Consumer org Which? reckons more than two million Britons are connected to the internet through routers that were last updated in 2016.
This eye-catching finding came from a Which? survey launched today, seemingly criticising UK ISPs for not complying with a proposed law whose first draft hasn't been introduced to Parliament. The proposal in question is Secure by Design, where the Department for Culture, Media and Sport (DCMS) will be asking phone, tablet, and IoT gadget makers to state when they'll stop providing security updates for new devices entering the market.
Pre-legislative oddities aside, there was a useful point in the survey of 6,000 UK adults carried out in December 2020: six million Britons are using routers that last received security patches in 2018, while 2.4 million of that number are using boxes that might not have been updated for five years.
Which? did not elaborate on these findings but did assert that several models still in use today contain unpatched vulnerabilities. Of 13 old routers examined, nine had flaws. These included weak default passwords, no recent firmware updates, and a "network vulnerability issue" with EE's Brightbox 2 router.
"Consumers with routers that are five years old or more should ask their provider if the device is still supported with security updates and if it is not they should ask for an upgrade," said Which? in a prepared statement.
ISP-branded routers are typically white-label devices sourced from China; both Huawei and ZTE have supplied such kit to UK ISPs in the recent past.
Which? published a list of affected devices that it suggested were insecure, most notably including the Huawei-made TalkTalk HG533 model: first issued in 2013, dangerously insecure by 2019, and unquestionably obsolete by 2021.
As we reported two years ago, Huawei was warned in 2013 of a vulnerability in the internet access device, claimed it was fixed in 2014 without actually fixing it, then sat around doing nothing until the same vuln was rediscovered in 2017 by security researchers. Which? said the HG533 was vulnerable to "weak passwords" and a "lack of updates", neither of which is the same as the UPnP vuln Huawei previously ignored.
Our customers are secure – oh aye?
Virgin Media seemingly told Which? to stuff off when its researchers came wagging their fingers disapprovingly, according to the consumer rights org: "Aside from Virgin Media, none of the ISPs Which? contacted gave a clear indication of the number of customers using their old routers. Virgin said that it did not recognise or accept the findings of the Which? research and that nine in 10 of its customers are using the latest Hub 3 or Hub 4 routers."
Which? said its survey had asked about routers in use within a household, not only routers used by currently subscribing customers. On the flip side, BT and Plusnet got a pat on the head from Which? for passing all of its security tests: no easily guessed default passwords, firmware updates still available, and no local network vulns.
An EE spokesperson told The Register: "As detailed in the report, this is a very low risk vulnerability for the small number of our customers who still use the EE Brightbox 2. As is the case for all home broadband customers, regardless of their provider, it is recommended they only give network access to people they trust, and they should be suspicious of any unsolicited emails and web pages. We would like to reassure EE Brightbox 2 customers that we are working on a service patch which we will be pushing out to affected devices in an upcoming background update."
So that's alright then. EE's owner, BT, said: "We want to reassure customers that all our routers are constantly monitored for possible security threats and updated when needed. These updates happen automatically so customers have nothing to worry about. If a customer has any issues, they should contact us directly and we will be happy to help."
Reusing old routers as part of a household mesh network or Wi-Fi signal extender is pretty commonplace. Provided the device still functions, it seems likely that many Brits haven't given a second thought to whether or not they're still secure. After all, these are internet-connected devices just like a laptop or mobile phone.
"The legislation is not yet in force and so the ISPs aren't currently breaking any laws or regulations," said Which?, in much the same way as Apple might write: "Our press office loves El Reg and really enjoys talking to you guys!" ®