Millions of households could be at risk of cyber-attack because they’re running outdated and unpatched routers, a new investigation has found.
Unprotected routers are an increasingly popular target for attackers, theoretically enabling them to hijack smart home devices and eavesdrop on communications and web browsing.
Consumer rights group Which surveyed more than 6000 UK adults back in December to find out which router models they were using.
Extrapolating this data, it calculated that as many as 7.5 million households may be running routers with security issues.
After selecting some of the most common devices, it enlisted the help of Red Maple Technologies to test them, and discovered issues with more than half, from ISPs including Virgin, Sky, TalkTalk, EE and Vodafone.
One of the most common issues was a lack of firmware updates, leaving the devices potentially exposed to exploitation. Which claimed most of the models it tested hadn’t been updated since 2018, and some since 2016 — affecting an estimated six million users.
Another problem was weak default passwords that are easy to guess, potentially allowing remote attackers to hijack devices.
The researchers also discovered local network vulnerabilities, although these require an attacker to be within Wi-Fi range to exploit.
Which said not all old routers are inherently insecure, as long as they don’t allow weak default passwords and do receive regular firmware updates. However, it urged consumers to check and change any weak passwords and to request a new model if theirs is no longer receiving updates.
Tripwire VP of product management and strategy, Tim Erlin, argued that most modern connected devices will automatically update.
“The situation with updating connected devices in consumers’ homes has changed fairly dramatically and rapidly. It wasn’t long ago that the idea of a device automatically updating without the user’s knowledge was considered problematic, whereas now it’s a basic expectation,” he added.
“That rapid shift has left a sizable security gap in terms of deployed devices that don’t auto-update. Unfortunately, it’s likely that gap won’t be closed until those devices are simply replaced.”