Routers have become essential in billions of homes. But how often do you think about their security?

After plugging in a home router, most people don’t give it much second thought until it breaks down or the WiFi doesn’t work anymore for some reason. However, in a world where our devices are becoming increasingly connected with each other and where more of us are working from home, even seemingly benign WiFi routers could pose important security threats. According to a recent assessment by consumer watchdog Which?, it’s estimated that about six million people have not updated their router since 2018 or earlier — and that’s just in the UK.

Woefully ill-prepared

According to security experts, your typical home router is woefully ill-prepared in the face of a cyberattack. Most home routers have weak default passwords, lack critical firmware updates, and feature network vulnerabilities such as those involving EE’s Brightbox 2 (this could give a hacker complete control over the device).

The cybersecurity researchers examined 13 router models provided by EE, Sky, and Virgin Media. Two-thirds of these devices were found to be flawed, including the Sky SR101 and SR102; Virgin Media Super Hub and Super Hub 2; and the TalkTalk HG635, HG523a, and HG533.

The only routers that passed all security tests were those from BT, including the Home Hub 3B, 4A and 5B, and Plusnet’s Hub Zero 270N. However, BT had a critical vulnerability in its Brightbox 2 router supplied by EE, which is part of BT Group.

Fortunately, modern spectrum compatible routers have device-specific default passwords and automatically perform firmware updates. However, older models will suffer from the problems identified in this raport.

BT Group, Virgin Media, and TalkTalk denied the validity of the findings each claiming that old and outdated routers comprise only a small fraction of their userbase. However, other security research groups came to similar conclusions in the past.

“We have been trying to convince one of the ISPs in question to fix a critical security flaw that allows several million of their customer routers to be remotely hijacked and gain access to home networks,” Pen Test Partners security consultant Ken Munro told the BBC.

“We reported the issue over a year ago – but they have procrastinated multiple times.”

Around 7.5 million internet users in the UK were affected by the vulnerabilities, with no updates since 2018 and even 2016 in some cases, the report found. Six million British households used outdated equipment provided by the internet providers, the authors added.

“Internet service providers should be much clearer about how many customers are using outdated routers and encourage people to upgrade devices that pose security risks,” said Which? computing editor Kate Bevan.

In order to solve this problem, a topdown approach may prove the best. Most broadband consumers are not particularly tech-savvy, which is why the responsibility for ensuring their devices are secure must fall on the internet provider.

The UK government is currently drafting legislation that will broadly regulate smart devices, but which will also include rules such as banning default passwords from being preset on devices and requiring manufacturers to inform consumers of how long their devices will receive security software updates. Although the study focused on the UK alone, it’s hard to believe that other countries would fare much better.