Are you aware of the hazards of older routers?

Given how much personal information passes through them each day, it’s always important to ask: just how secure is your home broadband router?

Your router is the gateway to your home network – supplying your smartphone, laptop and other gadgets with a secure internet connection.

But along with your router perhaps not performing as well as you’d like, there’s always a chance that someone unwanted might try to gain access to it and all that personal information that flows through it.

Generally speaking, they’d need to be in close proximity and have serious technical knowledge to hack your router – but the risks still exist, especially with older routers that may no longer be receiving software and security updates.

Age concern

To work out exactly what the situation with old routers is, we enlisted the help of information security firm Context IS.

We looked at two routers that were seven and five years old from two major ISPs – and based on our survey, it’s highly likely both are still being used in thousands of homes.

On both, the analysts found long-established security holes in small pieces of software that allow routers to talk to the devices connected to them, including USB drives and printers.

Flawedband

These flaws could allow an attacker to upload and run malicious code, but only if they had physical access to the router.

It’s worth reiterating that the risk is low, but we’d still always recommend you make an effort to have the most up-to-date router possible to minimise exposure to as-yet-undiscovered vulnerabilities.

Do you even know how old your broadband router is? Do you make an effort to upgrade it regularly? Should broadband companies do more to protect their customers?

How old is your internet router?

Getting on a bit – 2 to 5 years old (34%, 931 Votes)

Newish – 1 or 2 years old (22%, 604 Votes)

Old – Over 5 years old (19%, 519 Votes)

Brand new – less than 6 months old (12%, 335 Votes)

Fairly new – 6 months to a year (11%, 294 Votes)

I have no idea how old it is (3%, 90 Votes)

Total Voters: 2,773

Comments

I’d have thought this topic was a good place to stress the dangers of using public WiFi.

@mpassingham – I think we need some advice on how to check the security of our routers. Mine is a couple of years old but I know people who have routers that are at least ten years old. Please can Which? provide us with some useful information?

Thanks Michael. I have a Zyxel VMG8924-B10A and see that firmware downloads are available. I will contact my ISP for advice.

My ISP did contact all customers a few years ago when one of the models of routers they had supplied did have a serious problem.

“These flaws could allow an attacker to upload and run malicious code, but only if they had physical access to the router.” Be interesting to hear of scenarios where this might happen.

Hey Malcolm, I just checked with Michael and physical access means simply being within range of the wifi coverage of the router and having the admin password.

@oscarwebb, thanks Oscar. I thought it meant wired in to it. How difficult is it to obtain a router password without physically handling it?

Thanks Michael.

I am sure there are easier ways to hack our data without trying to break in through the router.

It would be interesting to know what the secure life expectancy of the average router should be, how much security updating actually takes place, and whether any warnings are available when a router becomes vulnerable. Many of the telephone scams currently occurring refer to “unauthorised activity on your router” – that is probably what worries people. Perhaps the answer to that should be “No worries – I’ve just ordered a new one”.

This comment was removed at the request of the user

Great advice Duncan. Are you a regular Motherboard reader, by the way? I like their stuff.

This comment was removed at the request of the user

Hi Guys,

Thought it would be useful to leave this link to our Consumer Rights site article – “How can I protect my personal data online?” – Better safe than sorry, I always say.

https://www.which.co.uk/consumer-rights/advice/how-can-i-protect-my-personal-data-online

This comment was removed at the request of the user

I’ve been having connection problems for the last week or so, dropouts getting more and more frequent and finally no connection at all. My router has served faithfully for 13 years but I have now declared it dead. I have just swapped it for a 4 year old spare and all is working again. Just tried Duncan’s link to F-Secure (thanks Duncan) and it has pronounced that everything is OK.

This comment was removed at the request of the user

13 years – that’s impressive, Colin!

I have found a router security website that lists many router tests.
https://routersecurity.org/testrouter.php

Please Google and do your own research before trying any of them including problems with whatever

My router is a high-end older model (2012/13 manufacture, I believe), but still has high performance and behaves exceptionally well – particularly thanks to flashing the latest stable build of the DD-WRT open source firmware as it becomes available. I observe best practices for privacy and security including custom DNS at the router, router-level VPN as required, and strong original passphrases.

What all of that paragraph goes to show, however, is just how complicated managing a router still is in 2018. I’d go as far as to wager that, even for the basics of their operation, routers are still the most onerous and difficult home electronic products for consumers to manage. This partly isn’t helped by the varying degrees of co-operation of ISPs in supplying credentials for third-party equipment, while their own ‘free’ routers are still clunky to use.

Despite this context, there’s been a surprisingly halting start for truly smart routers with mesh networking, simple app-based management, automatically cycling passwords and signal self-improvement/beamforming. They are miles beyond the standard experience, and Google’s has been available for several years, but few consumers have yet taken the plunge and upgraded (I do feel like they missed a trick with the Google Home devices though – why not offer a premium version that incorporates the mesh networking and kill two birds with one stone?). I think price and a lack of education/understanding of how routers work are the two deterrents to improving the situation. Most people simply don’t know that they could get a lot more out of their current router or a newer model, or are scared to attempt anything because of the complexity and up-front cost.

Hopefully once the prices of some of these more modern solutions come down, we’ll see a revolution in performance, reliability and security for lots more people – we might need the ISPs to loosen their grip on the credentials and access they provide to end users first, though.

This comment was removed at the request of the user

On the topic of routers, I thought I’d add that there are three common technical ways (beyond basic placement and channel selection) to improve the service provided by an existing one:

1.) Activate beamforming – if available on your router, this allows it to target the signal it puts out towards devices using it in their particular locations. It’s imperfect and will always be most effective with routers that have multiple antennae angled differently.

2.) Consider channel-hogging – the 2.4GHz and 5GHz channels you use can be effectively coupled to occupy extra, higher or lower channels as well – 5GHz can occupy twice as many as 2.4GHz.

3.) Increase the wattage of your antennae – this is a risky tweak as it can in fact overheat your router and damage it if done without care and specific knowledge of the model.

I feel like 2.) raises a big debate that I don’t think we’ve ever had on Convo (maybe we should cover it!) about responsible channel use. In remote rural areas, I see no issue with greedily hogging the airwaves, but in built-up areas where there may be 10 or more networks in range, it can cause serious interference for neighbours who may not realise why their WiFi has become so poor by comparison to before, and risks causing a race towards antenna competition if they do.

This is where mesh networking can be hugely useful, allowing for lower output antennae on a greater number of base units without detriment to speed and signal, and decreasing interference.

I wonder if the community would be interested in a discussion on the hidden etiquette of WiFi signal and potential technological solutions like this.

This comment was removed at the request of the user

It would be interesting to learn more about routers. I’ve never paid much attention because the only time I have bought hardware to get online was when I bought a 14.4 kbps modem around 1993 and there was not a great deal of choice at the time.

I presume that there is no difference in security between using the 2.4 and 5GHz bands on a router.

There are lots of interesting mesh solutions coming out, and the prices are dropping. That BT set is way above the price of some of the other options (but again, ISP monopoly on knowledge is a controlling factor here).

Unfortunately, flashing the majority of routers is still fraught with risk, and it’s far too easy to brick many of them, restricting many users from benefiting from the tweaks I listed and from looking at alternative firmware options.

I don’t think you’re remotely alone in relying on ethernet. It’s still by far the best solution for speed, latency and reliability – the question is just whether you choose to use the internet at a desk or enjoy mobility, and the majority enjoy the portability of WiFi and don’t need to be static power-users with heavy demands or aren’t gaming at a desk.

It’s partly a problem of old housing stock. In the US and Canada, where many houses have been built recently or have seen wholesale structural improvements (possibly due to lower cost), many houses now come with comprehensive in-wall ethernet wiring through to every room (to the same degree as electrical wiring) and often through to the cabinet – or a direct fibre connection into the building.

Here we are still predominantly dealing with per-property infrastructure that consists of a very old copper telephone wire to the cabinet and (at best) jerry-rigged ethernet cables or powerline adapters. I would strongly argue that WiFi is king for every device in most UK households (when perhaps it should only be a few mobile ones) purely because of these limitations in the very fabric of properties.

Perhaps we need to demand a rethink of house-building and planning requirements to include ethernet/fibre. Interested to hear your thoughts.

@wavechange a lot has changed! Home routers as we know them are complex things now, because they’re really a compact combination of a wireless access point (which provides the wireless interface), a network switch (which splits the traffic between devices connected to the network), a load balancer (which makes sure none of the individual devices steals all of the bandwidth when uploading/downloading) and a modem, which, well, does what a modem always did, just in a better way than at 14.4Kbps.

In a large public or office environment (such as at Which? HQ or in airports/trains) the ‘routers’ you see stuck to the walls are usually just access points providing the wireless connection, and these are connected by ethernet cables to the network switch, which is a big heavy box sitting in a server cabinet. This is load-balanced by a server and the internet connection itself is usually fibre optic, served directly to the premises.

Now, in a large office like that with lots of independent square footage, 50 access points all broadcasting the same network ID on the same channel to mobile devices, works well, and you can move around and not worry about losing connection.

But with home routers in a densely populated area, everyone is trying to run dozens of conflicting versions of that setup in the same space. That’s why routers have a default setting where they don’t hog channels, and try to adjust for each other’s channel occupancy. There’s a limit to that though – there are barely over a dozen channels that 2.4GHz can share, so there is conflict between signals and that makes everything worse.

This does sound like something we could go into in more depth. Rest assured that security is the same on all channels, because it relates to the data (split into ‘packets’) being passed through the system and how they are encrypted, rather than the wavelength being used. That’s not to say the security on those is perfect…

I remember being told about multiple wireless access points and the costs involved by our IT staff at the university I worked in. Shortly after I took early retirement in 2011 wireless coverage was extended to cover all the buildings on campus allowing users to move around and stay connected irrespective of whichever access point they are near to. Speeds vary but 200Mbps – both up and down – is possible in some locations. Universities use a system called Eduroam, which allows students and staff to move between universities round the world and be logged in automatically.

I learned from Duncan that the 5GHz band on the router has a shorter range but my home does not have thick walls and it’s fine.

5GHz has less ability to penetrate around corners and through walls/doors, and in most cases where distance/low interference is a requirement 2.4GHz will win out on reliability and range (it’s a lot like long wave/medium wave vs. FM radio). However, 5GHz is able to transmit data at much higher rates, and where line-of-sight from router to receiving device is present it will trump 2.4GHz. It’s also not that much worse on signal than 2.4GHz unless there are competing networks. 5GHz also gives access to a much wider range of channels so there is more that users can do to reduce interference with neighbours.

A limitation for 5GHz is compatibility with devices. For example, while most smartphones are 5GHz compatible, laptops older than three years often aren’t. That creates a need for both bandwidths and can mean phones get better transfer speeds than laptops on the same network.

Currently you have to find a balance, but getting a 5GHz-compatible device will add flexibility and potentially speed gains.

My family have an ancient house with thick walls and it was interesting to compare the performance of both bands, though I was using a laptop rather than a phone. My late 2011 MacBook pro works fine on the 5MHz band and the download speed is about 76Mbps, just the same as a newer laptop. On both bands there is a significant decrease in speed when more than one machine is in use, for example two machines running a speed test at the same time.

Not everyone with a dual band router is aware of the options and I’d be interested in learning how they can be combined, though appreciate that this could affect other users.

“My family have an ancient house with thick walls” – are the walls about 9ft thick and does it also have a moat and a drawbridge 😉

The walls are thick but not that thick. There is no drawbridge but there is a dry moat, presumably to prevent moisture penetrating through the walls of the basement rooms. I presume that the BT Home Hub provides protection against invaders.

With our old Netgear router, a laptop managed to get a signal around 100′ down the garden.

Now, a laptop struggles to get half-signal in the same room (sofa in the middle) with the Sky-Q router. We are on our second router and a Sky engineer tried various settings but couldn’t improve the signal.

A friend’s house has 6 foot thick walls, sits on a cliff top and needs a lot of range extenders.

This comment was removed at the request of the user

I did not realise that. All the more reason to push Sky to sort out the poor signal in the house, though they might not be able to help with the garden.

I think a lot of ISP routers are set to transmit on quite low powers, so everyone can get a little bit of wifi, even in high density housing areas. When I lived in Northwich, I could often get a better signal from my neighbours across the street, from their Netgear router, than I could from my own router.

We have been paying BT for our internet connection since 2011. Up until August this year we were still operating from our initial BT Hub 3. We renewed our contract with them in August and after running speed tests we found that we were not receiving advertised speeds. After lengthy conversations with BT they agreed to send us free of charge a BT Hub 4. To be honest it really hasn’t made any difference and I have not yet gone back to them to advise them of this. In view of this post regarding hazards of old routers, I believe that we are still in possession of an old router, any help on how I can get them to replace it with the most up to date router without it costing me would be very much appreciated.

This comment was removed at the request of the user

Duncan – thank you so much for all the advice. I have found this whole thread very interesting and have learnt a great deal. Never been on the Which? Conversation threads before but I most certainly will be viewing topics going forward. I think one course of action that I will take is to keep a record over the next few weeks of the speeds we are getting at different times of the day/night, days of the week and go back to them and try and negotiate a further upgrade of our router. We are on their Superfast Fibre Plus package. Our PC is not hard wired directly to our router and I’m sure that will be BT’s cop-out.

This comment was removed at the request of the user

This is lovely to hear, Maureen – we do hope you stick around. Do feel free to @ any one of us if we can help with anything else, and thank you to Duncan for the advice 🙂

I have an elderly cheapo router from my ISP which I’ve stuck with for something like the past 8 years, for the following reasons:

1. It gets on with the job, mostly without a hitch; any rare problems (which may or may not be down to the router itself) are usually solved by rebooting it.

2. There is a button which must be pressed on the unit before it will accept registration of a new WiFi device, thus requiring physical access to the router in order to join the network. (NOT the same as optional WPS ‘easy registration’, as I understand it.)

3. The router also features MAC address filtering, so if I were feeling super-paranoid I could lock down access to devices whose network hardware addresses I recognise (presumably doesn’t guard against MAC address spoofing, but still a good deterrent to all but the most determined of hackers?).

I did try replacing it a few years ago with a TP-Link Archer router, due to the positive reviews and promise of better performance, but I found quite the opposite – speed and connection reliability were so bad that I had to return it.

My ISP sent me its latest free router not long ago as part of my broadband renewal, but I found it was much more basic – it had a WPS registration button but neither of the above security features, so it’s tucked away in a drawer as a spare.

Views welcome – is this a sensible approach to stick with my tried & trusted model and its security features, or is it misguided (e.g. because the firmware is very old and no updates are available)?

This comment was removed at the request of the user

Hi Duncan, thanks for your reply, and yes I changed the password. I wondered if it might not be prudent to give the make/model on a public forum, seeing as we’re talking about remote hacking etc. 🙂 But maybe that’s crossing the line between prudence and paranoia… I’m no expert!

This comment was removed at the request of the user

Chas / Duncan, from what I’ve seen so far, I think most router hacks don’t need to know the make and model of your router – they’ll just search for vulnerable routers, using a menu of one or more vulnerabilities and then assimilate all vulnerable routers into their botnet.

The main exception would be if anyone is out to get you personally and has come round to your house to attack your wifi. If you haven’t done anything to attract their attention, such cases are unlikely. By default, most routers broadcast the name of your broadband provider, from which it would usually be quite easy to guess your make and model of router, if it is an ISP supplied model.

So, whilst revealing the make and model of your router might make life a bit easier for hackers, it wouldn’t be a great risk. But, because good security is all about having multiple lines of defence, I’d suggest you shouldn’t reveal such details in public forums like this one.

This has been a very interesting discussion. We have a fairly old Netgear router and have set it to only allow recognised MAC addresses to connect by wifi. One issue we have though is that sometimes the wifi light is going 10 to the dozen implying that there is activity going on even though no-one in the house is connected to the wifi. Would be interested to hear thoughts on this. Our ISP is BT – I wasn’t aware that some (or is it most?) ISPs block routers they don’t supply.

Ann, that’s interesting.

If you are with BT, is your router also set up to provide a public BT WiFi openzone hotspot?

As it happens, yes it is although I don’t know quite how it came about because I never gave them permission to use our broadband to be an openzone hotspot

This comment was removed at the request of the user


Sorry Duncan, don’t understand ‘In the process the change the settings by remote programming that could account for that if you rightly say only certain mac addresses are allowed ‘.

This seeming wifi access when no-one in the house is using it has happened rather frequently and for a long period. We have 1 pc connected by lan, and my laptop and/or mobile phone connected by wifi. When I am away, we turn off the wifi.

This comment was removed at the request of the user

Michael says:
30 September 2018

My router is 18 years old. It is connected to my landline. I do not have wifi.

This comment was removed at the request of the user


Thanks for that Duncan. I had a look and we’re opted out of BT Community wi-fi. The link implies I can find out usage but I suspect that figure is only available if one has a BT Home Hub which we don’t. However I’ll continue to look for ways to monitor.

This comment was removed at the request of the user

My router was a best-buy when I bought it. It’s working perfectly well and it seems to me that I shouldn’t have to scrap it just because it’s old. Surely if the manufacturers discover a fault that was with the machine when I bought it, they should fix it no matter how old it is?

This comment was removed at the request of the user

Here’s a technical report that explains some router vulnerabilities:

akamai.com/us/en/multimedia/documents/white-paper/upnproxy-blackhat-proxies-via-nat-injections-white-paper.pdf

It shows how some routers can be fooled into exposing their login screen to the external internet.

Once that is done, routers where the administrator userid and password are unchanged from the factory defaults can be taken over and assimilated into botnets.

As already discussed above, changing the administrator password and userid should prevent such attacks. Most ISP routers already come with the admin passwords changed away from the easily hackable defaults.
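
An added example, not part of the comment above or of the Akamai paper: a check a router owner could run over their own router's UPnP port-forwarding table, flagging any entry that forwards an internet-facing port back to the router itself (the exposed login screen described above). It goes one step beyond the comment by also flagging entries that forward to addresses outside the home network, the "NAT injections" of the paper's title. The one-line-per-mapping table format, the sample entries, the LAN range, the router address and the list of admin ports are all assumptions made for illustration.

```python
import ipaddress

# Assumption: ports on which home routers commonly serve their admin pages.
ADMIN_PORTS = {80, 443, 8080, 8443}

# Constructed sample table (not from any real router), one mapping per line:
# PROTOCOL EXTERNAL_PORT INTERNAL_IP INTERNAL_PORT DESCRIPTION
SAMPLE_TABLE = """\
TCP 51413 192.168.1.23 51413 file-sharing
UDP 3074 192.168.1.40 3074 games-console
TCP 8081 192.168.1.1 80 sync
TCP 40022 203.0.113.77 443 node
TCP 9999 not-an-ip 80 broken
"""


def parse_mappings(text):
    """Return (mappings, errors); malformed lines are reported, not dropped."""
    mappings, errors = [], []
    for lineno, line in enumerate(text.splitlines(), start=1):
        fields = line.split(None, 4)
        if not fields:
            continue  # skip blank lines
        try:
            proto, ext_port, int_ip, int_port = fields[:4]
            mappings.append({
                "line": lineno,
                "proto": proto.upper(),
                "ext_port": int(ext_port),
                "int_ip": ipaddress.ip_address(int_ip),
                "int_port": int(int_port),
                "desc": fields[4] if len(fields) > 4 else "",
            })
        except ValueError as exc:
            # Too few fields, a non-numeric port or a bad address all land here.
            errors.append((lineno, f"unparseable entry: {exc}"))
    return mappings, errors


def audit(text, lan_cidr, router_ip):
    """Return sorted (line_number, reason) pairs for entries worth a closer look."""
    lan = ipaddress.ip_network(lan_cidr)
    router = ipaddress.ip_address(router_ip)
    mappings, findings = parse_mappings(text)
    for m in mappings:
        if m["int_ip"] == router:
            # The forward points back at the router: its own pages become
            # reachable from the internet side.
            kind = "admin page" if m["int_port"] in ADMIN_PORTS else "router service"
            findings.append(
                (m["line"], f"forwards WAN port {m['ext_port']} to the router's own {kind}"))
        elif m["int_ip"] not in lan:
            # A home router should only forward to devices on the home network.
            findings.append(
                (m["line"], f"forwards to {m['int_ip']}, which is outside {lan}"))
    return sorted(findings)


if __name__ == "__main__":
    for line_no, reason in audit(SAMPLE_TABLE, "192.168.1.0/24", "192.168.1.1"):
        print(f"line {line_no}: {reason}")
```

Entries that are flagged are prompts to check which device or app asked for the forward; an entry nobody in the house can account for is a reason to switch UPnP off and update or replace the router.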