Internet users could be at risk of hacking attacks due to using outdated routers from their broadband providers that have security flaws, according to the consumer campaign group Which?. Which? tested 13 old router models and found nine of them had flaws that would likely see them fail to meet requirements proposed in upcoming UK Government laws to tackle the security of connected devices. The legislation is not yet in force and so ISPs aren’t breaking any laws or regulations.
The consumer advice group’s lab testing identified a range of issues with the routers. These security risks could potentially affect around 7.5 million people, based on the number of respondents who said they were using these router models in a Which? survey. Typical problems uncovered by the lab tests on the old router models that failed were weak default passwords, which could allow a cyber criminal to hack the router and access it from anywhere; and a lack of firmware updates.
Kate Bevan, Which? Computing editor, said: “Given our increased reliance on our internet connections during the pandemic, it is worrying that so many people are still using out-of-date routers that could be exploited by criminals. Internet service providers should be much clearer about how many customers are using outdated routers and encourage people to upgrade devices that pose security risks.
“Proposed new government laws to tackle devices with poor security can’t come soon enough – and must be backed by strong enforcement.”
Comments
David Cummins, VP of EMEA at Tenable, said: “The fact that six million people have not updated their router in three years is not really a huge surprise. We’re a plug-and-play society that does not consider the need for security updates, nor how technology receives those updates. These routers are built to enable functionality first, but the fact that so many are affected by flaws and security issues is a concern. Most people have wifi at home and, with organisations allowing employees to work from home for the last year, these routers extend the corporate threat landscape.
“The proposed security legislation from the UK Government will go some way to make ISPs more responsible for providing regular updates to patch vulnerable routers. In the meantime, consumers need to recognise the cyber risks home routers pose, and check with their ISP if their device needs to be updated or upgraded. For organisations with employees accessing corporate networks, services and data from home, steps should be taken to address the risk.”
Nigel Thompson, VP Product Marketing at BlackBerry described the IoT (Internet of Things) as a misunderstood risk among home workers. “Just one poorly secured device becomes a doorway to entire networks, threatening safety, privacy and data.
“The lack of visibility into employee devices during WFH concerns IT teams, according to new research released yesterday by BlackBerry. More than 80 per cent consider it “highly important” to improve this, as home wireless networks, modems, routers, printers and other devices typically tend to lack the same level of protection as components on a corporate network, and are therefore more vulnerable to attack and exploitation. If an employee’s home network is not secure, no device connected to it is safe. Cyber criminals know this, and are already exploiting it.
“With 82pc of company leaders planning to allow employees to work remotely some of the time, according to BlackBerry’s survey, a long-term solution to securing home workers must be found. The imperative lies with us all: ISPs must secure and update their devices continually, IT managers must implement technologies that can help consolidate and centrally manage endpoint and mobile device security in a unified manner, and employees must recognise the value of multi-factor authentication – which three in four enterprise risk managers plan to invest more in this year – plus strong passwords and an attitude of zero-trust. With this triple-layered protection, organisations needn’t see the humble router as a critical threat to data.”
