Millions around the UK could be at risk of using routers with security flaws, a Which? investigation has found.
In December 2020 we conducted a survey of more than 6,000 UK adults, asking them which routers they’re using at home. We found millions could be using devices over five years old that are no longer being supported with firmware updates.
We sent a selection of the most commonly used old devices to security specialists, Red Maple Technologies, to find out just how secure they are, and discovered issues with more than half, from ISPs such as Virgin, Sky, TalkTalk, EE and Vodafone.
This could potentially affect up to 7.5 million Brits, based on our survey.
Some of these models haven’t seen an update since 2018 at the latest, and some haven’t been updated since as far back as 2016, which could affect 6 million of these users. Without firmware and security updates, there’s no guarantee that security issues will be fixed.
Routers might sit in the corner of the room collecting dust, but they’re a vital part of everyday life, especially as we now need the internet more than ever to work, shop and stay in touch with loved ones. Read on to find out if you’re affected, and what to do next.
Security flaws found in Which? tests
We focused our research on 13 older router models that are still being used, and most of them did not meet modern security standards. The main issues were:
- Weak default passwords – These passwords can be easily guessed by hackers, are common across devices and could grant someone access. This can be done from outside of the home network, so a hacker could access a router from anywhere in the world.
- Local network vulnerabilities – While the risk here is lower as a hacker would have to be in the vicinity of the router, vulnerabilities like this could allow a cyber criminal to completely control your device, see what you’re browsing, or direct you to malicious websites.
- Lack of updates – Firmware updates aren’t only important for performance, they’re also needed to fix security issues when they arise. Most of the routers we looked at had not seen a security update since 2018 at the latest, with no guarantee of a new one in the near future.
The routers on test weren’t all bad, though. Old devices from BT and Plusnet had been recently updated and we didn’t find any unfixed vulnerabilities or weak default passwords.
If you have one of the below routers, we’d recommend asking your provider for an upgrade as soon as you can.
Weak passwords – devices affected:
- TalkTalk HG533
- TalkTalk HG523a
- TalkTalk HG635
- Virgin Media Super Hub 2
- Vodafone HHG2500
- Sky SR101
- Sky SR102
Lack of updates – devices affected:
- Sky SR101
- Sky SR102
- Virgin Media Super Hub
- Virgin Media Super Hub 2
- TalkTalk HG523a
- TalkTalk HG635
- TalkTalk HG533
Local network vulnerabilities – devices affected:
What to do if you’re affected
If you own one of the routers listed with weak default passwords, the first thing you should do is change it. Our guide on changing router passwords can help. And for tips on setting a good replacement, read our guide to creating secure passwords.
If you’re using a device that’s no longer being updated, or if you’ve had your router for five years or more and know there are newer models available, you could try to arrange an upgrade.
How easy this is to do depends on your situation, and your internet provider. When we asked, only Virgin Media said it gives free upgrades – customers with older routers can request a new one through the Connect app.
Other providers may offer you a new model at a cost – a single upfront payment, or in the case of Sky, you can sign up for Sky Broadband Boost, which involves a rolling £5 monthly payment and among other benefits, will get you upgraded to the latest router.
If you want a new router and you’re in contract
It doesn’t hurt to ask. While an internet provider is not obliged to provide you with a new router for free, if you call and explain your concerns you might get lucky, especially if your router is quite old.
If you’re not able to get a free upgrade, find out what your options are to work out your best next step, and in the meantime, make sure you change your default router password if you feel it’s not strong enough.
If you want a new router and you’re out of contract
When your contract expires you have a number of options – not least threatening to leave. If you want to stay with your provider, say you’ll recontract with them if they provide you with a new router. If your router is old and they refuse, you should seriously consider switching.
A new contract with a new provider should afford you their latest equipment, which includes a new router. This can also save you money – in a recent survey of more than 2,000 broadband customers, 19% were likely to be out of contract and at risk of overpaying. And if you’re on standard broadband, an upgrade to fibre broadband will get you faster speeds, and greater reliability.
Which? calls for more transparency from ISPs
We think it’s unacceptable that customers are being left on old, unsupported kit – our research suggests that up to 2.4 million UK adults haven’t had a new router in the last five years. ISPs should be far more upfront about how long routers will be receiving firmware and security updates, and they should actively upgrade customers who are at risk.
We went to the ISPs with our findings, and most told us they would monitor devices for security threats, updating them if needed. However, there’s no guarantee. BT Group told Which? that older routers still receive security patches if problems are found, but the EE Brightbox 2 has a security vulnerability which is unfixed.
Aside from Virgin Media, none of the ISPs Which? contacted gave a clear indication of customers using their old routers. Virgin said that it did not recognise or accept the findings of the Which? research and that nine in ten of its customers are using the latest Hub 3 or Hub 4 routers. However, our survey was of all those using or with devices connected to the router, rather than just the paying account holders.
Companies should also have a clear point of contact for researchers, like Which?, to let them know of vulnerabilities so they can be fixed. Only Sky, Virgin Media and Vodafone appeared to have dedicated web pages for this.
As part of the proposed legislation to tackle unsecure devices, Which? is also calling for the government to ban default passwords and prevent manufacturers from allowing consumers to set weak passwords that may be easily guessable and hackable.