back to article Which? warns that more than 2 million Brits are on old and insecure routers – wagging a finger at Huawei-made kit

Consumer org Which? reckons more than two million Britons are connected to the internet through routers that were last updated in 2016. This eye-catching finding came from a Which? survey launched today, seemingly criticising UK ISPs for not complying with a proposed law whose first draft hasn't been introduced to Parliament. …

  1. IGotOut Silver badge

    Boiler plate response.

    Got compromised router due to our lack of updating?

    Beware of dodgy emails!

  2. Version 1.0 Silver badge

    So this means?

    ... more junk being recycled and more sales if the manufacturers decide, or find out, that the device can't up upgraded ... a law that will make the manufacturers more money. Routers will be designed and sold to work for 10 years and then when a bug is found in two years time they will say sorry, it can't be fixed, you need to "upgrade" to a new router.

    1. Anonymous Coward
      Anonymous Coward

      Re: So this means?

      Plus there are in my view at least two types of problems. Problem one is if a bad actor from the "internet" can access my LAN. Then I'm in trouble.

      Type 2 are things which can cause problems, like not enforcing strong passwords or allowing people on my LAN to do naughty things.

      Type 1 problems need to be fixed but on the other hand are relatively rare.... none of my outdated ADSL routers have issues like this reported with them.

      Type 2 are often not such big issues but are a lot more common. Not enforcing strong passwords can be solved by err, using a strong password, for example.

      1. Missing Semicolon Silver badge

        Re: So this means?

        Most people do not change the password on their router. The norm nowadays is to have a "secure" password printed on the bottom of the box - which is at least unique to each box.

        Type 2 (LAN-facing) vulnerabilities are exploitable by evil JavaScript delivered on a web page, whether deliberately, or by a web server being hacked, or (usually) via Malvatising.

        So Type-2 is only slightly less important than Type 1.

      2. Anonymous Coward
        Anonymous Coward

        Re: So this means?

        Type 1 issues that exist but have not been reported? You are right that type 2 is the far more common problem.

    2. LDS Silver badge

      Branded routers are usually worse

      The problem with white-label rebranded routers is that their modified firmware - maybe just to add company logos and colours - but often to block some features - night not be updated with stock firmwares for the same models - even if available. Sometimes is possible, sometimes it's not but attempting specific "hacks" that many users may not be able to perform.

      Here the comms regulator issued a year and a half ago a ruling that ISP can't mandate the use of their modem/routers - nor can force the customers to buy/rent them. Users must always be able to use their own, and all required configurations must be provided to the users.

      ISPs tried to neuter the regulation but failed - although they still try some dirty tricks with user not getting their modem/routers - let's when they get fined.

      Still, being able to use commercial modem/routers means you can install any available update - and you can also select brands/models who keep firmware updated.

      1. Binraider Bronze badge

        Re: Branded routers are usually worse

        Curious. Where does Virgin stand on this - you can put the router into dumb modem mode to use your own, but can you actually replace the modem?

        1. Falmari Silver badge

          Re: Branded routers are usually worse

          Maybe you could in the past but not so sure today. Today's Virgin Tivo boxes not only connect to the TV cable but they also have to be connected to the router either Ethernet or wireless.

          Without the Virgin router would your TV work?

  3. thondwe

    Catch 22

    So the provider router sucks, but we won't support you if you switch router*!

    *The better ISPs don't do this! Mine (Aquiss) doesn't even provide a router - so am happily left to my own devices (groan!)

    1. Aristotles slow and dimwitted horse Silver badge

      Re: Catch 22

      I have to say I found he article a bit TLDR, not necessarily with the El Reg reporting of it, but I find Which to be a bit of a scaremonger that is quite happy to take " minor risks" and present them as "critical issues" as long as it gets them some publicity.

      However, where did you read this about lack of support if you switch routers? I have had a VM router in my house in one form or another for the last 8 years and they have never raised any form of issue with my having it in modem only mode and connected upstream from my 3rd party router.

      1. thondwe

        Re: Catch 22

        I had it from my previous ISP - not one of the "big players" - am not saying you can't do it (I did but had to fake the MAC address!) - it's just they sulk if you ring up when the line has problems?

        Anyone skilled enough to want to swap routers, is unlikely to bother ISP support's call centre (have you switched it off/on again)!

      2. Falmari Silver badge

        Re: Catch 22

        VM do not have a problem with modem only mode. I been with the same ISP (through the various incarnations to VM) since dial-up days and have always had my own router.

        I have spoken to tech support on occasion they never have a problem when I tell them I use my own router.

        I have had my VM router replaced for newer versions over the years and the engineer just plugs my router into the VM one.

      3. Annihilator Silver badge

        Re: Catch 22

        Sky are one of the worst culprits.

    2. Roland6 Silver badge

      Re: Catch 22

      Not being a Which subscriber and so not able to access the full report, from what has been reported (eg. BBC News) it does seem Which has gone off half-cocked on this.

      There are a number of problems it seems Which fails to unravel.

      Firstly, we have the router itself, in the main the support and update issue is down to the ISP and their agreement with the relevant OEM. So provided the ISP keeps paying the router will/should be supported and getting updates. The only potential benefit here is for the government to insist that routers are supported for a minimum period - say 10 years.

      Secondly, we have the issue that ISP's don't generally update the routers of existing customers to new models - I've had problems with my EE Brightbox 2, EE's solution has been to send me a replacement Brightbox 2 and not their new router which they send out to new subscribers.

      Thirdly, we have the issue (already pointed out in Elreg comments) that with ISPs insisting residential customers use their router, there is little Joe Public users can do if the ISP supplied router is not fit for purpose.

      Perhaps the government should legislate giving ISP's 90 days to fix vulnerabilities reported to them (clock starts when vulnerability reported to a trusted third-party clearing house eg. Ofcom) after which after which the service contract becomes void and the ISP either has to provide a new more secure router or pay customers ISP switching costs. Also all ISP's contribute to a bug bounty pot (administered by a trusted third-party...).

      1. martinusher Silver badge

        Re: Catch 22

        What's also not mentioned is that the domestic edge router isn't connected to the Internet, its connected to a port on a ISP's router. The ISP should be the primary firewall for attempts to compromise its customers' kit. I rather suspect it doesn't, I feel that my ISP, for example, has few technical smarts, its primairly a billing and sales organiztion with technical support limited to 'turni it off and on again' and the like.

        (Of course, it doesn't help that my router (a Sagecomm) has an annoying habit of resetting its admin password to the default.)

  4. Anonymous Coward
    Anonymous Coward

    Huawei

    Given how much the government is vilifying Huawei, do we think they would really be pushing ISPs to bring in a new patch from them?

    1. El blissett

      Re: Huawei

      Nothing nefarious about Huawei's kit or practices. Just that in a reverse of a recent Line of Duty finale, the world + dog would rather believe it's a red conspiracy rather than utter incompetence and laziness on the part of Huawei.

      My isp just replaced my Huawei router and all the connection drop-outs and random packet-caused resets have vanished. I feel bad for all the times they called out Openreach when it was a PEBCAK.

      1. Yet Another Anonymous coward Silver badge

        Re: Huawei

        But it's not Huawei that are installing these routers, it's British ISPs.

        So obviously the British ISPs are under the control of the Chinese Peoples Army. It's obvious to anyone who has tried to deal with them that they aren't hyper efficient free market capitalists.

        Plus Branson has a beard so is obviously a communist and probably controlled by Corbyn (must stop reading Daily Mail)

  5. iron Silver badge

    I suspect this survey of 6,000 UK adults had 5,999 responses of "what's a router?" and 1 response of "hahahaha I don't use ISP supplied kit."

    1. ITMA

      Or more like 5000 went to their sheds to check if their bench mounted Black & Decker router was vulnerable...

      (Checking the manual)

      RPM - check

      Took changing - check

      Nope. Nothing about default password.

      (Neighbour)

      Mine is secure! It's a Makita!

      LOL!

  6. Mike 125

    Tech is slowly taking control.. because we let it.

    The average 'home router' is modem + firewall + router.

    One major risk is following instructions that come with your shiny new IoT garbage to configure port forwarding.

    Here's a suggestion to ISPs: supply non-configurable routers.

    In one easy step, we make people safer... and sadly, dumber.

    1. Roland6 Silver badge

      Re: Tech is slowly taking control.. because we let it.

      One major risk is following instructions that come with your shiny new IoT garbage to configure port forwarding.

      The average home user just plugs their router in, for them upnp does the necessary port opening, albeit with all of its security vulnerabilities.

      1. Yet Another Anonymous coward Silver badge

        Re: Tech is slowly taking control.. because we let it.

        No it's the internet that's the problem. Have the router connect to your ISPs website and that's all it can connect to.

        Chat with all your friends on BT and death to the TalkTalk infidels

    2. doublelayer Silver badge

      Re: Tech is slowly taking control.. because we let it.

      "Here's a suggestion to ISPs: supply non-configurable routers."

      They already do that. It doesn't fix anything, but it does have the extra feature of making me sad when I see it. For example, the one supplied to my parents wouldn't let me change the DNS servers to a pihole, or set firewall rules, or actually do very much at all. Fortunately, the advanced section (three options) contained the UPNP off setting, so it wasn't a total loss. I could have turned off its WiFi and used a downstream router (fortunately it doesn't redirect DNS queries) but that would have been another possible point of failure that I couldn't easily fix since I don't live nearby.

      1. katrinab Silver badge
        Meh

        Re: Tech is slowly taking control.. because we let it.

        The Plusnet one doesn't let you change DNS servers either. But it does let you turn off DHCP, so you can configure DHCP on your Pi Hole and ignore the DNS settings on the router.

    3. Doctor Syntax Silver badge

      Re: Tech is slowly taking control.. because we let it.

      "Here's a suggestion to ISPs: supply non-configurable routers."

      I'm not happy with that idea. My ISP in effect did that. They "upgraded" remotely and took away my ability to run admin level. They've frozen me out of being able to make changes to the DHCP settings I had in place. I suppose the best thing would be to replace it but then it's a matter of finding smething that's neither a load of cack nor over-priced. In my case overpriced would include paying for an included wireless access point as the location of the master socket isn't the best place to get a good signal out.

  7. Flywheel Silver badge
    WTF?

    Dumb and Dumber

    EE: ..a very low risk vulnerability for the small number of our customers who still use the EE Brightbox 2. ... it is recommended they only give network access to people they trust, and they should be suspicious of any unsolicited emails and web pages

    RU Serious EE? How many people, especially those that are happy to have dodgy Chinese boxes foisted on them could honestly say that they could recognise phishing emails or malicious web pages? That's an unbelievable statement by what claims to be a responsible provider!!!

  8. John H Woods Silver badge

    New PlusNet router

    Thought I would use the same WiFi SSID and pwd, only to be told that many of the characters I use, backslash, curly brackets, quotes, etc (IIRC) are "not permitted." I've solved the issue by reusing my BT HomeHub router but I should imagine plenty of us here immediately think "hold on, how the hell are you storing this password?" when told that certain characters cannot be used.

    1. Robert Carnegie Silver badge

      Re: New PlusNet router

      I use alphanumeric symbols in passwords ... that's OK as long as you use enough. I think I recall that you can use an arbitrary length English characters phrase for wifi security and it gets hashed. So you could use this paragraph. Not now, of course.

      If a service insists that funny characters ARE added, then I reach for fullstop . or exclamation !

      After an upgrade to an e-mail service I use, I was notified that while my password remained the same, now I must type it lower case. Hmm.

  9. Brian Miller

    Is all data equal?

    "and your data porn's flowing through these"

    Based on what people actually visit on the web, the idea that a home firewall/router is out of date is not exactly an existential threat to much. Yes, somebody could hack it to mine Bitcoins. Someone could hack it to execute a DDOS attack. Etcetera.

    Now, as for your data being "at risk" from dodgy router software, I'm absolutely sure that the larger security vulnerability for your data is the malware already on your computer, the malware already on the server you are accessing, and the APIs and data that have been left open to world+dog by developers who haven't mastered copy-and-paste from StackExchange, and of course that you've used the same password for, like, just ever, and it's been published at least 47 times from different dumps from said server data.

    And you want to blame the poor router in the corner, blinking its lights in that lonely, forlorn pattern. (Yes, a pattern...)

    1. DevOpsTimothyC Bronze badge
      Trollface

      Re: Is all data equal?

      The pattern is a speed up ... --- ...

  10. Pascal Monett Silver badge
    Stop

    "white-label devices sourced from China"

    Meaning, UK ISPs dictating what kit they are willing to pay for happens to be made in China.

    I'm not sure Huawei is the issue here. To me, the issue is UK ISPs that did not put the money on the table to get secure kit. If that had been in the specs, Huawei or not, the Chinese would have had to deliver.

    1. Doctor Syntax Silver badge

      Re: "white-label devices sourced from China"

      That does assume there is such a thing as secure kit as opposed to the choice of kit whose insecurities have been discovered and kit whose insecurities remain unknown. Yes, I'm feeling pessimistic today.

  11. Anonymous Coward
    Anonymous Coward

    I replaced my LAN cables with string

    And put a Faraday cage around my cat

    I’m safe, right?

  12. Lee D Silver badge

    I've always binned the ISP router immediately, and then put in one of my own. There are literal standards for this, and any router of the supported ADSL/VDSL etc. standard is better than whatever junk they give you and then never update (and I'll update on MY schedule, thanks, not yours).

    But to be honest, it's almost always easier to double-insulate and have a modem / modem-mode router going through to your real router (that firewalls off the other and provides LAN / Wifi etc.). Everything past my router I should be assuming is sniffable/compromisable anyway. The problem is I don't want stuff on my network sniffing and talking out and the only way to do that is to put a real barrier / firewall between the two. No, my ISP should not be deciding what can/can't happen on my local network, so they shouldn't be running my Wifi or my only "network switch" in their router that they control.

    Currently, though, it's actually cheaper, faster and easier in my location to run a 4G modem direct into my own router. They can't update the firmware, they can't control what it does, and it still goes through my years-old firewall setup (with UPnP gateway features DISABLED from day one). And I just assume that everything outside my router is sniffing everything I do (e.g. DNSCrypt, VPN, HTTPS, etc.). You'd have to compromise the 4G modem, then you'd have to use that to attack the Internet side of my router, compromise that too, and then you'd have to get into my isolated VLANs to get close to my devices. And all my CCTV, home-automation, etc. junk is on a separate VLAN and SSID.

    And then you'd have to get past the software firewall on my laptops etc. which is default-deny and treats the Wifi as an untrusted network on each device. And you wouldn't be able to use a DNS compromise as nothing refers to an outside DNS server anywhere along the way and results are verified.

    I'm not saying it's invincible by any means but just running an ISP-controlled-router as your sole network-management device is just handing people who can't get into the 21st Century the keys to all your computers.

  13. Anonymous Coward
    Anonymous Coward

    Virgin said that it did not recognise or accept the findings

    read as: lalala, we're not listening. But with legislation (what legislation, lol?!) they WOULD listen VERY. CAREFULLY.

  14. Anonymous Coward
    Anonymous Coward

    Another argument for VPNs

    @ £3 / month, how much is your security worth?

  15. Robert Carnegie Silver badge

    Trusted users

    The thing is, you don't just trust house guests, your children's friends, etc., to not be hackers with the wifi password pinned on the fridge, you also trust them to have secure, unhacked, fully updated personal network devices... the level of security that the ISP is failing to provide to you.

    I suppose you could do everything on VPN only, on top of an otherwise exposed router.

    1. Anonymous Coward
      Anonymous Coward

      Re: Trusted users

      "you also trust them to have secure, unhacked, fully updated personal network devices..." Highly unlikely.

      As for house guests, you may not even know their surnames, much less whether they're trustworthy.

      And as for the children of El Reg readers, demonstration of hacking ability is a rite of passage ;)

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2021