A new survey of 3,045 UK internet users, which was conducted by Broadband Genie between 1st January and 26th April 2024, has revealed that 89% of respondents have never updated the firmware of their home router and 86% have never changed the device’s administrator password (falling to 72% for those who have never changed their WiFi password).
The survey also found that 75% have never checked to see what or who is linked to their router and 52% have never changed or updated any of their router’s settings (this is up from 48% in 2022). The study goes on to claim that leaving the router set to its default password “allows hackers to easily identify which make and model of router the target is using,” although a lot of ISPs these days supply long randomised passwords that have no specific structure for identification.
In addition, routers that have been supplied (bundled) by your ISP are often set up to auto-update their firmware, which means that the customer doesn’t need to perform any specific actions in order to ensure that their device is kept up-to-date. But it’s still wise to check with your broadband provider and confirm what their policy is.
The main exception tends to be third-party devices, such as those purchased separately, which often do require a manual action to check for recent firmware. But one issue here is that not all device manufacturers make such firmware updates accessible or easy to find, while others may only offer very limited support and could thus risk leaving security vulnerabilities unpatched – sometimes even on relatively modern kit.
As part of this study the comparison site also asked respondents, specifically those who had never changed their router’s factory settings, why they had never done so. The majority (75%) said they didn’t understand why they would need to.
The fact that your router is often the single most important device in your home network for security should be incentive enough to ensure that you’ve set a strong password and not simply used the one supplied by your ISP, which may or may not be effective or properly randomised. The rule is to never assume it’s going to be secure out of the box. Clearly more effort needs to be put into raising awareness about such issues.
At this point it’s worth noting that the Government’s Product Security and Telecommunications Infrastructure Act (PSTI), which came into effect on 29th April 2024, included their new Secure by Design policy. This introduced tougher security standards for device makers and the ability to hit those that fail to comply (both retailers and manufacturers) with financial penalties.
Some examples of the changes include banning easily guessable default passwords (“admin”, “123456” etc.), as well as prompting users to change the default password, not to mention improved support for security issues and a requirement for related network products to state how long they will be supported by vital security patches (firmware updates) etc.
Some of the Improved Security Protections
➤ Common or easily guessable passwords like ‘admin’ or ‘12345’ will be banned to prevent vulnerabilities and hacking.
➤ Manufacturers will have to publish contact details so bugs and issues can be reported and dealt with.
➤ Manufacturers and retailers will have to be open with consumers on the minimum time they can expect to receive important security updates.
The changes touched everything from consumer broadband routers to Smartphones, TVs, game consoles, internet-connected fridges and smart doorbells etc.
The majority of people would not have a clue how to do those things, trying to talk a person through it a few months ago was like walking through treacle. A lot of people only just about know how to input their Wifi password into their devices.
Seems a bit of a non-story, the vast majority of people will be using the ISP supplied router which will generally not need any user intervention to update.
@Dave, as JimB posted, ISP routers do seem to come with a random password these days, to log in and for Wi-Fi. But there are still some people who buy routers for various reasons and know little about them.
I seem to remember hearing that some ISP supplied routers are now restricting users’ ability to change settings – does anyone have any info on this or have I got the wrong end of the stick? I always use my own customised setup (SSID, password, IP address and DHCP setup) then if I change routers or ISP then match the settings to the previous router.
A few years ago I heard about BT supplied routers being very restricted (including separating 2.4GHz and 5GHz), although never confirmed this myself.
@Teddy, I don’t know about the latest BT routers, but the one before it was possible to separate the 2.4GHz and 5GHz as I did it for a mate and also disabled the Smart Setup as it caused problems.
This is the problem with some ISP routers, they are bloated, I liked Plusnet routers, while the hardware was the same as BT routers, the firmware was better, it had no bloat and yet was still customisable.
I don’t understand the need for all the rubbish that ISPs put into routers. Smart this, smart that.
I don’t think I’ve met a single “normal” person (i.e. non network geek) who even knows that they can change the name of their Wi-Fi, let alone touch any other router settings. As for router updates – what’s firmware?
So when you visit people’s houses the Wi-Fi is always something like SKY13876438 with a hideous untypeable (but secure!) key. I wonder if there’s even a market for “advanced” home network setups, to take everything to the next level? If so, I could be set for life doing that for people!
Not too worried about this. Most ISP supplied routers now come with a decent random password printed on a label on the underside. Also I read recently that ISPs have been publicizing the fact that customers shouldn’t switch their routers off at night as it stops OTA firmware updates from being supplied.
A shame with ‘modern practices’ soft/firmware needs constant updates and is never excellent from the get go, some people used to hate me for insisting testing always included ‘0’, 1 to infinity, and -ves, for all parameter handling testing binary, hex and ASCII/EBCDIC, to prevent ‘embarrassment’ prior to release / implementation, rather than what now always seems to be ‘modern’ (lazy/‘quick’/cheap) practices of the release of alpha/beta versions and subsequent monkey user approach to ‘continuous software development’ because we didn’t (can’t be arsed to) really get it right first time, any more, let alone scenario/storyboard use (and incorrect usages) continually adding on ‘features’ rather than just parameterising options, releasing (polluting the internet) with numerous ‘updates’ negligently making previous version usage ‘obsolete’, particularly ‘App’ releases. And since when hasn’t there been a risk of introducing yet another set of bugs, in ‘new’ versions.. Quick, cheap or quality anyone, never the Quality, fit for use (without patches ad nauseam) for a couple of years? Some Brunelian engineering please, Quality not quantity. Ditto of national communications infrastructure with standards and consistency to minimise future fragments of costly problems, ooer rework / maintenance faux pas?
The Internet is a hideously complex entity and, in my opinion, it is no wonder that the man on the Clapham omnibus cannot understand, or wants to know the vulnerabilities in its implementation. I have not had too many changes of router over the 20 or so years (since ISDN days) but I have always had to configure my own. For quite a few years, ISPs have generally reduced the burden on the end user and ‘net security, I’m sure, has improved – at least as far as the WiFi/RJ45. I have just received a new ISP configured router which would do most of the things I need but it is a ‘black box’ and does impact my (overcomplex) household networks. It ain’t flexible enough.
Previously, I have made sure I have periodically updated router firmware, especially after a known vulnerability is found. But I’m always worried that the updated firmware has bugs – another CrowdStrike perhaps – are the ISP supplied routers a problem in this manner? I don’t like remote administration either as who knows what is planted, officially or otherwise. At least with an ONT to WAN connection, it should be possible to monitor traffic – or become ‘man in the middle’!
Passwords, ISP configured or administrator ‘owned’, are another weakish point which can never be fully overcome though two stage authorisation should drastically reduce cracking.