On 6 May 2021 the not-for-profit consumer choice group Which? released the results of an investigation that found numerous older routers weren’t secure, potentially putting millions of people at risk of cyber-attack.

Which? looked at 13 router models from Internet Service Providers (ISPs) like EE, Sky and Virgin Media, and found security issues with nine of them that would probably see them fail to meet the requirements of a proposed new law to help reduce attacks on internet-connected devices.

Which? estimate that about 7.5 million people could be affected by these security issues, and that about 6 million may be using a router that hasn’t been updated since 2018.

What security issues have been discovered?

The main issues Which? found were:

  • Routers using weak default passwords: weak passwords can be attacked using a range of methods, and continuing to use a default password (i.e. the one set on the device in the factory) allows any attacker who knows it to access every device still using it.
  • Routers not receiving software or firmware updates: over time, issues and weaknesses are found in software that are corrected with updates. If updates are not provided or installed, these vulnerabilities will remain available for attackers to exploit.
  • A vulnerability on the EE Bright Box 2: a specific issue with this router allowed an attacker that already had local network access (e.g. by compromising the Wi-Fi or by plugging in a cable) to gain full control of the router.

These are serious issues that could allow attackers to access routers and change settings or interfere with normal usage.

With so many people working from home and accessing work systems and data remotely, it’s not just online shopping or personal banking that could be affected (though of course that is bad enough), but businesses too.

Which systems are affected?

The following routers were found to have issues:

  • EE: Bright Box 2 (local network vulnerability)
  • Sky: SR101 and SR102 (weak password and lack of updates)
  • TalkTalk: HG523a, HG533 and HG635 (weak password and lack of updates)
  • Virgin Media: Super Hub (lack of updates) and Super Hub 2 (weak password and lack of updates)
  • Vodafone HHG2500 (weak password)

Several routers passed all the security tests, including:

  • BT: Home Hub 3B, 4A and 5B
  • Plusnet: Hub Zero 270N

What’s the new law about?

The UK is planning new legislation to improve the security of ‘Internet of Things’ (IoT) devices like smart speakers (e.g. Amazon Echo and Google Home) and smart home appliances (e.g. Nest thermostat and Ring doorbell). The law, together with the seven-month consultation with the NCSC, is designed to:

  • Avoid the use of default passwords; all internet-connected devices require a unique password
  • Allow anyone to report a vulnerability in an internet-connected device to a public point of contact
  • Ensure manufacturers clearly state the minimum period of time for which security updates will be provided

The legislation is not yet in force, so in this case the ISPs have not failed to meet any legal or regulatory requirements, but probably would do were it in force.

Recommended actions

  1. Check the password in use on your router. This issue relates to the ‘admin’ password: this is the password you need to enter to access the settings on the router. It might be printed on a sticker on the back or bottom of the router. If you are using the default password, change it! There is advice on choosing, managing and storing strong passwords in our Think IT Insights password article.
  2. If you’re using one of the routers that hasn’t recently had updates, contact your ISP to see if you can swap it for one that will.
  3. If you need any help or advice, just get in touch with us and we’ll do our best to help.
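The two issues that affect most of the routers above (a factory-default or weak admin password, and firmware that has not been updated for years) can be turned into a simple self-check. The script below is an added example written for this article; it is not code from Which?, from any ISP, or from Think IT. It assumes you have already read the admin password and the firmware build date from your router’s settings page, and the list of default-style passwords it uses is a small constructed sample, not a real vendor list.

```python
"""Router hygiene self-check (added example; not from the Which? report or Think IT).

Assumptions, all constructed for illustration:
  - The admin password and firmware build date are read from the router's
    settings page by the user and passed in as arguments.
  - COMMON_DEFAULTS is a tiny sample of default-style passwords, not a real
    vendor list; the optional sticker_password lets you compare against the
    value printed on your own router's label.
"""
from datetime import date
import math
import re

# Constructed sample of factory-default style passwords (illustrative only).
COMMON_DEFAULTS = {"admin", "password", "1234", "12345678", "changeme", "root"}

# Below this estimate the admin password is flagged as weak (threshold chosen here).
MIN_ENTROPY_BITS = 50

# Firmware older than this is flagged as stale (threshold chosen here).
MAX_FIRMWARE_AGE_DAYS = 365


def looks_like_factory_default(password, sticker_password=None):
    """True if the password matches a common default or the router's own sticker value."""
    candidate = password.strip()
    if sticker_password is not None and candidate == sticker_password.strip():
        return True
    return candidate.lower() in COMMON_DEFAULTS


def estimate_entropy_bits(password):
    """Rough entropy estimate: length * log2(size of the character classes used).

    This is deliberately simple and ignores dictionary words, so it can only
    over-estimate strength; it is a floor for flagging obviously short passwords.
    """
    charset = 0
    if re.search(r"[a-z]", password):
        charset += 26
    if re.search(r"[A-Z]", password):
        charset += 26
    if re.search(r"[0-9]", password):
        charset += 10
    if re.search(r"[^a-zA-Z0-9]", password):
        charset += 33  # printable ASCII punctuation
    if charset == 0:
        return 0.0
    return len(password) * math.log2(charset)


def firmware_is_stale(firmware_date, today, max_age_days=MAX_FIRMWARE_AGE_DAYS):
    """True if the firmware build date is older than the allowed age."""
    return (today - firmware_date).days > max_age_days


def check_router(password, firmware_date, today=None, sticker_password=None):
    """Return a list of findings; an empty list means nothing was flagged."""
    today = today or date.today()
    findings = []
    if looks_like_factory_default(password, sticker_password):
        findings.append("default password still in use: change it")
    elif estimate_entropy_bits(password) < MIN_ENTROPY_BITS:
        findings.append("admin password is weak: choose a longer passphrase")
    if firmware_is_stale(firmware_date, today):
        findings.append(
            f"firmware last updated {firmware_date.isoformat()}: "
            "ask your ISP about updates or a replacement"
        )
    return findings


if __name__ == "__main__":
    # Constructed inputs: a router still on its default password with 2018 firmware.
    for finding in check_router("admin", date(2018, 3, 1), today=date(2021, 5, 6)):
        print("-", finding)
```

The entropy estimate is intentionally crude: it will happily pass a long string of dictionary words, so treat it as a lower bar for length and variety, not as proof of strength. The firmware check only reports staleness; whether an update exists is a question for your ISP, which is exactly what the second recommended action above says.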