Old Router Risks Could Affect Millions

The Investigation

The Which? investigation surveyed 6,000 UK adults and, with the help of Red Maple Technologies, looked at the security aspects of 13 models of (commonly used) old routers from companies such as Virgin, Sky, TalkTalk, EE, and Vodafone.

Could Affect Millions

It was discovered that 6 million users may have router models that have not been updated since 2018 at the latest, with some not being updated since as far back as 2016! The investigation discovered issues with more than half of all routers (of those surveyed).  This suggests that as many as 7.5 million users could using routers that have security risks.

Vulnerabilities and Risks

Which? reports that the security vulnerabilities and risks to the old (and not updated) routers include:

• Weak default passwords that can be easily guessed by hackers, meaning that the router could be accessed remotely, from anywhere in the world.
• Local network vulnerabilities which could allow a cybercriminal to take control of a user’s device, see what a person is browsing, or even direct a user to malicious websites.
• Lack of updates to the Firmware which could negatively affect a device’s performance and leave outstanding security issues.

What To Do

There are a number of measures that can be taken to ensure that a router is as secure as possible.  These measures include:

• Changing the username and password(s).  Changing the username and password of the router from the default one (printed on a label on the device) to something much more secure makes it much less vulnerable to common attacks. Using WPA2 security requires each new device to submit a password to connect anyway, but if it is not active it can be switched on through your router settings. Changing the network password (via the router settings) can also improve security.
• Keeping the router’s firmware up to date. The router control panel should enable the updating of the firmware, thereby ensuring that the router has the latest fixes and patches installed. In some cases, users may have to download new firmware from the manufacturer’s site to make the router as secure as possible.
• Changing the network name/SSID. Changing this from the default name will give would-be attackers less of an idea of the type/name of the router manufacturer, thereby making it more difficult for them.
• Stopping the Wi-Fi network name/SSID from being broadcast.  This can be achieved via the router settings, but it will mean that the user will need to manually type in the network name when connecting new devices (because it will not be visible).
• Disabling Remote Access, UPnP, and WPS. Using the router settings to turn off features like remote access, Universal Plug and Play (usually for easy games console and smart TV access) and Wi-Fi Protected Setup (WPS – for easy connection of new devices) may sacrifice some convenience but will also make the router more secure.
• Using a guest network. This enables you to give access to a Wi-Fi connection without giving access to the rest of the network.
• Enabling the router’s firewall. This will filter data and block unauthorised access.
• Plugging other ways in through your devices and programs. This involves keeping security on devices and their programs/apps up to date and patched : use strong passwords, use security software, and disable any devices that do not need access to Wi-Fi.
• Asking your service provider for a router upgrade. Which? recommends that users with certain routers ask their provider for an upgrade as soon possible. Some providers offer free upgrades (Virgin Media), others may require a one-off payment to cover a new router or, as with Sky, an extra £5 monthly payment (Broadband Boost) ensures the latest router upgrades.
• Considering the cost/benefit of moving to a new provider. Switching, in some cases, could be a way to get a new, up-to-date, and more secure router, and improve the broadband speed and service.

What Does This Mean For Your Business?

If you have an old router with old firmware, you could have a weak link in your cyber-security.  If that old router links to IoT devices, these could also be at risk because of the router.  Taking a close look at your router, its settings and getting to grips with firmware updates, the firewall, and what information about your router may be visible to would-be attackers could be important steps in improving router security.

Also, router manufacturers could take more responsibility for reducing the risks to business and home router users by taking steps such as disabling the internet until a user goes through a set up on the device which could include changing the password to a unique one. 

Vendors and ISPs could also contribute to improved router security for all by having an active upgrade policy for out-of-date, vulnerable firmware, and by making sure that patches and upgrades are sent out quickly.

ISPs could do more to educate and to provide guidance on firmware updates (e.g. with email bulletins).  Some tech commentators have also suggested using a tiered system where advanced users who want more control of their set-up can have the option, but everyone else gets updates rolled out automatically.

For Northamptonshire based IT support or advice, please call your local MSP, Paradise Computing, on 01604 655900 or send us a message using our online contact form.