BT, TalkTalk, Virgin Media and Vodafone on UK Router Security and Upgrades

Monday, May 13th, 2024 (12:01 am) - Score 10,600

Last week we covered how Sky Broadband was responding to the UK government’s new internet and network security laws, which among other things prompted them to launch a new router upgrade scheme and be more transparent with customers about the state of security updates for their existing network kit. Since then, we’ve asked the other major ISPs how they plan to respond.

Just to recap, there are actually two sets of laws playing a role here. The first reflects the new Secure by Design rules under the Product Security and Telecommunications Infrastructure Act (PSTI), which came into effect on 29th April 2024 (here). This requires, among other things, that manufacturers and retailers must be “open with consumers on the minimum time they can expect to receive important security updates” for their smart / connected devices (e.g. broadband routers, phones, TVs, game consoles, smart doorbells etc.).

The second one is the new Telecoms Security Act, which sets out expectations for how telecoms providers should monitor and reduce the risks of security compromises relating to older devices (such as routers), which no longer receive security updates. This comes into force at the end of March 2025, although Sky Broadband’s approach seems to already be taking account of both laws.


Naturally this made us curious about the approaches being taken to this by BT (inc. EE and Plusnet), Virgin Media (VMO2), TalkTalk and Vodafone, which have all now provided a response.

Big ISPs and Router Security Changes

TalkTalk

The provider said that they’re currently in the process of putting procedures in place to comply with the Telecoms Security Act requirements and will communicate this to customers in due course. As for the PSTI, TalkTalk claims to have been compliant since 29th April 2024, although they didn’t elaborate on how they were achieving that.

A Spokesperson for TalkTalk said: “The requirements included in the Telecoms Security Act come into force at the end of March 2025 and we will communicate with customers in due course.”

BT (inc. EE and Plusnet)

BT said they are already “fully compliant” with the new PSTI regulations, although they don’t currently plan on introducing a router upgrade scheme. But the provider does say that they continually review the products and services they offer, to ensure customers get the best possible experience and to maintain their responsibility to be sustainable.

Crucially, the operator notes that the majority of the broadband routers/hubs that EE, BT and Plusnet customers have are still supported by security updates and would not need to be upgraded at this time. But “majority” is not the same word as “all”, which leaves a little question mark over what active kit might have fallen by the wayside.

Virgin Media

Virgin have introduced a page that provides useful information about the security of their consumer equipment (here), which includes sub-links to manufacturers’ pages showing the security updates and planned support lifetime. For example, the latest Hub 5x will be supported until 31st December 2029. But sadly this same information isn’t yet available for most of their router models (it should be soon).

The provider also notes that a separate deadline, which takes effect next year for Tier 1 providers (like VMO2), exists to ensure all customer premises equipment (CPE) is still supported and / or customers are contacted and offered a replacement as required (we believe this to be the March 2025 obligation). But Virgin doesn’t say precisely what approach they’ll take to implementing that.

Vodafone

Vodafone has set up a PSTI page that provides details on device support and compliance. For example, if you type “Vox 3 (Intelligent WiFi Hub)” into the search box (this is one of their older broadband routers), then it gives you a statement of compliance and reveals that this device will continue to receive security updates until 31st December 2026.

A Spokesperson for Vodafone told ISPreview: “As per the PSTI requirements, customers can find support information throughout our sales journeys and on our PSTI information page for relevant devices.”

In short, there are still quite a few unknowns as to how certain broadband ISPs will approach these changes, but it’s positive to see that they’re all aware of the new measures. Nevertheless, some providers seem to be taking a more proactive approach than others, and it’s worth noting that the new rules also apply to smaller players.

By Mark Jackson
Mark is a professional technology writer, IT consultant and computer engineer from Dorset (England). He also founded ISPreview in 1999 and enjoys analysing the latest telecoms and broadband developments. Find me on X (Twitter), Mastodon, Facebook, BlueSky, Threads.net and .
Comments
31 Responses


  1. Ad47uk says:

    Maybe best for the smaller players to stop providing routers and tell people to get their own. If they supply no hardware, then it is not their problem.

    1. Bob says:

      Providers using Openreach VDSL (FTTC / SOGEA) have a contractual obligation to ensure customers are using modems/routers certified by Openreach, to ensure they don’t negatively impact the network and cause issues for others on the same DSLAM etc. The easiest way to do that is to provide the router. So although not providing a router is an option, it poses other issues.

    2. Mark Jackson says:

      Smaller players that don’t bundle a router tend to get around that by offering an optional pre-configured router at extra cost. But of course, all of that will steadily become irrelevant as we transition to FTTP.

      The risk with not offering a router is that you end up causing confusion, such as for the many regular consumers that might struggle with the extra technical requirements (i.e. correctly choosing both the right router model and setting it up for their service). Not all routers are created equal.

    3. Alex says:

      And:

      – Anything on Virgin Media’s network (whether sold by VM or through their new wholesale operation) has to be provided by the CP for a similar reason as Bob provided for Openreach VDSL: you can stuff up the network for other people or remove limits with non-standard kit.
      – Some Altnets have similar requirements on CPs
      – Many retail and very small business customers don’t consider themselves to be buying internet access but “WiFi”; hence loads of big CPs coming out with WiFi guarantees about being able to connect in all rooms in your house, with people willing to switch provider to get a better WiFi signal compared to getting a different router. Smaller providers stopping issuing CPE kit may be cutting off their noses to spite their face if they are targeting home and very small business markets.

    4. Ad47uk says:

      @Bob, as Mark says, things will be different with FTTP and I know in the days of dial up we were supposed to have modems BT certified, I did not think it was a thing these days.
      I had a Supra modem when I first started using a BBS, that was certainly not BT certified as it was American, but it worked ok. I did eventually get a U.S. Robotics Courier, that was certified.

      @Mark, I had a couple of providers over the years that did not supply their own router, mainly dial up, but a couple of ADSL as well.

      @Alex, Virgin is a bit different unless you are only using their broadband service, they supply a TV service, so I presume their router will have to cope with that.

      But then again, these days with fibre maybe not, as it will just be another FTTP network.

      I prefer using my own router, I doubt very much if I will use another provider router again.

      Maybe at some point, just to have a muck around with things, I may build my own router and use one of the router OS that is around.
      Depends on price for the hardware and if I can be bothered.

    5. Jonathan says:

      The contractual obligation for Openreach certified modems was certainly in breach of EU legislation that is likely retained. Remember those green circles and red triangles back in the day? Well, the same EU legislation that made those go away means it certainly was illegal for Openreach to demand “certified” modems. Basically, imagine every incumbent telecommunications provider in the EU did the same. It would make a mockery of the single market, so certified in one EU country meant certified in them all. More specifically, there were a couple of firms authorised to certify telecommunications equipment (and an xDSL modem is such), and certification from any of those firms means it is authorised for use in the EU.
      OK, we are not in the EU anymore, but it is likely retained legislation and part of regulation alignment with the EU. If Openreach wanted to control the VDSL modem they needed to keep providing it themselves.

    6. techbloke says:

      I think longer term ISPs will put pressure on the wholesale providers to implement vCPE technology running on the ONT which will thus become the endpoint for the PPP session with the customer being able to set the private IP and have limited firewall control but not much else so the kit you connect won’t be acting as anything more than a switch and access point.
      This would prevent people inadvertently exposing improperly secured devices to the Internet and mitigate risks posed by those using ancient end-of-life hardware they do not wish to replace, or who are running recent hardware with out-of-date firmware.

      This will also reduce their costs, as they will no longer have to enter into supply chain agreements for CPE, while reducing some of the burden of regulatory compliance.

      Technically savvy users won’t like it much though.

    7. Them indoors says:

      A good friend of mine’s father worked for BT back in the day of the red and green markers on the underside of phone equipment. Guess what their phones had on them…? You guessed it, the red circle! LOL… I don’t know anyone who paid any real attention to it.

  2. bob says:

    @Mark Jackson, absolutely right, the additional support overhead shouldn’t be overlooked.

    1. anonymous says:

      They get paid enough by customers for support. The reason that customers don’t get rates as cheap as the Openreach wholesale price is because that is added on top.

      Also, what about providers who insist on supplying a modem (BT, EE, Sky, Now and others) when a customer will never use it, because they have their own vastly superior router? Give the option for “No router required” and that’s where you can get your savings towards supporting other customers!

    2. Ivor says:

      Even if you believe that your own router is “vastly superior” (that is extremely debatable), none of the big ISPs officially support 3rd party equipment. If you have a service issue, the very first step is going to be to connect their router and see if the problem remains.

      A relatively small number of unused devices (which are “rented” and would be returned if the customer leaves) is probably peanuts compared to complicating the order process.

    3. Ad47uk says:

      @Ivor, my router is superior to most routers provided by ISPs. For a start, it is not locked down like most ISP provided ones are, and the WiFi is certainly better than any ISP ones I have seen or used so far. Also, it is not full of junk that is not needed, like what BT and EE stick in theirs.

    4. Jonathan says:

      @ivor ISP provided routers are by and large cheap junk that is best avoided. Not least because historically they never provided firmware updates for security.

    5. anonymous says:

      Actually, my router is vastly superior to any UK ISP supplied one. DNS over TLS, DNSSEC, antivirus for all devices, VPN for devices that can’t support a VPN agent/client, advert blocking, QoS, time server, monitoring of latency and reporting, web URL logging, bandwidth traffic analysis of clients and apps, in fact too many things to list out. Oh, and the new one will sport 10Gbps ports and WiFi 7 – but that’s a few months off yet as I’m waiting for the new model.

    6. Ivor says:

      Lots of opinions here but not a lot of data.

      I’ll engage on one point though – the claim about a lack of firmware updates. Would like to see some evidence on that one.

      Indeed, on this very website we can see articles covering ISPs that have had to release new updates to fix problems, let alone all the updates that go out in the background without anyone noticing (which is how it *should* be).

    7. Matt says:

      @Ivor

      I tend to try and cut down on the amount of e-waste I’m responsible for, so I chose an ISP that didn’t require me to have their router.

      With Plusnet, who are hardly a small ISP these days, it was a simple matter of clicking the ‘x’ next to it in the basket and they just didn’t ship one to me. They seem happy enough to support the connection without it. Nothing really hard about that in terms of complicating the order process from my end or theirs.

      I know my way around a router, so the rare times there is an issue I’ve always ruled that out, although Plusnet have asked me to check x, y and z on the router before but obviously weren’t able to tell me where x, y and z are in the settings. It’s my device, I wouldn’t expect them to support it or know their way around it. I know they can see they didn’t ship a router to me, or at least that I’m not using it, as a support agent mentioned it to me once.

      I do very much get why providing support via “own brand” routers is easier (remote access, staff training, costs etc.) and better/easier for most customers. I don’t think people who use their own routers are put off doing so because the ISP shipped them one; they are also likely to be a bit more tech savvy, so it would be good if more ISPs took the attitude Plusnet did and would support the connection but not the device as such if you had issues. They would, of course, need to be very clear in their sales pitch that this was the case, because quite a few people would expect their own device supported.

      (At the time I moved to Plusnet from Virgin Media I checked with BT, EE, TalkTalk, Vodafone and Sky, all of whom would have made me take their routers, so Plusnet does seem to be a rarity out of the bigger players. When I was with Vodafone they insisted I plug in their router before they would provide any support, even though the problem very obviously wasn’t to do with my router… the cable had come away from the house in a very bad storm.)

  3. Anthony says:

    I truly cannot believe that ISPs consider it a cheaper and more reasonable procedure to just send every router over a few years old to the scrap heap, as opposed to hiring a single person to keep it security updated. If the guys at OpenWRT, DD-WRT, Merlin, OPNsense, IPFire and ClearOS all do this for free on their own time, how can a major ISP not hire someone like this to do it for their routers?

    1. Ivor says:

      Probably because none of those groups have a legal requirement to certify or guarantee the reliability or security of those products. It isn’t a “single person job” in that case.

      It just doesn’t make sense to support old hardware forever, especially when there’s an opportunity to provide customers with higher performance hardware and an improved customer experience, particularly around WiFi, which has become a huge differentiating factor for the ISPs.

      Isn’t OPNsense a fork of pfSense, which is a commercially supported product?

    2. Jonathan says:

      @ivor if you want good WiFi then an ISP provided router is *always* going to suck in comparison to ceiling mounted access points with wired backhaul, PoE powered.

    3. Ad47uk says:

      @Ivor, you say about higher performance hardware and an improved customer experience, but do most people notice or care? For the majority of people, if their router works and gets them connected to the net, that is all they are worried about. It is sales talk that makes them think they need or want the latest router with the latest Wi-Fi, and in most cases they don’t. The same with super-duper speedy fibre and mobile phones, to be honest.

      If these people just do a bit of streaming, browse the net, email, maybe listen to some music, then in reality my old 12-year-old TP-Link router will do the job just fine. It only uses 2.4 GHz WiFi, but the majority would not even notice.
      The only reason I gave up using it was because it could not cope with the amount of Wi-Fi devices I have; I would be using it now otherwise.

      Sorry, but people are blasted with sales rubbish.

      Yes, OPNsense is a fork of pfSense. If I muck around with making my own router, I will be using OPNsense I expect.

    4. anonymous says:

      Oh Ivor, Ivor, Ivor.

      Merlin, who produces firmware for selected Asus routers, is overseen by Asus and keeps a strict separation between managed code and what he does. Asus even support you using his firmware under warranty – yep, you read that right. You can even return a router with his firmware on it under warranty.

    5. Ivor says:

      I speak from experience, having used everything from Cisco to Ubiquiti to the thing my ISP supplies.

      I’ve had weirder issues on the “vastly superior” Ubiquiti (a brand that people love to rave about, and I suspect the person going on about ceiling mounted APs is referring to them too) than I have on the ISP kit.

      “Sorry, but people are blasted with sales rubbish.” – indeed they are, when they spend all that money on third party kit that doesn’t actually deliver a proportionate increase in quality or performance (and often don’t know how to use it properly anyway), whether it’s some ugly spider router, or someone who thinks they need an access point in every room and believes that disabling IPv6 fixes all problems.

      No idea what a “Merlin” is but from a brief Google search, Asus’s PSTI obligations don’t seem to extend to that. It would apply to their own firmware only. I wouldn’t certify compliance against some random person’s modified firmware either, to be fair.

    6. anonymous says:

      Yeah, we will agree to disagree on 3rd party kit. In the VDSL days, the combined routers from ISPs were always rubbish, and you got a better sync speed by getting your own BT Openreach HG612 modem (for a Huawei cabinet) and using it with your own router for the management side. If you used the ISP router you would have got lower speeds, by as much as 12Mbps, depending on your line condition, and had to put up with primitive management controls and the unknown of them doing anything and monitoring. You’d go through the ISP’s DNS for a start, which is nearly always unencrypted and with no DNSSEC enabled.

      Yes, you wouldn’t certify against Merlin’s firmware for an organisation, but the point was to demonstrate that he is not just a random dude maintaining firmware. Asus accept his work and often go on to use stuff in stock firmware later. I would never consider an ISP that locked me down to their router. Sky tried doing that on VDSL and I just kicked their rubbish router to the kerb and set DHCP Option 61, and boom, a connection was made to my Openreach modem with all the benefits of my router management. VLANs in an ISP router? Oh, you can’t do that sir!

    7. Ad47uk says:

      @Ivor

      “indeed they are, when they spend all that money on third party kit that doesn’t actually deliver a proportionate increase in quality or performance (and often don’t know how to use it properly anyway), whether it’s some ugly spider router or someone who thinks they need an access point in every room and believes that disabling IPv6 fixes all problems.”

      Not all of us spend a lot of money on third party kit. My TP-Link router cost me around £70; ok, it was on offer and the newer hardware version is £100 now, but still not a lot these days for a decent router.
      It is still better than the ones supplied by ISPs because I have full access to it, and can change what I want when I want, if I want to. If people want more features, then they go for the more expensive ones. I got mine to replace the one Plusnet sent, as it was failing; my mate fixed it once, but he could not tell me how long it would last. So I thought I would get a new one that would work even if I changed providers.
      I am glad I did, because the thing my new ISP sent me is a big ugly box thing that is, to be honest, not that good.

      A lot of ISPs still don’t support IPv6. Mine does, but I did not realise they did until reading some article, may have been on here. Changed the settings in my router to turn it on, not that it makes any difference, as my VPN doesn’t support IPv6 and sends everything out as IPv4. Not sure what problems people will solve by turning IPv6 off.

      The ISP I am with, their routers are awful, so I always tell people that are having problems to buy their own router.
      My ISP uses Icotera routers.

    8. Ivor says:

      Not my experience, at least. I am still on VDSL. That HG612 (isn’t this technically an ISP supplied device?!?) is Broadcom based. I’d expect identical performance with any Broadcom-based router, including the one my ISP supplies, and in practice that’s what I see.

      I happen to have lines on both an ECI and a Huawei cabinet (at the same property and therefore same cabling/routing) and *there is* a 15Mbps or so difference, but that’s not due to the choice of modem or router on my end. Your blessed HG612 syncs just as low as the ISP router does. The ECI version of the Openreach modem (Lantiq based?) doesn’t work any better.

      Since the HG612 hasn’t received a firmware update from Openreach in a very long time I’d expect a modern ISP device with modern firmware to be just as good, if not better. An ISP also has more sway in getting things fixed as compared to an open source project. Especially with Broadcom, given their history of outright hostility to all but the largest customers.

      If you feel that you need bells and whistles like DNSSEC or VLANs then go for it – but that’s not a reason to say ISP equipment is inherently bad or worse than stuff you can pay a lot of money for and end up with a different set of bugs and issues.

    9. anonymous says:

      The only ISP router I have come across that gives a better sync rate is the Now Broadband Hub Two (using Sky Q’s router), BUT you cannot do gateway only or bridge mode/modem only mode. So unless you want double NAT with your own stuff, you have no choice but to ditch it.

      Even the Openreach engineer agreed the Openreach HG612 was usually the best, and yes, it had a firmware update for G.INP.

      Can’t speak for ECI, as fortunately the next cabinet is that and I missed out on the joys of an ECI cabinet and went to a Huawei cabinet.

      Who said I was using open source either? Actually, if it’s open source there is probably a better chance of getting stuff fixed, unless the issue needing fixing sits in an SDK from Broadcom that no longer gets updated, as an example.

      My own kit EVERY TIME over the tosh given by ISPs. They really are garbage in 99.7% of cases. I have only seen Netomnia/YouFibre give an Asus AXE16000 router to their 8/10Gbps customer packages – now that is a decent router from an ISP compared to the other ISP offerings.

    10. Moriar says:

      “I truly cannot believe that ISPs consider it a cheaper and more reasonable procedure to just send every router over a few years old to the scrap heap, as opposed to hiring a single person to keep it security updated.”

      In most cases, it’s not the ISP choosing not to continue supplying security updates, it’s the equipment vendor ending their support for that model. It is the equipment vendor (Netgear/TP-Link/DrayTek/Vantiva/Sagemcom/Eero/etc.) that develops the firmware and decides for how long they’ll continue to provide firmware updates for it, not the ISP.
      It’s in the ISPs’ interest for their equipment vendors to support the equipment they supply to their customers for as long as possible.

      The Telecoms Security Act then obligates ISPs, for CPE they supply AND manage, to offer customers a replacement once it is declared EOL by the equipment vendor.

    11. greggles says:

      It is possible for OpenWRT to be used commercially; the Netgear WAX206 firmware is a fork of OpenWRT, with Netgear’s logo etc.

      So BT and co could fork OpenWRT; they don’t need to worry a lot about the core working of the firmware, just stick their skin on it and maintain any custom patches they use on top.

      However, I can’t see any of them doing it, as they will prefer something proprietary. Locking down is in their DNA.

      In addition, if the industry got together and ditched the obsolete PPPoE for IPoE, it would be easier for customers to use the same router on migration, as DHCP would simply authenticate and issue an IP without the customer needing to enter credentials, the same way you just plug in the Hub 5 from VM to activate the service. The main reason we keep PPPoE is to make things easier for ISP staff who don’t want to change their network design from what they are used to.

  4. paul church says:

    Does this mean I might get a router upgrade from Virgin? I’m still using the Hub 3.

  5. BigBrod says:

    It’s about time they just set a standard for equipment; so much waste.

    Every provider has this equipment and they can choose to change the colour or slap a logo etc. on it.

    It would make it so much easier for support and if you move providers.

    This would save so much money as well.

  6. Concerned citizen says:

    The Product Security and Telecoms Infrastructure Act applies to all devices that have an IP address: devices that are connected to the Internet or can be connected to the Internet. I would think that all the routers have an IP and are connected to the Internet. They are in scope of not just the TSA but the PSTIA as well.

    As per the law, every device that says “Huawei” on it, must be removed.

    Finally, Broadcom no longer supports the BCM63138 chip, which is the SoC in the majority of UK consumer broadband routers. How can the ISPs claim that these routers receive software security updates when the chip manufacturer no longer supports them?

    Well done to ISPreview for getting the ISPs to comment on their plans, but their plans clearly do not cut it. Replace the Huawei modems (HG612 and alike), every device with an IP that isn’t supported by the chip manufacturer, update your Linux and libraries, update all applications (as they will have known vulnerabilities otherwise), remove default passwords and secure all management traffic with SSL1.2 or better. This is inclusive of the LAN side GUI, thank you kindly.
