Millions of UK households vulnerable to hacking through older broadband routers

Without firmware and security updates, there's no guarantee that security issues will be fixed, says consumer group Which?

Nearly 7.5 million people in Britain are vulnerable to security flaws in older router models, consumer group Which? has warned.

The organisation conducted a survey of more than 6,000 UK adults in December 2020, asking them which routers they were using at home.

"We found millions could be using devices over five years old, that are no longer being supported with firmware updates," Which? said.

In the study, it tested 13 router models provided to customers by ISPs, including Virgin Media, TalkTalk, EE, and Sky, and found that more than two-thirds included flaws that could enable hackers to access the network.

"Without firmware and security updates, there's no guarantee that security issues will be fixed," the organisation said.

About six million people could be using devices that have not been updated since 2018 or earlier, Which? estimates.

The devices affected by lack of updates included Virgin Media Super Hub, Virgin Media Super Hub 2, Sky SR101, Sky SR102, TalkTalk HG523a, TalkTalk HG533 and TalkTalk HG635.

Several devices were found to have weak default passwords, potentially enabling hackers to spy on users as they browse online.

The devices that contained weak passwords included TalkTalk HG635, TalkTalk HG523a, TalkTalk HG533, Virgin Media Super Hub 2, Vodafone HHG2500, Sky SR101 and Sky SR102.

Out of 13 models tested for flaws, nine failed to meet requirements proposed as part of the government plans to improve laws around connected devices.

Which? says that routers from TalkTalk, EE, Sky, Vodafone and Virgin Media were among those affected by security weaknesses.

However, not all ageing routers were equally vulnerable. Old devices from BT and Plusnet were found to have received security updates recently, no unfixed flaws or weak default passwords were found on those devices.

In response to the study, Virgin Media rejected the findings of the study and said that nine out of ten of its customers were using its latest router models.

BT Group, which also owns EE, said that most of its customers use its latest modem and that the company constantly monitors "all our routers" for potential security threats and provides security updates when needed.

TalkTalk said that a very small proportion of the affected devices were being used by customers and users can "change their passwords easily at any time".

Vodafone said that one of the devices named in the study has not been supplied since August 2019, and the other "will continue to receive firmware and security updates as long as the device remains on an active customer subscription."