Wi-Fi wireless internet router on dark background 3d

Millions put at risk by old, out of date routers

Since the first stay-at-home measures were imposed by governments to keep everyone safe from the worsening COVID-19 pandemic, we at Malwarebytes have been making sure that you, dear reader, are as cyber-secure as possible in your home network, while you try to work and while your children attend online classes.

There has been much discussion of antivirus protection, patching your software, and using VPNs. But what if the security flaws aren’t in your phones or laptops, but the router your ISP gave you?

Which?, a consumer watchdog in the UK, recently released its findings about routers issued by UK Internet Service Providers (ISPs). Based on its assessment, it reckons that at least two million Britons are at risk from routers that haven’t been updated since 2016. This alone seems to go against the Secure by Design proposal, an already-drafted law that gives power to the Department of Culture, Media, and Sports (DCMS) to order tech makers (phone, tablet, IoT) to be transparent about when they’ll stop providing security updates to their new devices from launch.

Granted, the Secure by Design hasn’t been made law yet, so the ISPs aren’t breaking any regulations. However, it seems preposterous to think that companies would have to wait to be mandated before they start caring about their customers’ security and privacy.

Router flaws found by Which?

Which? has looked into routers provided by EE, Sky, TalkTalk, Virgin Media, and Vodafone. Based on 13 router models it tested, the watchdog found that two-thirds—9 routers out of the 13—had flaws that, if the Security by Design law were in effect, would easily mark these providers as non-compliant. Below are the old router vulnerabilities Which? found:

* Weak default passwords. These passwords can be easily guessed by hackers, are common across devices and could grant someone access. This can be done from outside of the home network, so a hacker could access a router from anywhere in the world.

* Local network vulnerabilities. While the risk here is lower as a hacker would have to be in the vicinity of the router, vulnerabilities such as this could allow a cybercriminal to completely control your device, see what you’re browsing or direct you to malicious websites.

* Lack of updates. Firmware updates aren’t only important for performance, they’re also needed to fix security issues when they arise. Most of the routers we looked at hadn’t had a security update since 2018 at the latest, with no guarantee of a new one in the near future.

The consumer body is concerned that many UK internet users are using old router models with no guarantee of an upgrade, thus making them “low hanging fruits” for criminal hackers to target. With its findings, Which? encourages customers of UK ISPs mentioned in the report to contact their provider and ask about potentially getting a router upgrade.

Although one of the companies that Which? contacted is using old routers, they said that they continue to monitor for threats and provide updates if needed. Despite this claim, Which? did find an unpatched vulnerability on one of the routers it tested. This could suggest that, although ISPs are doing what they can to patch flaws, it’s likely that they’d miss a few holes.

Virgin Media, one of the ISPs, didn’t accept the testing results from Which?, telling the BBC that “nine in 10 of its customers are using the latest Hub 3 or Hub 4 routers.” However, Which? Noted that Virgin only considered the number of paying households, whereas the testing counted each member of the household.

A wake up call to ISPs

Which? is a proponent of ISP transparency with regard to routers receiving firmware and security updates, a requirement of the Secure by Design proposal. The company also calls for the government to ban the use of default passwords, or ISPs allowing users to set weak passwords on their routers.

This is a good move. Although convenient, setting a weak password isn’t going to strengthen anyone’s security. On top of that, ISPs allowing users to always take the convenient and insecure route misses a good opportunity to educate their customers on good computer—and password creation and management—practices.

“Given our increased reliance on our internet connections during the pandemic, it is worrying that so many people are still using out-of-date routers that could be exploited by criminals.” says Kate Bevan, computer editor for Which?, in a press release. “Proposed new government laws to tackle devices with poor security can’t come soon enough – and must be backed by strong enforcement.”

Lastly, Which? calls for UK ISPs to “be ready to respond when security researchers warn them about possible issues – and should make it easy for researchers to contact them.”

Is your router secure?

Many households rely heavily on their routers, for working from home, studying, or simply keeping in touch with friends and families during these tough times. Sure, you may have been using it for years and you haven’t been hacked yet—”to the best of your knowledge”—but you shouldn’t take comfort in this for long. Now is a good time as any to focus on securing your router.

Using routers that can’t be patched if a serious vulnerability appears increases your risk of being exposed to attacks, and increases the risks for everyone else too. Routers are computers like any other and (as the Mirai botnet showed) they can be compromised and added to a botnet like any other.

So, the best way to stay safe is to make sure you’re using your ISPs latest router. 

Whatever router you’re using, be sure to change the default password if it had one. These are known to criminals and there are vast lists of default passwords circulating on the Internet for anyone to read. For more steps to take, Which? has a section on what to do if you’re affected by the routers mentioned in its lab tests.