MILLIONS of internet users could be at risk of hacking attacks due to using outdated routers from their broadband providers that have security flaws, a new investigation has revealed.

Households across the UK are using their home broadband more than ever, to work, educate their children or keep in touch with loved ones.

According to Ofcom full-fibre broadband is now available to over 437,000 (17%) of premises in Scotland – an increase of over 238,000 premises and the highest year-on-year increase seen so far in Scotland.

The rise is largely due to the continued investment in the rollout of fibre networks in Scotland from providers included last year, such as Openreach, Virgin Media and CityFibre.

Around 1.1 million homes in Scotland (42%) can get 1GB broadband, which includes full fibre services and Virgin Media’s fastest cable package. Scotland has the second highest availability of any UK nation.

READ MORE: Thousands of wireless cameras in Scotland ‘hacker-vulnerable’

According to new research many are unaware that old equipment provided by internet service providers (ISPs), including EE, Sky, TalkTalk, Virgin Media and Vodafone, could be putting them at risk of hackers spying on what they are browsing online or even directing them to malicious websites used by scammers.

The consumer organisation Which? has issued the warning after it investigated 13 old router models and found more than two-thirds, nine of them, had flaws that are likely to fail to meet requirements proposed in upcoming government laws to tackle the security of connected devices.

The legislation is not yet in force and so the ISPs are not currently breaking any laws or regulations.

Lab tests identified a range of security risks with the routers which could potentially affect around 7.5 million people.

Around six million people within this group of users could be using a router that has not been updated since 2018 or earlier, Which? said.

This means the devices have not been receiving security updates which are crucial for defending them against cyber criminals.

Problems with the old router models include having weak default passwords, which in certain circumstances could allow a cyber criminal to hack the router and access it from anywhere.

There are also issues with a lack of firmware updates, which are vital for both security and performance.


The research uncovered a vulnerability issue with the EE Brightbox 2 which could give a hacker full control of the device and, for example, allow them to add malware or spyware, although they would have to be on the network already to attack.

The survey also suggested that 2.4 million users haven’t had a router upgrade in the last five years.

In contrast to other ISPs, the old BT and Plusnet routers that Which? tested all passed the security tests – researchers did not find password issues, a lack of firmware updates or a local network vulnerability with these devices. The consumer organisation said it is concerned that many customers are being left using old kit, often with no guarantee of an upgrade, and is encouraging consumers in this position to talk to their broadband provider about getting an upgrade.

When ISPs were contacted with the findings, most of them said that they monitor for security threats and provide updates if needed.

The BT Group said that older routers still receive security patches if problems are found – although Which? said it did find an unfixed vulnerability on the EE (part of the BT Group) Brightbox 2 router.

Aside from Virgin Media, none of the ISPs contacted by researchers gave a clear indication of the number of customers using their old routers.

Virgin said that it did not recognise or accept the findings of the research and that nine in 10 of its customers are using the latest Hub 3 or Hub 4 routers.

However Which? said that Virgin was counting just paying account holders, whereas the survey was of anyone using routers within a household.

The consumer organisation said it believes that ISPs should be more upfront about how long routers will receive firmware and security updates – one of the requirements of proposed government laws to tackle unsecure devices – and encourage people to upgrade devices that are at risk.

As part of its proposed legislation to tackle unsecure devices the consumer organisation is also calling for the government to ban default passwords and also prevent manufacturers from allowing consumers to set weak passwords that may be easily guessable and hackable.

Kate Bevan, Which? computing editor, said: “Given our increased reliance on our internet connections during the pandemic, it is worrying that so many people are still using out-of-date routers that could be exploited by criminals.

“Internet service providers should be much clearer about how many customers are using outdated routers and encourage people to upgrade devices that pose security risks.

“Proposed new government laws to tackle devices with poor security can’t come soon enough – and must be backed by strong enforcement.”

A BT Group spokesman said: “We want to reassure customers that all our routers are constantly monitored for possible security threats and updated when needed. These updates happen automatically so customers have nothing to worry about. If a customer has any issues, they should contact us directly and we will be happy to help.”

TalkTalk said “These routers make up a very small proportion of those in use by our customers. Customers using all of these routers can change their passwords easily at any time.”

Plusnet added: “We want to reassure customers that all our routers are constantly monitored for possible security threats and updates with firmware. These updates happen automatically so customers have nothing to worry about."

Vodafone said: “All new Vodafone routers have device specific passwords. Vodafone stopped supplying the HHG2500 router to customers in August 2019. Customers who still have the HHG2500 router will continue to receive firmware and security updates as long as the device remains on an active customer subscription. Customers who haven’t already changed their password should do so, following these instructions.”

The research made use of a survey carried out by Opinium of 6,026 UK adults aged over 18 and  conducted in December 2020.

The consumer organisation worked with security specialist Red Maple Technologies to test commonly used legacy routers to identify security risks.