Millions of homes could be using outdated router software vulnerable to hackers

The organisation found that old equipment provided by some of the largest internet service providers (ISPs), including EE, Sky, TalkTalk, Virgin Media and Vodafone, could be putting users at risk of cyber attacks. This includes the ability for hackers to spy on what they are browsing online or even directing them to malicious websites used by scammers.

Compromised routers can also be enrolled in botnets by hackers and used to carry out DDoS attacks on internet services.

The investigation covered 13 old router models and found that nine of them had flaws that would likely see them fail to meet requirements proposed in upcoming government laws to tackle the security of connected devices. The legislation is not yet in force and so the ISPs aren’t currently breaking any laws or regulations.

Which? said the security risks could potentially affect around 7.5 million people, based on the number of respondents who said they were using the older router models.

Around six million people within this group of users could be using a router that has not been updated since 2018 or earlier.

Problems uncovered include weak default passwords, which could allow a cyber criminal to hack the router and access it remotely, a lack of security firmware updates, and a local network vulnerability issue with the EE Brightbox 2 that could give a hacker full control of the device.

The survey of 6,026 UK adults also suggested that 2.4 million users haven’t had a router upgrade in the last five years.

Aside from Virgin Media, none of the ISPs Which? contacted about the issue gave a clear indication of the number of customers using their old routers.

Virgin said that it did not recognise or accept the findings of the Which? research and that nine in 10 of its customers are using the latest Hub 3 or Hub 4 routers.

Which? Computing editor Kate Bevan said: “Given our increased reliance on our internet connections during the pandemic, it is worrying that so many people are still using out-of-date routers that could be exploited by criminals.

“Internet service providers should be much clearer about how many customers are using outdated routers and encourage people to upgrade devices that pose security risks.

“Proposed new government laws to tackle devices with poor security can’t come soon enough – and must be backed by strong enforcement.”