A new study from consumer magazine Which? has warned that millions of UK consumers may be “at risk of being hacked in their homes” because the “outdated” broadband router they use, as supplied by several major ISPs including EE, Sky Broadband, TalkTalk, Virgin Media and Vodafone, could contain potential security flaws.
The report examined 13 “old router models,” many of which will still be in wide circulation because broadband providers don’t tend to retire them unless they break or the customer switches / upgrades to a different service. Unfortunately the study found that 9 out of the 13 routers tested had flaws, which they claimed would “likely see them fail to meet requirements proposed in upcoming government laws to tackle the security of connected devices.”
The laws mentioned above are a reference to the Government’s new Secure by Design proposals, which will require many network connected consumer devices (Smartphones, broadband routers, internet connected TVs etc.) to follow certain pro-security practices (i.e. banning universal default passwords, transparency on future support for security updates and providing a route for third parties to report vulnerabilities).
However, the proposed rules have not yet become law and don’t look as if they’ll be applied retrospectively, plus there is a caveat for cases where they would impose “impractical obligations on businesses.” In other words, it remains unclear whether the issues identified by Which? would actually put broadband ISPs in breach of the future law, particularly since we’re talking about old hardware, albeit kit that’s still technically supported by an ISP.
Broadly speaking Which? identified three key issues.
Weak default passwords, which in certain circumstances could allow a cyber criminal to hack the router and access it from anywhere (around 7 out of 13 routers had these). A lot of consumers leave default passwords unchanged;
A lack of firmware updates, which are vital for both security and performance (c.6 million homes were estimated to be using a router that has not been updated since 2018 or earlier [7 out of the 13 routers tested] and 2.4 million haven’t had a router upgrade in the last 5 years);
A local network vulnerability issue with the EE Brightbox 2. This could give a hacker full control of the device, and for example allow them to add malware or spyware, although they would have to be on the network already to attack.
The good news is that the study didn’t run into any problems when testing old BT and Plusnet routers, although admittedly on the latter they only tested Plusnet’s Hub Zero 2704N and not the Hub One etc. An overall summary of all the routers tested can be found below. All of these are older, albeit still technically supported, devices – the most recent routers from each ISP follow better practices and aren’t a concern.
Weak passwords – devices affected:
TalkTalk HG533
TalkTalk HG523a
TalkTalk HG635
Virgin Media Super Hub 2
Vodafone HHG2500
Sky SR101
Sky SR102
Lack of updates – devices affected:
Sky SR101
Sky SR102
Virgin Media Super Hub
Virgin Media Super Hub 2
TalkTalk HG523a
TalkTalk HG635
TalkTalk HG533
Network vulnerabilities – devices affected:
EE Brightbox 2
The three routers that passed the security tests:
BT Home Hub 3B
BT Home Hub 4A
BT Home Hub 5B
Plusnet Hub Zero 2704N
Most of the ISPs tested responded to say that they still monitor for security threats on older kit and will provide updates if needed, although the vulnerability found within EE’s Brightbox 2 router suggests that there may be room for improvement (although you’d already have to be on the user’s home network in order to exploit that vulnerability).
However, aside from Virgin Media, none of the ISPs Which? contacted gave a clear indication of the number of customers using their old routers. Virgin said that it did not recognise or accept the findings of the research and that 9 in 10 of its customers are using their latest Hub 3 or Hub 4 routers. But Which? notes that Virgin was counting just paying account holders, whereas their study was of anyone using routers within a household.
Finally, the study found that only Sky Broadband, Virgin Media and Vodafone appeared to have dedicated web pages so that security researchers can report issues with their network or devices.
A spokesperson for BT and EE said:
“The vast majority of our customers are using our award-winning BT Smart Hub 2 or EE Smart Hub. We want to reassure customers that all our routers are constantly monitored for possible security threats and updated when needed. These updates happen automatically so customers have nothing to worry about. If a customer has any issues, they should contact us directly and we will be happy to help.”
A Virgin Media spokesperson said:
“We do not recognise or accept the findings of the Which? research – nine in ten of our customers are using the latest Hub 3 or Hub 4 routers. The safety and security of our customers is always a top priority and we have robust processes in place to protect them by rolling out security patches and firmware updates as well as issuing customer communications where necessary.”
A TalkTalk spokesperson said:
“These routers make up a very small proportion of those in use by our customers. Customers using all of these routers can change their passwords easily at any time.”
A Plusnet spokesperson said:
“We want to reassure customers that all our routers are constantly monitored for possible security threats and updates with firmware. These updates happen automatically so customers have nothing to worry about. If a customer has any issues, they should contact us directly and we will be happy to help.”
A Vodafone spokesperson said:
“All new Vodafone routers have device specific passwords. Vodafone stopped supplying the HHG2500 router to customers in August 2019. Customers who still have the HHG2500 router will continue to receive firmware and security updates as long as the device remains on an active customer subscription. Customers who haven’t already changed their password should do so.”
Which? states that ISPs should be more transparent about how long routers will receive firmware and security updates, although in our experience they generally do update older kit once an issue has been identified (the pace at which this occurs often depends more on the device manufacturer than the ISP itself).
We also agree that consumers who are using devices that are 5 years old or more should ask their ISP if it’s still supported and, if not, then seek an upgrade. Indeed, it’s generally a good idea to talk to your ISP about getting a new router after that sort of period, which is often possible if you also negotiate to re-contract on to a new package at the same time (not all providers will do this if it isn’t deemed strictly necessary).
At the same time we should remember the need to keep electronic waste to a minimum, so if the router is still doing its job and the ISP is still supporting it then there may be no need to rush toward an upgrade.
However, we think that Which?’s study failed to examine other key factors, such as the security dangers inherent to older devices that may still be using WEP WiFi encryption (very weak), or even the first generation of WPA encryption.
“But Which? notes that Virgin was counting just paying account holders”
Virgin Media has had combined modem / routers since the original Super Hub, and as such the router is only usable if the user is a paying customer; they basically brick them once the account is closed… So this is a valid statement by Virgin Media…
(Ex Virgin Media Installer of 5 – 6 years)
I read that as VM considered the account holder as one user but Which counted everyone using the router.
Plusnet firmware on the Hub One has never been updated; I have had to keep asking PN to push for updates after requesting them, including the ongoing WiFi issue where the Hub One’s 5GHz drops in speed, which hasn’t been fixed yet and is still doing it!
A Plusnet spokesperson said:
“We want to reassure customers that all our routers are constantly monitored for possible security threats and updates with firmware. These updates happen automatically so customers have nothing to worry about. If a customer has any issues, they should contact us directly and we will be happy to help.”
Then why haven’t they updated the firmware, as they never have since 2017 with my Hub One? I ditched it and use my own router myself!
Never use ISP’s router!
Vodafone is in fact the worst, as they don’t release the connection credentials to customers, so you are forced to use whatever crap they give.
Vodafone do give login credentials if you ask for them.
Not true. As long as the modem/router you intend to use is on the ‘Openreach MCT list’ they will provide PPPoE credentials.
Every time I see something from Which? it whiffs a bit.
I never get past the subscribe button.
What’s the difference between an ISP supplying a router with a weak default password and supplying your own router which also has a weak default password?
It doesn’t matter if the password is weak or not considering it’s a default password.
I’m also yet to find a router that is accessible via its WAN connection by default.
The only recent widespread vulnerability I was aware of was Heartbleed back in 2014, for which Sky pushed a fix, so the argument that they haven’t received an update since 2018 is moot… if it’s not broken then don’t fix it.
Of course updates to improve performance are nice but the ISP has a responsibility to its customers… do they push an update that improves performance by 0.5% but could cause 0.1% of their customers to be without internet for x days due to bricking their routers (issue during update… i.e. power outage, manual reboot etc.)?
This is why performance improvements are usually just applied to new kit or manually installed and security updates are mass deployed (when talking about firmware).
Now if Which? cross-referenced dates of the last updates with the router chipsets, services, configs and CVE list then the metric may carry some weight.
I closed my vm account 13 months ago, called three times to send the SH3 back, no reply, they’re not interested.
Anyone with any clout should see about forcing ISP routers to use open source operating systems so you can switch between ISPs at ease with them (and thus save the environment that Greta Thunberg and Extinction Rebellion bang on about so much) and also ensure they remain updated through the work of the community and not relying upon ISPs.
When I get a router the first thing I do is see if it supports OpenWRT, as I know it will remain updated and secure. I shouldn’t have to do this; all routers made now should be designed to support it or something like it.
Coincidentally, all routers are Huawei crap?
Virgin use Netgear for the Hub 2..
Which? – when did they become experts on vulnerabilities in routers and CVE numbers, please?
I know why all this is bad security wise, etc etc.
ISPs should somehow force customers to change their router password when they set up their account, with clear guidance on how, because environmentally speaking it is a very, very positive thing that these companies are keeping so many pieces of hardware in circulation over the old practice of packing them off to likely be sifted through as rotting toxic waste by Nigerian children.
They are not keeping them in circulation though. If you leave that ISP that router becomes worthless and fit for the landfill. All they need to do is open them up for use on other networks and you’d be saving a lot of hassle and wasted hardware. If they opened them up to a standard opensource OS the community would keep them up to date too so much less work for ISPs.
Firmware updates, or the lack of them, are a huge bugbear for me. It’s a side-effect of today’s throwaway society. The “Hell, why bother, you’ll need a newer better tech thingy next month anyway!” mentality drives me up the wall.
LG has this issue with LCDs and Huawei with its routers.
Is it just me or do 40 year old appliances still work because they’re built better and built to last? Then generally tech gear today is made cheaply with poor quality components that are expected to just die outside the warranty?