Millions around the UK could be at risk of using routers with security flaws, a Which? investigation has found.
In December 2020, we conducted a survey of more than 6,000 UK adults, asking them which routers they're using at home. We found millions could be using devices more than five years old that are no longer being supported with firmware updates.
We sent a selection of the most commonly used old devices to security specialists, Red Maple Technologies, to find out just how secure they are, and discovered issues with more than half, from ISPs such as Virgin, Sky, TalkTalk, EE and Vodafone.
This could potentially affect up to 7.5 million Brits based on our survey.
Some of these models haven't seen an update since 2018 at the latest, and some haven't been updated since as far back as 2016, which could affect six million of these users. Without firmware and security updates, there's no guarantee that security issues will be fixed.
Routers might sit in the corner of the room collecting dust, but they're a vital part of everyday life. Especially as we now need the internet more than ever to work, shop and stay in touch with loved ones. Read on to find out if you're affected and what to do next.
We focused our research on 13 older router models that are still being used, and most of them did not meet modern security standards. The main issues were:
The routers on test weren't all bad, though. Old devices from BT and Plusnet had been recently updated and we didn't find any unfixed vulnerabilities or weak default passwords.
If you have one of the below routers, we'd recommend asking your provider for an upgrade as soon as you can.
If you're using a device that's no longer being updated, or if you've had your router for five years or more and know there are newer models available, you could try to arrange an upgrade.
How easy this is to do depends on your situation and your internet provider. When we asked, only Virgin Media said it gives free upgrades - customers with older routers can request a new one through the Connect app.
Other providers may offer you a new model at a cost - a single upfront payment. Or in the case of Sky, you can sign up for , which involves a rolling £5 monthly payment and among other benefits, will get you upgraded to the latest router.
It doesn't hurt to ask. While an internet provider is not obliged to provide you with a new router for free, if you call and explain your concerns you might get lucky, especially if your router is quite old.
If you're not able to get a free upgrade, find out what your options are to work out your best next step. In the meantime, make sure you change your default router password if you feel it's not strong enough.
When your contract expires you have a number of options - not least threatening to leave. If you want to stay with your provider, say you'll recontract with them if they provide you with a new router. If your router is old and they refuse, you should seriously consider switching.
A new contract with a new provider should afford you their latest equipment, which includes a new router. This can also save you money - in a recent survey of more than 2,000 broadband customers, 19% were likely to be out of contract and at risk of overpaying. And if you're on standard broadband, an will get you faster speeds and greater reliability.
We think it's unacceptable that customers are being left on old, unsupported kit - our research suggests that up to 2.4 million UK adults haven't had a new router in the past five years. ISPs should be far more upfront about how long routers will be receiving firmware and security updates, and they should actively upgrade customers who are at risk.
We went to the ISPs with our findings and most told us they would monitor devices for security threats, updating them if needed. However, there's no guarantee. BT Group told Which? that older routers still receive security patches if problems are found, but the EE Brightbox 2 has a security vulnerability that is still unfixed.
Aside from Virgin Media, none of the ISPs we contacted gave a clear indication of customers using their old routers. Virgin said that it didn't recognise or accept the findings of our research and that nine in 10 of its customers are using the latest Hub 3 or Hub 4 routers. However, our survey was of all those using or with devices connected to the router, rather than just the paying account holders.
Companies should also have a clear point of contact for researchers, such as Which?, to let them know of vulnerabilities so they can be fixed. Only Sky, Virgin Media and Vodafone appeared to have dedicated web pages for this.