies. Nine of the devices, it was found, did not meet modern security standards.  

Up to 7.5 million users in the UK could potentially be affected, estimated Which?, as vulnerable routers present an opportunity for malicious actors to spy on people as they browse, or to direct them to spam websites. 


One major issue concerns the lack of upgrades that older routers receive. Some of the models that respondents reported using haven't been updated since 2018, and even in some cases since 2016.  

The devices highlighted for their lack of updates included Sky's SR101 and SR102, the Virgin Media Super Hub and Super Hub 2, and TalkTalk's HG523a, HG635, and HG533. 

Most of the providers, when they were contacted by Which?, said that they regularly monitor the devices for threats and update them if needed.  

Virgin dismissed the research, saying that 90% of its customers are using later-generation routers. TalkTalk told ZDNet that it had nothing to add to the release. 

The researchers also found a local network vulnerability with EE's Brightbox 2, which could let a hacker take full control of the device.  

An EE spokesperson told ZDNet: "We take the security of our products and services very seriously. As detailed in the report, this is a very low risk vulnerability for the small number of our customers who still use the EE Brightbox 2. (…) We would like to reassure EE Brightbox 2 customers that we are working on a service patch which we will be pushing out to affected devices in an upcoming background update." 

In addition, BT Group – which owns EE – told Which? that older routers still receive security patches if problems are found. Red Maple's researchers found that old devices from BT had been recently updated, as had routers from Plusnet. 

The consumer watchdog advised that consumers who are still using one of the router models that are no longer being updated ask their providers for a new device as soon as possible. 

This, however, is by no means a given: while Virgin Media says that it gives free upgrades for customers with older routers, the policy is not always as clear with other providers. 

"It doesn't hurt to ask," said Hollie Hennessy, senior researcher at Which?. "While an internet provider is not obliged to provide you with a new router for free, if you call and explain your concerns you might get lucky, especially if your router is quite old." 

For consumers whose contracts are expiring soon, Hennessy suggested asking for a new router as a condition to stick with a given provider – and consider switching if the request is not met. 

Weak passwords remain a top concern 

On top of being denied regular updates, many older routers were also found to come with weak default passwords, which can be easily guessed by hackers and grant an outsider access.  

This was the case for the same TalkTalk and Sky routers, as well as the Virgin Media Super Hub 2 and the Vodafone HHG2500. 

The first thing to do, for consumers who own one of these models, is to change the password to a stronger one, as opposed to the default password provided, said Which?. 

The organization, in fact, is calling for the government to ban default passwords and to prevent manufacturers from allowing consumers to set weak passwords, as part of new legislation that was proposed last month. 


As part of an effort to make devices "secure by design", the UK's Department for Digital, Culture, Media and Sport has announced a new law that will stop manufacturers from using default passwords such as "password" or "admin", to better protect consumers from cyberattacks. 

The future law would also make it mandatory to tell customers how long their new product will receive security updates for. In addition, manufacturers would have to provide a public point of contact to make it easier to report security vulnerabilities in the products. 

In a similar vein, Which? called for more transparency from internet service providers. The organization said that providers should be more upfront about how long routers will be receiving firmware and security updates, and should actively upgrade customers who are at risk. 

Only Sky, Virgin Media and Vodafone appear to have a web page dedicated to letting researchers submit the vulnerabilities that they found in the companies' products, according to Which?. 
