
A new survey of 3,242 UK internet users, which was conducted on behalf of Broadband Genie and supported by McAfee’s cybersecurity researchers (including threat intelligence data), has claimed that millions of people could be leaving their home networks open to hackers because 47% fail to change ANY of their router’s default settings.
The survey also found that 69% of respondents had never changed their WiFi password, while more than 80% have left both their router name and admin credentials at their factory defaults. Older users (65+) were also said to be most at risk, with 62% saying they’ve never changed their router’s settings. Younger users are more engaged: among 18-24 year olds, only 29% said they had never accessed their router.
According to the survey, this is said to equate to around 12.7 million vulnerable home routers across the UK. When asked the main reason why users haven’t changed their router’s default settings, the overwhelming majority (73%) stated that they didn’t understand why they would need to (down from 75% last year), followed by 22% not knowing how to. The latter is a bit surprising, as most routers include clear instructions for doing this and often recommend it as part of the setup routine.
Oliver Devane, Senior Security Researcher at McAfee, said:
“Many default settings can be dangerous in the hands of cybercriminals. Your router is the gateway to all the connected devices in your home, so it’s key to make sure it’s secure, and that means updating the settings as well as employing best practices.
Just like changing the lock on your front door, changing the default router password will ensure only authorised people can access your home network.”
However, while the above is correct, it’s still always wise to take opinion surveys like this with a sizeable pinch of salt. Part of the reason for that, in this case, is that most broadband routers are supplied to homes by ISPs and tend to come with a randomly generated router password (some of these can be quite strong, but not always – experiences do vary).
In the past some routers (quite a few years ago now) were, sadly, supplied with easy to guess universal passwords. But that hasn’t been the norm for a while now, and the government’s recent Secure by Design rules have since technically banned easily guessable passwords like ‘admin’ or ‘12345’ from shipping with newer devices.
However, the fact that your router is often the single most important device in your home network for security should be incentive enough to ensure that you’ve set a strong password and not simply used the one supplied by your ISP, which may or may not be effective. The safest rule is to never assume it’s going to be secure out of the box.
12345? That’s amazing, I have the same combination on my luggage!
Someone’s watched Spaceballs obviously……LOL
I and I guess most contributors on these pages probably have a customised setup on their routers anyway. It’s a lot easier when installing a new router to make it match the previous router’s settings (SSID/Password, IP address DHCP range and admin password) than re-pair every device on the network.
Agreed, I have known people to do this.
I will say if you log in to the Vodafone router it will nag you to change the credentials on both the wifi and the admin login. However that relies on you logging in though.
Admittedly this is where Eero is winning because there’s no GUI and it is all controlled via an app and makes it far easier to change wifi password/SSID etc.
Issue is a lot of ISPs don’t change up routers for newer ones with app support….
My password is something like this 6I!v0xdd^@1A&R. Try guessing something like that 🙂
Wi-Fi password is a bit easier, but I doubt anyone would park outside these days just to use my Wi-fi and anyone I see parked outside for any length of time I would go and ask them what they want. Next door neighbours both have broadband, and they don’t have the skills to find my Wi-fi password.
That reminds me of an XKCD cartoon 🙂
https://xkcd.com/936/
You would go and ask someone why they are parked outside? Do you own the road?
I don’t use any password. I set up my own RADIUS server and have my AP authenticate using that. Could break in still if they wanted but would be a little more difficult after being presented with user+pass+cert. Overkill? yes. am I a homelab nerd? yes. did I get out much as a kid? nope.
Joking aside – it is a problem though if people don’t set strong passwords.
My Netflix got hacked the other day – the one service I don’t need to touch for account as it always stays logged in. Forgot to change its email. Someone who could read Spanish and liked gangsta movies definitely enjoyed their 4K for a bit before it was revoked by Netflix.
According to security.org’s password strength checker:
6I!v0xdd^@1A&R would take 200,000,000 years to crack
“correct horse battery staple” would take 15 octillion years to crack, as would “this password is uncrackable” (couldn’t resist it! 😉)
My actual (32-char) KeePass password would take 2 quattuordecillion years to crack
I think I’d go with xkcd’s time to crack rather than security.org’s though, given the methodology.
@PoweredByVeg, yep, I do own the road. LOL
To park outside my place, they would have to park outside my drive.
@Peter Lewis, that is interesting.
@Ad47uk
They don’t need to park outside your house, They could park a few doors down or further, wi-fi can travel a fair distance especially if you have a high gain antenna.
I can open my phone now and access about 15 Wi-Fi networks from neighbouring properties and I could fire up Tails OS right now if I wanted to and try to gain access to any of them from the comfort of my own home.
@Mark, the majority of people around here have drives, so again they would have to park outside a driveway, my Wi-Fi, fades out just after my next door neighbour, I know that because I listen to music on headphones when I go out walking and my phone beeps when it changes from home network to mobile network.
I can get about 5 networks that could be used with my phone from my studio, which is upstairs at the front of the house. There are others, but there is something called direct Roku, Direct HP, which I presume is my next door neighbour and others that belong to the same routers, just different SSID.
So the chance of anyone getting close enough is pretty slim.
You may be able to see 15 and may be able to fire up Tails OS, but have you got the knowledge to use them? I don’t. I do know someone who has the knowledge, not that it is easy these days and with WPA3, it will be more difficult, the problem is, many people will not use WPA3, because of older devices. My router is set to WPA3 and WPA2.
Amazed the figures aren’t even higher. In my years of roaming around and connecting to various friends, family, and small business Wi-Fi networks, 97% of them are still called “SKY9876SJKHG” or equivalent, with random untypeable passwords/keys – vaguely secure, but annoying! I think most people aren’t even aware that they /can/ be changed. And I’ve yet to find a ‘default’ Wi-Fi system that supports WPA3, for example, even though it’s been the standard for a few years now. Most still allow ancient protocols like the original WPA.
I would offer to ‘help’ and upgrade people’s networks, but I rarely do unless asked, as I don’t want to go in and randomly break everything. Easier on a brand new installation, rather than an existing one full of dodgy IoT junk that will need reconfiguring!
I’m struggling to understand the problem here. It’s not 2005, there aren’t any routers that come with standard default settings anymore, and I would hope we’ve moved past even algorithmically generated SSIDs and passwords in favour of those generated by PRNGs. In much the same way as your front door already won’t have the same key as anyone else in your street, even if the lock is made by the same company.
The PSTI and its EU counterpart have driven those standards up even further.
If anything an ISP supplied router has stronger settings than those that the average customer would prefer to use, because given the choice they’d make it “password” (or password1 if they’re serious on security). Or they use settings from a previous router that might not be as good as their new one. Some ISPs have paid attention to a bit of physical security too. I note the new EE routers have flipped those pull out cards around so you can’t see anything from the outside, eg if the router is placed near a window.
Just feels like another example of a “security researcher” trying to make a name for themselves.
It’s still an issue, yes it’s more difficult because it’s not a default but the ISPs don’t vary in length and usually only use alphanumeric characters so if I was trying to gain access to a certain network I would just target say 8 character alphanumeric combinations
Instead of an ISP supplying security details on the back of a router with a card, perhaps they could email or text them. Should always change the default info, regardless of which way it’s received in any case.
You should always change or better still just supply your own equipment but at least it’s safer than it used to be with all devices by a certain manufacturer having the same credentials or in the early days of wifi when by default security was disabled.
But the issue isn’t just a user problem. I’ve come back home many a time and seen that the router had reset to default settings.
I simply cannot be bothered to change the password for every device in my house every time this happens.
It’s possible the router may be faulty, contact your ISP, explaining the issue, and ask for a replacement.
If it keeps doing that, then there must be a problem with the router, even if your provider updates it, the router should not go back to default settings. Get in touch with your provider.
Sorry, but is this really a security issue? In fact I do the opposite, so my SSID and WiFi passwords are the ones supplied with my original BT router goodness knows how long ago.
It can be a security issue, if someone gets into your router, and also if someone decided to use your Wi-Fi to do whatever they wanted. The chances of it happening are pretty slim for most people, but it can and has.
Standard router firewall settings are also a problem since they usually default to allow all services/port#s out which enables data collection beyond the usual tech bros on http/s.
Default nothing, anything enabled explicitly is still a baseline hardening.
Obviously just a foundation but you’re either in control, or you’re not..
Nobody needs to type a strong WiFi password if they use a password manager. Set the strong password in the password manager then use copy/paste from each device. For devices that don’t have your password manager you may be able to use a QR code. Both Android and iOS have support for QR codes to join WiFi networks. There are free websites that can generate these or a Python package (wifi-qrcode-generator) if you want something offline.
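
Added example, not part of the original article or comments and not the wifi-qrcode-generator package's code: a Python sketch of the workflow in the last comment. It generates a random WPA passphrase for a password manager, estimates its entropy next to an 8-character alphanumeric default, and builds the `WIFI:` text payload that phone cameras read from a join-network QR code (any QR encoder can render that string). The alphabet, function names and sample SSID are assumptions made for this example.

```python
import math
import secrets
import string

# Assumed alphabet for this example: 75 printable ASCII symbols.
ALPHABET = string.ascii_letters + string.digits + "!#$%&*+-=?@^_"


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a uniformly random string: length * log2(alphabet size)."""
    return length * math.log2(alphabet_size)


def generate_passphrase(length: int = 24) -> str:
    """Random passphrase from the OS CSPRNG, within the WPA 8..63 limit."""
    if not 8 <= length <= 63:
        raise ValueError("WPA passphrases must be 8 to 63 characters")
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def escape_field(value: str) -> str:
    """Backslash-escape characters that are special in a WIFI: payload."""
    return "".join("\\" + ch if ch in '\\;,:"' else ch for ch in value)


def wifi_qr_payload(ssid: str, passphrase: str, auth: str = "WPA") -> str:
    """Build the text a phone expects inside a Wi-Fi QR code."""
    return (
        f"WIFI:T:{auth};S:{escape_field(ssid)};"
        f"P:{escape_field(passphrase)};;"
    )


if __name__ == "__main__":
    ssid = "ExampleHome"  # constructed sample SSID
    passphrase = generate_passphrase()
    # 8 random alphanumeric characters versus the generated 24-character one.
    print(f"8-char alphanumeric default: {entropy_bits(8, 62):.1f} bits")
    print(f"24-char generated: {entropy_bits(24, len(ALPHABET)):.1f} bits")
    # Feed this string to a QR encoder and store the passphrase in the manager.
    print(wifi_qr_payload(ssid, passphrase))
```

The entropy figures only hold for passwords chosen uniformly at random, which is why the passphrase comes from `secrets` rather than from a person.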