Millions of Old Broadband Routers in the UK Have Serious Security Flaws
Researchers Warn That Up to 7.5 Million Britons’ Data Is Flowing Through Insecure Routers with Default Passwords and No Updates.
According to a recent Which? investigation, millions of people around the UK could be at risk because they use routers that have security flaws or that are no longer supported with firmware updates.
After surveying over 6,000 adults in December 2020, Which? identified 13 older routers that are still being used by households across the country, and sent them to Red Maple Technologies security specialists. It was found that nine of the devices did not meet modern security standards.
Some of these models haven’t seen an update since 2018 at the latest, and some haven’t been updated since as far back as 2016; this could affect six million users. Without firmware and security updates, there’s no guarantee that security issues will be fixed.
The main issues that were discovered during the investigation include:
Weak default passwords
These passwords can be easily guessed by hackers and could grant them access to the router. This can be done from outside of the home network, so a hacker could access a router from anywhere in the world. Devices affected by this issue include Sky SR101, Sky SR102, TalkTalk HG523a, TalkTalk HG533, TalkTalk HG635, Virgin Media Super Hub 2, Vodafone HHG2500.
Local network vulnerabilities
This could allow a cybercriminal to completely control your device, see what you’re browsing or direct you to malicious websites. Devices affected by this issue include Sky SR101, Sky SR102, TalkTalk HG523a, TalkTalk HG635, TalkTalk HG533, Virgin Media Super Hub, Virgin Media Super Hub 2.
Lack of updates
Besides improving performance, firmware updates are needed to fix security issues when they arise. Most of the analyzed routers hadn’t had a security update since 2018. Devices affected by this issue include EE Brightbox 2.
If you’re using a device that’s no longer being updated, or if you’ve had your router for five years or more and know there are newer models available, you could try to arrange an upgrade.
As part of an effort to make devices “secure by design” and better protect consumers from cyberattacks, the UK Government has announced a new law that will stop manufacturers from using default passwords such as “password” or “admin”, which are often preset in a device’s factory settings and are easily guessable. In addition, “manufacturers will be required to provide a public point of contact to make it simpler for anyone to report a vulnerability”.
Which? requested more transparency from Internet service providers, saying that they should be more straightforward about the amount of time routers will be receiving firmware and security updates and that ISPs should actively upgrade customers who are at risk.