Consumer advisory firm Which? has warned that millions of Brits continue to use old and unsecured Wi-Fi routers, vulnerabilities in which could be exploited by hackers to steal their personal data or to spy on their online activities.
The consumer firm investigated thirteen Wi-Fi routers supplied by internet service providers like EE, Sky, TalkTalk, Virgin Media and Vodafone to Brits across the UK, and found that nine of them featured flaws that could be exploited by hackers to spy on users’ online activities or to redirect them to malicious websites used by scammers.
Which? said these routers would fall foul of the UK’s upcoming legislation on the security of connected devices. The routers potentially affect around 7.5 million people, of whom 6 million are using a router that has not been updated since 2018 or earlier.
Security flaws discovered by Which? in the nine router models included the use of weak default passwords by ISPs, a lack of firmware updates, and a network vulnerability in the EE Brightbox 2 router that hackers could exploit to gain full control of the device and add malware or spyware.
While Which? did not identify any security vulnerabilities in old BT and Plusnet routers, such as Hub 3B, Hub 4A, Hub 5B, and Plusnet Hub Zero 2704N routers, flaws were identified in routers supplied by the likes of Virgin Media, Sky, TalkTalk, and Vodafone.
For instance, routers like Vodafone HHG2500, Sky SR101, Sky SR102, TalkTalk HG533, TalkTalk HG523a, TalkTalk HG635, and Virgin Media Super Hub 2 were found to use weak default passwords. These devices, except Vodafone HHG2500, also suffered from a lack of security or performance updates.
While Sky did not comment on Which?’s findings, TalkTalk said the affected routers formed a tiny proportion of those in use at present, Plusnet said all Wi-Fi routers are regularly updated with firmware and monitored for security threats, and Vodafone said the HHG2500 router was last supplied to customers in August 2019 but will continue to receive updates as long as they are on an active customer subscription.
Virgin Media, however, refused to accept Which?’s findings. “We do not recognise or accept the findings of the Which? research – nine in ten of our customers are using the latest Hub 3 or Hub 4 routers. The safety and security of our customers is always a top priority and we have robust processes in place to protect them by rolling out security patches and firmware updates as well as issuing customer communications where necessary,” it said. According to Which?, Virgin Media took into account only paying account holders, whereas the Which? study was based on anyone using routers within a household.
“Given our increased reliance on our internet connections during the pandemic, it is worrying that so many people are still using out-of-date routers that could be exploited by criminals,” said Kate Bevan, Which? Computing editor.
“Internet service providers should be much clearer about how many customers are using outdated routers and encourage people to upgrade devices that pose security risks. Proposed new government laws to tackle devices with poor security can’t come soon enough – and must be backed by strong enforcement.”
Last year, Digital Minister Matt Warman said the government would introduce new legislation that would put the onus of making IoT devices secure from cyber attacks on the manufacturers of such devices.
The new legislation is expected to make it mandatory for IoT device manufacturers to ensure that device passwords will be unique and not resettable to any universal factory setting, to provide a public point of contact so anyone can report a vulnerability and it will be acted on in a timely manner, and to explicitly state the minimum length of time for which the device will receive security updates at the point of sale, either in store or online.
“We want to make the UK the safest place to be online with pro-innovation regulation that breeds confidence in modern technology. Our new law will hold firms manufacturing and selling internet-connected devices to account and stop hackers threatening people’s privacy and safety. It will mean robust security standards are built in from the design stage and not bolted on as an afterthought,” said Warman.