7.5 Million at risk from out-of-date ISP routers

Consumer watchdog Which? have investigated 13 legacy router models supplied by leading UK internet service providers (ISPs) including EE, Sky, TalkTalk, Virgin Media and Vodafone – a report discovered that around 7.5 million internet users are at risk from out-of-date hardware.

Out of the 13 router models investigated, 9 presented pressing security flaws that are unlikely to be in compliance with upcoming UK government legislation around tackling the security of connected devices.

The new legislation is in response to government figures showing that 49% of UK residents have purchased at least one smart device since the start of the COVID-19 Pandemic. Due to this huge increased national scope of vulnerability to potential cyber-attacks, the proposed legislation will ban easy to guess default passwords across all, enforces policies to make it easier to report software bugs that can be exploited by hackers on legacy or modern hardware.

Kate Bevan, Which?’s Computing Editor, commented that “proposed new government laws to tackle devices with poor security can’t come soon enough – and must be backed by strong enforcement.” Which? are simultaneously pushing for increased transparency from ISPs about how customers automatically or manually update their routers and how they should actively upgrade existing customers who are identified as being in the ‘at risk’ category.

Of those 7.5 million affected, 6 million users currently possess ISP hardware that has not been updated since 2018 and a few instances even as far back as 2016 – meaning that these vulnerable devices have not received security updates for defence against the latest threats posed by cybercrime.

A cluster of three main problems with ISP legacy hardware were identified by Which? ranging from weak default passwords that allow cybercriminals unlimited access to a router from anywhere, a lack of firmware updates and a local network vulnerability issue with EE Brightbox 2 giving potential hackers full control of the router to install malware or malicious spyware.

In response, Virgin Media have openly rejected Which?’s report conclusions; saying that 9 out of 10 customers are using their latest router models and are benefiting from regular router security updates. This sentiment was mirrored by BT Group (owners of EE), TalkTalk and Vodafone who announced that the HHG2500 device included in the Which? report has not been supplied since August 2019.

Devices with weak default passwords: TalkTalk HG635, TalkTalk HG523a, TalkTalk HG533, Virgin Media Super Hub 2, Vodafone HHG2500, Sky SR101 and Sky SR102.

Routers affected by lack of updates: Virgin Media Super Hub, Virgin Media Super Hub 2, Sky SR101, Sky SR102, TalkTalk HG523a, TalkTalk HG533 and TalkTalk HG635.

Routers that passed the Which? security tests: BT Home Hub 3B, BT Home Hub 4A, BT Home Hub 5B and Plusnet Hub Zero 2704N


BT to charge for unrecycled broadband routers

New customers will face a fine of up to £50 if they decline to return their BT router at the end of the contract, British Telecom have announced.

BT operates a scheme to recycle old routers, which will soon become compulsory, in an effort to reduce electrical waste and cut the volume of unrecycled broadband routers being sent to landfill.

Customers may voluntarily return their old router by following the instructions published here.

Entry-level Broadband routers from many major providers are locked to a single Internet Service Provider (ISP), which often causes spare routers to pile up in cupboards when customers switch broadband supplier.

The move follows a pattern of UK companies trying to bolster their green credentials, in the wake of Extinction Rebellion and other environmental movements gathering increased public support.

As subsidiaries, the BBC reports that the scheme will also ‘eventually’ apply to EE and Plusnet broadband customers.

Increasing numbers of local councils in the UK now offer direct recycling of small electrical items, reflecting a noticeable rise in the value of copper and other useful materials – giving home users few excuses not to attempt to recycle their old router.

 

For IT support & expertise – please contact our team today.


Lineal’s Ian awarded Certified DrayTek Network Admin

Lineal’s Ian Meredith has been awarded DrayTek Certified Network Admin Certificate, adding an additional qualification to Lineal’s networking experience.

DrayTek’s ‘Dray School’ requires network engineers to pass a series of advanced network and security configuration tests using DrayTek devices, routers and access points, including best practice for firewall settings, fault-finding and other detailed network tasks.

DrayTek’s business-grade Router range have won praise from across the IT Support sector recent years, with the provider winning a PC PRO Technology Excellence Award for five successive years (2014-18). DrayTek router models have proved highly popular with businesses, with intelligent features such as 4G fail-over increasingly in demand for business continuity requirements.

As a part of the 2-day examination procedure, each engineer’s router is attached to a testing network which judges whether the engineer has managed the device correctly, and automatically passes or fails based on a series of security checks.

Well done Ian!

 

For Networking and Security Expertise, contact Lineal today.


WPA3 Wi-Fi Introduced

The Wi-Fi Alliance has formally announced the introduction of the WPA3 security protocol, the next generation of wireless security to protect routers and networks.

The new security standard follows hot on the heels of last year’s breach of the existing WPA2 standard, which has been in use since 2004.

WPA3, released in both ‘personal’ and ‘enterprise’ with extra protections, is expected to fix a number of deficiencies in the older WiFi protocol, including:

  • Captured encrypted data cannot be decrypted by a later breach of the password – in order to access data, a hacker must have both the password and data at point of transmission.
  • Encryption of data will be individualised, such that snooping on other devices across less secure Wi-Fi networks will be made more difficult.
  • Extra protections against password brute-forcing and ‘dictionary’ style attacks, dramatically increasingly the time cost of bulk guessing a password successfully.
  • Smart devices with no screen, including many Internet-of-things (IoT) technologies, will be administered via a smartphone screen during Wi-Fi setup.

To most end-users, the experience of entering a Wi-Fi key will feel virtually identical. WPA3 isn’t expected to actually be implemented until 2019, and is predicted to gradually replace the existing WPA2 standard on all Wi-Fi certified devices. WPA2 will continue to function, but will be steadily phased out.

Nevertheless, expect to see major manufacturers rushing to ensure their own products are stamped with the very latest security ‘WPA3 Ready’ branding.

For networking and cybersecurity expertise, please contact Lineal today.


DrayTek Vigor Firmware Warning

At time of writing, Lineal technical support staff are currently updating DrayTek Vigor firmware for all clients with known DrayTek equipment.


Enterprise Router provider DrayTek has called for urgent firmware updates, following discovery of a security vulnerability.

20 different business router models from DrayTek’s Vigor range are known to be affected by the security flaw, known as DNS hijacking, which may allow a third-party to alter DNS settings by issuing commands to a dormant session of the web-based DrayTek router control interface.

The unwelcome news marks the first major security flaw to befall the acclaimed networking equipment brand for some time – and comes less than a year since DrayTek won PC PRO’s ‘Best Router Brand Award’ for 2017.

A Vigor router showing IP number 38.134.121.95 is reported to be a likely indicator of compromise, and affected routers may exhibit unusual network behaviours.

DrayTek’s official guidance warns that this is likely to be only a preparatory ‘phase 1’ of any like cyber-attack by criminals, preparing re-direction of web traffic to compromised web pages which might capture unsuspecting users’ passwords or other sensitive information.

As a general security precaution, it’s always worth logging out of web-portals and other accounts not being used (including your email, social media, bank account and device itself… or indeed your router’s configuration panel.)

If you have a DrayTek Vigor router not covered by a Lineal Support Agreement with us, please get in touch for guidance.

Please check back for updates