Which? warns that more than 2 million Brits are on old and insecure routers – wagging a finger at Huawei-made kit Consumer org Which? reckons more than two million Britons are connected to the internet through routers that were last updated in 2016. This eye-catching finding came from a Which? survey launched today, seemingly criticising UK ISPs for not complying with a proposed law whose first draft hasn't been introduced to Parliament. …
... more junk being recycled and more sales if the manufacturers decide, or find out, that the device can't up upgraded ... a law that will make the manufacturers more money. Routers will be designed and sold to work for 10 years and then when a bug is found in two years time they will say sorry, it can't be fixed, you need to "upgrade" to a new router.
Plus there are in my view at least two types of problems. Problem one is if a bad actor from the "internet" can access my LAN. Then I'm in trouble.
Type 2 are things which can cause problems, like not enforcing strong passwords or allowing people on my LAN to do naughty things.
Type 1 problems need to be fixed but on the other hand are relatively rare.... none of my outdated ADSL routers have issues like this reported with them.
Type 2 are often not such big issues but are a lot more common. Not enforcing strong passwords can be solved by err, using a strong password, for example.
Most people do not change the password on their router. The norm nowadays is to have a "secure" password printed on the bottom of the box - which is at least unique to each box.
Type 2 (LAN-facing) vulnerabilities are exploitable by evil JavaScript delivered on a web page, whether deliberately, or by a web server being hacked, or (usually) via Malvatising.
So Type-2 is only slightly less important than Type 1.
The problem with white-label rebranded routers is that their modified firmware - maybe just to add company logos and colours - but often to block some features - night not be updated with stock firmwares for the same models - even if available. Sometimes is possible, sometimes it's not but attempting specific "hacks" that many users may not be able to perform.
Here the comms regulator issued a year and a half ago a ruling that ISP can't mandate the use of their modem/routers - nor can force the customers to buy/rent them. Users must always be able to use their own, and all required configurations must be provided to the users.
ISPs tried to neuter the regulation but failed - although they still try some dirty tricks with user not getting their modem/routers - let's when they get fined.
Still, being able to use commercial modem/routers means you can install any available update - and you can also select brands/models who keep firmware updated.
I have to say I found he article a bit TLDR, not necessarily with the El Reg reporting of it, but I find Which to be a bit of a scaremonger that is quite happy to take " minor risks" and present them as "critical issues" as long as it gets them some publicity.
However, where did you read this about lack of support if you switch routers? I have had a VM router in my house in one form or another for the last 8 years and they have never raised any form of issue with my having it in modem only mode and connected upstream from my 3rd party router.
I had it from my previous ISP - not one of the "big players" - am not saying you can't do it (I did but had to fake the MAC address!) - it's just they sulk if you ring up when the line has problems?
Anyone skilled enough to want to swap routers, is unlikely to bother ISP support's call centre (have you switched it off/on again)!
VM do not have a problem with modem only mode. I been with the same ISP (through the various incarnations to VM) since dial-up days and have always had my own router.
I have spoken to tech support on occasion they never have a problem when I tell them I use my own router.
I have had my VM router replaced for newer versions over the years and the engineer just plugs my router into the VM one.
Not being a Which subscriber and so not able to access the full report, from what has been reported (eg. BBC News) it does seem Which has gone off half-cocked on this.
There are a number of problems it seems Which fails to unravel.
Firstly, we have the router itself, in the main the support and update issue is down to the ISP and their agreement with the relevant OEM. So provided the ISP keeps paying the router will/should be supported and getting updates. The only potential benefit here is for the government to insist that routers are supported for a minimum period - say 10 years.
Secondly, we have the issue that ISP's don't generally update the routers of existing customers to new models - I've had problems with my EE Brightbox 2, EE's solution has been to send me a replacement Brightbox 2 and not their new router which they send out to new subscribers.
Thirdly, we have the issue (already pointed out in Elreg comments) that with ISPs insisting residential customers use their router, there is little Joe Public users can do if the ISP supplied router is not fit for purpose.
Perhaps the government should legislate giving ISP's 90 days to fix vulnerabilities reported to them (clock starts when vulnerability reported to a trusted third-party clearing house eg. Ofcom) after which after which the service contract becomes void and the ISP either has to provide a new more secure router or pay customers ISP switching costs. Also all ISP's contribute to a bug bounty pot (administered by a trusted third-party...).
What's also not mentioned is that the domestic edge router isn't connected to the Internet, its connected to a port on a ISP's router. The ISP should be the primary firewall for attempts to compromise its customers' kit. I rather suspect it doesn't, I feel that my ISP, for example, has few technical smarts, its primairly a billing and sales organiztion with technical support limited to 'turni it off and on again' and the like.
(Of course, it doesn't help that my router (a Sagecomm) has an annoying habit of resetting its admin password to the default.)
Nothing nefarious about Huawei's kit or practices. Just that in a reverse of a recent Line of Duty finale, the world + dog would rather believe it's a red conspiracy rather than utter incompetence and laziness on the part of Huawei.
My isp just replaced my Huawei router and all the connection drop-outs and random packet-caused resets have vanished. I feel bad for all the times they called out Openreach when it was a PEBCAK.
But it's not Huawei that are installing these routers, it's British ISPs.
So obviously the British ISPs are under the control of the Chinese Peoples Army. It's obvious to anyone who has tried to deal with them that they aren't hyper efficient free market capitalists.
Plus Branson has a beard so is obviously a communist and probably controlled by Corbyn (must stop reading Daily Mail)
The average 'home router' is modem + firewall + router.
One major risk is following instructions that come with your shiny new IoT garbage to configure port forwarding.
Here's a suggestion to ISPs: supply non-configurable routers.
In one easy step, we make people safer... and sadly, dumber.
One major risk is following instructions that come with your shiny new IoT garbage to configure port forwarding.
The average home user just plugs their router in, for them upnp does the necessary port opening, albeit with all of its security vulnerabilities.
"Here's a suggestion to ISPs: supply non-configurable routers."
They already do that. It doesn't fix anything, but it does have the extra feature of making me sad when I see it. For example, the one supplied to my parents wouldn't let me change the DNS servers to a pihole, or set firewall rules, or actually do very much at all. Fortunately, the advanced section (three options) contained the UPNP off setting, so it wasn't a total loss. I could have turned off its WiFi and used a downstream router (fortunately it doesn't redirect DNS queries) but that would have been another possible point of failure that I couldn't easily fix since I don't live nearby.
"Here's a suggestion to ISPs: supply non-configurable routers."
I'm not happy with that idea. My ISP in effect did that. They "upgraded" remotely and took away my ability to run admin level. They've frozen me out of being able to make changes to the DHCP settings I had in place. I suppose the best thing would be to replace it but then it's a matter of finding smething that's neither a load of cack nor over-priced. In my case overpriced would include paying for an included wireless access point as the location of the master socket isn't the best place to get a good signal out.
EE: ..a very low risk vulnerability for the small number of our customers who still use the EE Brightbox 2. ... it is recommended they only give network access to people they trust, and they should be suspicious of any unsolicited emails and web pages
RU Serious EE? How many people, especially those that are happy to have dodgy Chinese boxes foisted on them could honestly say that they could recognise phishing emails or malicious web pages? That's an unbelievable statement by what claims to be a responsible provider!!!
Thought I would use the same WiFi SSID and pwd, only to be told that many of the characters I use, backslash, curly brackets, quotes, etc (IIRC) are "not permitted." I've solved the issue by reusing my BT HomeHub router but I should imagine plenty of us here immediately think "hold on, how the hell are you storing this password?" when told that certain characters cannot be used.
I use alphanumeric symbols in passwords ... that's OK as long as you use enough. I think I recall that you can use an arbitrary length English characters phrase for wifi security and it gets hashed. So you could use this paragraph. Not now, of course.
If a service insists that funny characters ARE added, then I reach for fullstop . or exclamation !
After an upgrade to an e-mail service I use, I was notified that while my password remained the same, now I must type it lower case. Hmm.
"and your data porn's flowing through these"
Based on what people actually visit on the web, the idea that a home firewall/router is out of date is not exactly an existential threat to much. Yes, somebody could hack it to mine Bitcoins. Someone could hack it to execute a DDOS attack. Etcetera.
Now, as for your data being "at risk" from dodgy router software, I'm absolutely sure that the larger security vulnerability for your data is the malware already on your computer, the malware already on the server you are accessing, and the APIs and data that have been left open to world+dog by developers who haven't mastered copy-and-paste from StackExchange, and of course that you've used the same password for, like, just ever, and it's been published at least 47 times from different dumps from said server data.
And you want to blame the poor router in the corner, blinking its lights in that lonely, forlorn pattern. (Yes, a pattern...)
Meaning, UK ISPs dictating what kit they are willing to pay for happens to be made in China.
I'm not sure Huawei is the issue here. To me, the issue is UK ISPs that did not put the money on the table to get secure kit. If that had been in the specs, Huawei or not, the Chinese would have had to deliver.
I've always binned the ISP router immediately, and then put in one of my own. There are literal standards for this, and any router of the supported ADSL/VDSL etc. standard is better than whatever junk they give you and then never update (and I'll update on MY schedule, thanks, not yours).
But to be honest, it's almost always easier to double-insulate and have a modem / modem-mode router going through to your real router (that firewalls off the other and provides LAN / Wifi etc.). Everything past my router I should be assuming is sniffable/compromisable anyway. The problem is I don't want stuff on my network sniffing and talking out and the only way to do that is to put a real barrier / firewall between the two. No, my ISP should not be deciding what can/can't happen on my local network, so they shouldn't be running my Wifi or my only "network switch" in their router that they control.
Currently, though, it's actually cheaper, faster and easier in my location to run a 4G modem direct into my own router. They can't update the firmware, they can't control what it does, and it still goes through my years-old firewall setup (with UPnP gateway features DISABLED from day one). And I just assume that everything outside my router is sniffing everything I do (e.g. DNSCrypt, VPN, HTTPS, etc.). You'd have to compromise the 4G modem, then you'd have to use that to attack the Internet side of my router, compromise that too, and then you'd have to get into my isolated VLANs to get close to my devices. And all my CCTV, home-automation, etc. junk is on a separate VLAN and SSID.
And then you'd have to get past the software firewall on my laptops etc. which is default-deny and treats the Wifi as an untrusted network on each device. And you wouldn't be able to use a DNS compromise as nothing refers to an outside DNS server anywhere along the way and results are verified.
I'm not saying it's invincible by any means but just running an ISP-controlled-router as your sole network-management device is just handing people who can't get into the 21st Century the keys to all your computers.
The thing is, you don't just trust house guests, your children's friends, etc., to not be hackers with the wifi password pinned on the fridge, you also trust them to have secure, unhacked, fully updated personal network devices... the level of security that the ISP is failing to provide to you.
I suppose you could do everything on VPN only, on top of an otherwise exposed router.
"you also trust them to have secure, unhacked, fully updated personal network devices..." Highly unlikely.
As for house guests, you may not even know their surnames, much less whether they're trustworthy.
And as for the children of El Reg readers, demonstration of hacking ability is a rite of passage ;)
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
