Millions of Brits could be at risk of cyberattacks due to poor default passwords and a lack of firmware updates

Millions of Brits use Wi-Fi routers that contain various security flaws and may put them at risk of cyberattacks, an investigation by British consumer watchdog Which? has found.

Together with Red Maple Technologies, Which? looked at 13 commonly used older router models offered by various British internet service providers (ISPs) and found that over half of them didn’t meet the security standards of today. The main issues affecting routers supplied by ISPs such as Virgin, EE, Sky, TalkTalk, and Vodafone were weak default passwords, local network vulnerabilities, and the lack of firmware updates to patch security loopholes.

“Some of these models haven’t seen an update since 2018 at the latest, and some haven’t been updated since as far back as 2016, which could affect 6 million of these users. Without firmware and security updates, there’s no guarantee that security issues will be fixed,” wrote Hollie Hennessy, Senior Researcher at Which?. Weak default passwords and a lack of firmware updates affected seven devices in total, while local network vulnerabilities were found to affect just one.

A router that has an easy-to-guess and/or default password could grant malicious actors a way into your home network and the devices connected to it. You should always replace your router’s default username and password with a strong and unique password or passphrase.

Meanwhile, routers that have out-of-date firmware often contain easily exploitable vulnerabilities. If your router doesn’t receive firmware updates to plug such security flaws, you are best off arranging an upgrade of your device with your ISP or buying an aftermarket device.

When it comes to exploiting local network vulnerabilities, a hacker would have to be in close vicinity to exploit a device; however, if successful, they could completely take over the device, observe your browsing habits or even direct you to compromised websites.

On the bright side, some routers, namely some offered by BT and Plusnet, didn’t suffer from any of the aforementioned lapses in security. The full list of the routers tested is available on the website of the consumer watchdog.

Which? contacted the ISPs with the findings of its investigation. While BT Group said that its older routers would receive updates if they were found to be affected by security issues, its EE Brightbox router has a vulnerability that remains unfixed. Meanwhile, Virgin Media “did not recognize or accept” the consumer watchdog’s findings, saying that nine in ten of its customers were using its latest routers.

Same old story

Overall, the study’s results bring echoes of some other studies, including the Home Router Security Report 2020 by Germany’s Fraunhofer Institute last year, a test by Independent Security Evaluators in 2019, and a review by the American Consumer Institute in 2018.

Router security has been a perennial problem, and it has become an especially important consideration since the COVID-19 pandemic forced most professionals to work from outside the generally much safer confines of the office. To mitigate the chances of your router and connected devices getting compromised by cybercriminals, you can refer to our article focusing on tips for boosting your router security. While you’re at it, you might want to go over our recommendations for reviewing your router’s configuration settings.