By clicking a retailer link you consent to third party cookies that track your onward journey. If you make a purchase, Which? will receive an affiliate commission which supports our mission to be the UK's consumer champion.

Millions of people in the UK at risk of using insecure routers

Weak passwords, a lack of updates and network vulnerabilities mean some home routers could be putting users at risk
Hollie Hennessy

Millions around the UK could be at risk of using routers with security flaws, a Which? investigation has found.

In December 2020, we conducted a survey of more than 6,000 UK adults, asking them which routers they're using at home. We found millions could be using devices more than five years old that are no longer being supported with firmware updates.

We sent a selection of the most commonly used old devices to security specialists, Red Maple Technologies, to find out just how secure they are, and discovered issues with more than half, from ISPs such as Virgin, Sky, TalkTalk, EE and Vodafone.

This could potentially affect up to 7.5 million Brits based on our survey.

Some of these models haven't seen an update since 2018 at the latest, and some haven't been updated since as far back as 2016, which could affect six million of these users. Without firmware and security updates, there's no guarantee that security issues will be fixed.

Routers might sit in the corner of the room collecting dust, but they're a vital part of everyday life. Especially as we now need the internet more than ever to work, shop and stay in touch with loved ones. Read on to find out if you're affected and what to do next.


Browse our reviews of wi-fi routers, mesh networks and extenders to see which impressed in our test labs


Security flaws found in Which? tests

We focused our research on 13 older router models that are still being used, and most of them did not meet modern security standards. The main issues were:

  • Weak default passwords These passwords can be easily guessed by hackers, are common across devices and could grant someone access. This can be done from outside of the home network, so a hacker could access a router from anywhere in the world.
  • Local network vulnerabilities While the risk here is lower as a hacker would have to be in the vicinity of the router, vulnerabilities such as this could allow a cybercriminal to completely control your device, see what you're browsing or direct you to malicious websites.
  • Lack of updates Firmware updates aren't only important for performance, they're also needed to fix security issues when they arise. Most of the routers we looked at hadn't had a security update since 2018 at the latest, with no guarantee of a new one in the near future.

The routers on test weren't all bad, though. Old devices from BT and Plusnet had been recently updated and we didn't find any unfixed vulnerabilities or weak default passwords.

If you have one of the below routers, we'd recommend asking your provider for an upgrade as soon as you can.

Weak passwords - devices affected:

  • Sky SR101
  • Sky SR102
  • TalkTalk HG523a
  • TalkTalk HG533
  • TalkTalk HG635
  • Virgin Media Super Hub 2
  • Vodaone HHG2500

Lack of updates - devices affected:

  • Sky SR101
  • Sky SR102
    TalkTalk HG523a
  • TalkTalk HG635
  • TalkTalk HG533
  • Virgin Media Super Hub
  • Virgin Media Super Hub 2

Local network vulnerabilities - devices affected:

  • EE Brightbox 2

Routers aren't the only device you need to keep an eye on: use our mobile phone support calculator to find out if your smartphone is still receiving important security supdates.


What to do if you're affected

If you own one of the routers listed with weak default passwords, the first thing you should do is change it. Our guide on changing router passwords can help. And for tips on setting a good replacement, read our guide to creating secure passwords.

If you're using a device that's no longer being updated, or if you've had your router for five years or more and know there are newer models available, you could try to arrange an upgrade.

How easy this is to do depends on your situation and your internet provider. When we asked, only Virgin Media said it gives free upgrades - customers with older routers can request a new one through the Connect app.

Other providers may offer you a new model at a cost - a single upfront payment. Or in the case of Sky, you can sign up for Sky Broadband Boost, which involves a rolling £5 monthly payment and among other benefits, will get you upgraded to the latest router.

If you want a new router and you're in contract

It doesn't hurt to ask. While an internet provider is not obliged to provide you with a new router for free, if you call and explain your concerns you might get lucky, especially if your router is quite old.

If you're not able to get a free upgrade, find out what your options are to work out your best next step. In the meantime, make sure you change your default router password if you feel it's not strong enough.

If you want a new router and you're out of contract

When your contract expires you have a number of options - not least threatening to leave. If you want to stay with your provider, say you'll recontract with them if they provide you with a new router. If your router is old and they refuse, you should seriously consider switching.

A new contract with a new provider should afford you their latest equipment, which includes a new router. This can also save you money - in a recent survey of more than 2,000 broadband customers, 19% were likely to be out of contract and at risk of overpaying. And if you're on standard broadband, an upgrade to fibre broadband will get you faster speeds and greater reliability.

Which? calls for more transparency from ISPs

We think it's unacceptable that customers are being left on old, unsupported kit - our research suggests that up to 2.4 million UK adults haven't had a new router in the past five years. ISPs should be far more upfront about how long routers will be receiving firmware and security updates, and they should actively upgrade customers who are at risk.

We went to the ISPs with our findings and most told us they would monitor devices for security threats, updating them if needed. However, there's no guarantee. BT Group told Which? that older routers still receive security patches if problems are found, but the EE Brightbox 2 has a security vulnerability that is still unfixed.

Aside from Virgin Media, none of the ISPs we contacted gave a clear indication of customers using their old routers. Virgin said that it didn't recognise or accept the findings of our research and that nine in 10 of its customers are using the latest Hub 3 or Hub 4 routers. However, our survey was of all those using or with devices connected to the router, rather than just the paying account holders.

Companies should also have a clear point of contact for researchers, such as Which?, to let them know of vulnerabilities so they can be fixed. Only Sky, Virgin Media and Vodafone appeared to have dedicated web pages for this.

As part of the proposed legislation to tackle insecure devices, Which? is also calling for the government to ban default passwords, and prevent manufacturers from allowing consumers to set weak passwords that may be easily guessable and hackable.

Want to see which ISP router is best or have a look at third-party options? Browse all our wi-fi router reviews.