Millions with old routers at risk of being hacked in their homes, Which? warns

Millions of internet users could be at risk of hacking attacks due to using outdated routers from their broadband providers that have security flaws, a Which? investigation has found.

Households across the country are using their home broadband more than ever, to work, educate their children or keep in touch with loved ones.

But many are unaware that old equipment provided by internet service providers (ISPs), including EE, Sky, TalkTalk, Virgin Media and Vodafone, could be putting them at risk of hackers spying on what they are browsing online or even directing them to malicious websites used by scammers.

Which? investigated 13 old router models and found more than two-thirds, nine of them, had flaws that would likely see them fail to meet requirements proposed in upcoming government laws to tackle the security of connected devices. The legislation is not yet in force and so the ISPs aren’t currently breaking any laws or regulations.

The consumer champion’s lab testing identified a range of issues with the routers. These security risks could potentially affect around 7.5 million people, based on the number of respondents who said they were using these router models in Which?’s nationally representative survey.

Around six million people within this group of users could be using a router that has not been updated since 2018 or earlier. This means the devices have not been receiving security updates which are crucial for defending them against cyber criminals.

The problems uncovered by Which?’s lab tests on the old router models that failed were:

  • weak default passwords, which in certain circumstances could allow a cyber criminal to hack the router and access it from anywhere;

  • a lack of firmware updates, which are vital for both security and performance;

  • a local network vulnerability issue with the EE Brightbox 2. This could give a hacker full control of the device, and for example allow them to add malware or spyware, although they would have to be on the network already to attack.

The survey also suggested that 2.4 million users haven’t had a router upgrade in the last five years.

Which? is concerned that many customers are being left using old kit, often with no guarantee of an upgrade, and is encouraging consumers in this position to talk to their broadband provider about getting an upgrade.

In contrast to the other ISPs, the old BT and Plusnet routers that Which? tested all passed the security tests – researchers didn’t find password issues, a lack of firmware updates or a local network vulnerability with these devices.

When Which? contacted the ISPs with its findings, most of them said that they monitor for security threats and provide updates if needed. BT Group told Which? that older routers still receive security patches if problems are found – although Which? did find an unfixed vulnerability on the EE (part of the BT Group) Brightbox 2 router.

Aside from Virgin Media, none of the ISPs Which? contacted gave a clear indication of the number of customers using their old routers. Virgin said that it did not recognise or accept the findings of the Which? research and that nine in 10 of its customers are using the latest Hub 3 or Hub 4 routers. However Which? notes that Virgin was counting just paying account holders, whereas Which?’s survey was of anyone using routers within a household.

Which? believes that ISPs should be more upfront about how long routers will receive firmware and security updates – one of the requirements of proposed government laws to tackle unsecure devices – and encourage people to upgrade devices that are at risk.

As part of the government’s proposed legislation to tackle unsecure devices, Which? is also calling on the government to ban default passwords and to prevent manufacturers from allowing consumers to set weak passwords that may be easily guessable and hackable.

The consumer champion also believes broadband providers should be ready to respond when security researchers warn them about possible issues – and should make it easy for researchers to contact them. Only Sky, Virgin Media and Vodafone appeared to have dedicated web pages for this.

Consumers with routers that are five years old or more should ask their provider whether the device is still supported with security updates and, if it is not, they should ask for an upgrade.

Kate Bevan, Which? Computing editor, said:

“Given our increased reliance on our internet connections during the pandemic, it is worrying that so many people are still using out-of-date routers that could be exploited by criminals.

“Internet service providers should be much clearer about how many customers are using outdated routers and encourage people to upgrade devices that pose security risks.

“Proposed new government laws to tackle devices with poor security can’t come soon enough – and must be backed by strong enforcement.”

Notes to editors

  • Opinium on behalf of Which? carried out a nationally representative survey of 6,026 UK adults aged 18+, conducted in December 2020.

  • Working with security specialist Red Maple Technologies, Which? tested commonly used legacy routers to identify security risks.

Further details on Which?’s testing:

Weak passwords – devices affected:

  • TalkTalk HG533

  • TalkTalk HG523a

  • TalkTalk HG635

  • Virgin Media Super Hub 2

  • Vodafone HHG2500

  • Sky SR101

  • Sky SR102

Lack of updates – devices affected:

  • Sky SR101

  • Sky SR102

  • Virgin Media Super Hub

  • Virgin Media Super Hub 2

  • TalkTalk HG523a

  • TalkTalk HG635

  • TalkTalk HG533

Network vulnerabilities – devices affected:

  • EE Brightbox 2

The three routers that passed the security tests:

  • BT Home Hub 3B

  • BT Home Hub 4A

  • BT Home Hub 5B

  • Plusnet Hub Zero 2704N

Further details on Which?’s lab tests

  • A significant problem uncovered by Which?’s lab tests on the old router models was weak default passwords – with more than half (seven out of 13) of the old routers having this flaw that could allow a cyber criminal to hack the router and access it from anywhere. This issue affected TalkTalk, Virgin Media, Vodafone and Sky models.

    A lot of consumers leave default passwords unchanged on their equipment because they are not aware of the security risks of doing so, potentially leaving them exposed to hackers.

  • Another issue exposed by the lab tests was a lack of firmware updates, which are vital for both security and performance. More than half (seven out of 13) of the routers had not been updated since 2018, and for some the last update went as far back as 2016.

  • Which? also found a local network vulnerability issue with the EE Brightbox 2, which has not yet been fixed.

New cyber security laws to protect smart devices amid pandemic sales surge – 21 April

The government is planning a new law to make sure virtually all smart devices meet new requirements:

  • Customers must be informed at the point of sale the duration of time for which a smart device will receive security software updates

  • A ban on manufacturers using universal default passwords, such as ‘password’ or ‘admin’, that are often preset in a device’s factory settings and are easily guessable

  • Manufacturers will be required to provide a public point of contact to make it simpler for anyone to report a vulnerability.

Which?’s advice on how to change your router password: which.co.uk/routerpasswd.

Rights of reply

BT Group (BT and EE)

“The vast majority of our customers are using our award winning BT Smart Hub 2 or EE Smart Hub.

“We want to reassure customers that all our routers are constantly monitored for possible security threats and updated when needed. These updates happen automatically so customers have nothing to worry about. If a customer has any issues, they should contact us directly and we will be happy to help.”

Virgin Media

A Virgin Media spokesperson said:

“We do not recognise or accept the findings of the Which? research – nine in ten of our customers are using the latest Hub 3 or Hub 4 routers. The safety and security of our customers is always a top priority and we have robust processes in place to protect them by rolling out security patches and firmware updates as well as issuing customer communications where necessary.”

TalkTalk

“These routers make up a very small proportion of those in use by our customers. Customers using all of these routers can change their passwords easily at any time.”

Plusnet

“We want to reassure customers that all our routers are constantly monitored for possible security threats and updates with firmware. These updates happen automatically so customers have nothing to worry about. If a customer has any issues, they should contact us directly and we will be happy to help.”

Sky

Sky did engage with Which? on its findings but did not provide a comment.

Vodafone

“All new Vodafone routers have device specific passwords. Vodafone stopped supplying the HHG2500 router to customers in August 2019. Customers who still have the HHG2500 router will continue to receive firmware and security updates as long as the device remains on an active customer subscription. Customers who haven’t already changed their password should do so, following these instructions.” – A Vodafone spokesperson

About Which?

Which? is the UK’s consumer champion, here to make life simpler, fairer and safer for everyone. Our research gets to the heart of consumer issues, our advice is impartial, and our rigorous product tests lead to expert recommendations. We’re the independent consumer voice that influences politicians and lawmakers, investigates, holds businesses to account and makes change happen. As an organisation we’re not for profit and all for making consumers more powerful.

The information in this press release is for editorial use by journalists and media outlets only. Any business seeking to reproduce information in this release should contact the Which? Endorsement Scheme team at endorsementscheme@which.co.uk.