
Study Finds Security Flaws in Routers Bundled by Big UK ISPs

Thursday, May 6th, 2021 (9:05 am) - Score 4,800

A new study from consumer magazine Which? has warned that millions of UK consumers may be “at risk of being hacked in their homes” because the “outdated” broadband router they use, as supplied by several major ISPs including EE, Sky Broadband, TalkTalk, Virgin Media and Vodafone, could contain potential security flaws.

The report examined 13 “old router models,” many of which will still be in wide circulation because broadband providers don’t tend to retire them unless they break or the customer switches / upgrades to a different service. Unfortunately the study found that 9 out of the 13 routers tested had flaws, which they claimed would “likely see them fail to meet requirements proposed in upcoming government laws to tackle the security of connected devices.”

The laws mentioned above are a reference to the Government’s new Secure by Design proposals, which will require many network connected consumer devices (Smartphones, broadband routers, internet connected TVs etc.) to follow certain pro-security practices (i.e. banning universal default passwords, transparency on future support for security updates and providing a route for third parties to report vulnerabilities).

However, the proposed rules have not yet become law and don’t look as if they’ll be applied retrospectively, plus there is a caveat for if they impose “impractical obligations on businesses.” In other words, it remains unclear whether the issues identified by Which? would actually cause broadband ISPs to be in breach of the future law, particularly since we’re talking about old hardware, albeit kit that’s still technically supported by an ISP.

The Study’s Findings

Broadly speaking Which? identified three key issues.

  • Weak default passwords, which in certain circumstances could allow a cyber criminal to hack the router and access it from anywhere (around 7 out of 13 routers had these). A lot of consumers leave default passwords unchanged;

  • A lack of firmware updates, which are vital for both security and performance (c.6 million homes were estimated to be using a router that has not been updated since 2018 or earlier [7 out of the 13 routers tested] and 2.4 million haven’t had a router upgrade in the last 5 years);

  • A local network vulnerability issue with the EE Brightbox 2. This could give a hacker full control of the device, and for example allow them to add malware or spyware, although they would have to be on the network already to attack.

The good news is that the study didn’t run into any problems when testing old BT and Plusnet routers, although admittedly on the latter they only tested Plusnet’s Hub Zero 2704N and not the Hub One etc. An overall summary of all the routers tested can be found below. All of these are older, albeit still technically supported, devices – the most recent routers from each ISP follow better practices and aren’t a concern.

Weak passwords – devices affected:

  • TalkTalk HG533
  • TalkTalk HG523a
  • TalkTalk HG635
  • Virgin Media Super Hub 2
  • Vodafone HHG2500
  • Sky SR101
  • Sky SR102

Lack of updates – devices affected:

  • Sky SR101
  • Sky SR102
  • Virgin Media Super Hub
  • Virgin Media Super Hub 2
  • TalkTalk HG523a
  • TalkTalk HG635
  • TalkTalk HG533

Network vulnerabilities – devices affected:

  • EE Brightbox 2

The three routers that passed the security tests:

  • BT Home Hub 3B
  • BT Home Hub 4A
  • BT Home Hub 5B
  • Plusnet Hub Zero 2704N

Most of the ISPs tested responded to say that they still monitor for security threats on older kit and will provide updates if needed, although the vulnerability found within EE’s BrightBox 2 router suggests that there may be room for improvement (although you’d already have to be on the user’s home network in order to exploit that vulnerability).

However, aside from Virgin Media, none of the ISPs Which? contacted gave a clear indication of the number of customers using their old routers. Virgin said that it did not recognise or accept the findings of the research and that 9 in 10 of its customers are using their latest Hub 3 or Hub 4 routers. But Which? notes that Virgin was counting just paying account holders, whereas their study was of anyone using routers within a household.

Finally, the study found that only Sky Broadband, Virgin Media and Vodafone appeared to have dedicated web pages so that security researchers can report issues with their network or devices.

A Spokesperson for BT and EE said:

“The vast majority of our customers are using our award winning BT Smart Hub 2 or EE Smart Hub. We want to reassure customers that all our routers are constantly monitored for possible security threats and updated when needed. These updates happen automatically so customers have nothing to worry about. If a customer has any issues, they should contact us directly and we will be happy to help.”

A Virgin Media spokesperson said:

“We do not recognise or accept the findings of the Which? research – nine in ten of our customers are using the latest Hub 3 or Hub 4 routers. The safety and security of our customers is always a top priority and we have robust processes in place to protect them by rolling out security patches and firmware updates as well as issuing customer communications where necessary.”

A TalkTalk spokesperson said:

“These routers make up a very small proportion of those in use by our customers. Customers using all of these routers can change their passwords easily at any time.”

A Plusnet spokesperson said:

“We want to reassure customers that all our routers are constantly monitored for possible security threats and updates with firmware. These updates happen automatically so customers have nothing to worry about. If a customer has any issues, they should contact us directly and we will be happy to help.”

A Vodafone spokesperson said:

“All new Vodafone routers have device specific passwords. Vodafone stopped supplying the HHG2500 router to customers in August 2019. Customers who still have the HHG2500 router will continue to receive firmware and security updates as long as the device remains on an active customer subscription. Customers who haven’t already changed their password should do so.”

Which? states that ISPs should be more transparent about how long routers will receive firmware and security updates, although in our experience they generally do update older kit once an issue has been identified (the pace at which this occurs often depends more on the device manufacturer than the ISP itself).

We also agree that consumers who are using devices that are 5 years old or more should ask their ISP if it’s still supported and, if not, then seek an upgrade. Indeed, it’s generally a good idea to talk to your ISP about getting a new router after that sort of period, which is often possible if you also negotiate to re-contract on to a new package at the same time (not all providers will do this if it isn’t deemed strictly necessary).

At the same time we should remember the need to keep electronic waste down to a minimum, so if the router is still doing its job and the ISP are still supporting it then there may be no need to rush toward an upgrade.

However, we think that Which?’s study failed to examine other key factors beyond those above, such as the security dangers inherent to older devices that may still be using WEP WiFi encryption (very weak), or even the first generation of WPA encryption.

By Mark Jackson
Mark is a professional technology writer, IT consultant and computer engineer from Dorset (England), he also founded ISPreview in 1999 and enjoys analysing the latest telecoms and broadband developments.

18 Responses
  1. Aaron says:

    “But Which? notes that Virgin was counting just paying account holders”

    Virgin Media has had modem / routers combined since the original Super Hub, and as such the router is only usable if the user is a paying customer; they basically brick them once the account is closed… So this is a valid statement by Virgin Media…

    (Ex Virgin Media Installer of 5 – 6 years)

    1. Winston Smith says:

      I read that as VM considered the account holder as one user but Which counted everyone using the router.

  2. adslmax says:

    Plusnet firmware on the Hub One is never updated; I have had to keep asking PN to push updates after requesting them, including for WiFi issues ongoing on the Hub One (5GHz drop in speed), which haven’t been fixed yet and are still happening!

    A Plusnet spokesperson said:

    “We want to reassure customers that all our routers are constantly monitored for possible security threats and updates with firmware. These updates happen automatically so customers have nothing to worry about. If a customer has any issues, they should contact us directly and we will be happy to help.”

    Then why did they update firmware, as they never did since 2017 with my Hub One? I ditched it and use my own router myself!

    Never use ISP’s router!

  3. xchris says:

    Vodafone is in fact the worst, as they don’t release the connection credentials to customers, so you are forced to use whatever crap they give.

    1. JP says:

      Vodafone do give login credentials if you ask for them

    2. Brumski says:

      Not true. As long as the modem/router you intend to use is on the ‘Openreach MCT list’ they will provide PPPoE credentials.

  4. JP says:

    Every time I see something from Which? it whiffs a bit.

    1. ianh says:

      I never get past the subscribe button

  5. JmJohnson says:

    What’s the difference between an ISP supplying a router with a weak default password and supplying your own router which also has a weak default password?
    It doesn’t matter if the password is weak or not considering it’s a default password.
    I’m also yet to find a router that is accessible via its WAN connection by default.
    The only recent widespread vulnerability I was aware of was Heartbleed back in 2014, which Sky pushed a fix for, so the argument that they haven’t received an update since 2018 is moot… if it’s not broken then don’t fix it.
    Of course updates to improve performance are nice but the ISP has a responsibility to its customers… do they push an update that improves performance by 0.5% but could cause 0.1% of their customers to be without internet for x days due to bricking their routers (issue during update… i.e. power outage, manual reboot etc.)?

    This is why performance improvements are usually just applied to new kit or manually installed and security updates are mass deployed (when talking about firmware).
    Now if Which? cross-referenced dates of the last updates with the router chipsets, services, configs and CVE list then the metric may carry some weight.

  6. Ig Og says:

    I closed my vm account 13 months ago, called three times to send the SH3 back, no reply, they’re not interested.

  7. Anthony Goodman says:

    Anyone with any clout should see about forcing ISP routers to use open source operating systems so you can switch between ISPs at ease with them (and thus save the environment that Greta Thunberg and Extinction Rebellion bang on about so much) and also ensure they remain updated through the work of the community and not relying upon ISPs.

    When I get a router the first thing I do is see if it supports OpenWRT, as I know it will remain updated and secure. I shouldn’t have to do this; all routers made now should be designed to support it or something like it.

  8. Name says:

    Coincidentally, all routers are Huawei crap?

    1. AQX says:

      Virgin use Netgear for the Hub 2..

  9. Mark says:

    Which? When did they become experts on vulnerabilities in routers and the CVE numbers, please?

  10. Stephen says:

    I know why all this is bad security wise, etc etc.
    ISPs should somehow force customers to change their router password when they set up their account, with clear guidance how, because environmentally speaking it is a very, very positive thing that these companies are keeping so many pieces of hardware in circulation over the old practice of packing them off to likely be sifted through as rotting toxic waste by Nigerian children.

    1. Anthony Goodman says:

      They are not keeping them in circulation though. If you leave that ISP that router becomes worthless and fit for the landfill. All they need to do is open them up for use on other networks and you’d be saving a lot of hassle and wasted hardware. If they opened them up to a standard opensource OS the community would keep them up to date too so much less work for ISPs.

  11. emilygrace says:

    Nice Post. Thanks For sharing this Article.

  12. Buggerlugz says:

    Firmware updates, or lack of them, is a huge bugbear for me. It’s a side-effect of today’s throw away society. “Hell, why bother, you’ll need a newer better tech thingy next month anyway!” mentality, it drives me up the wall.

    LG has this issue with LCDs and Huawei with its routers.

    Is it just me or do 40 year old appliances still work because they’re built better and built to last? Then generally tech gear today is made cheaply with poor quality components that are expected to just die outside the warranty?
