A new survey of 3,045 UK internet users, which was conducted by Broadband Genie between 1st January and 26th April 2024, has revealed that 89% of respondents have never updated the firmware of their home router and 86% have never changed the device’s administrator password (falling to 72% for those who have never changed their WiFi password).
The survey also found that 75% have never checked to see what or who is linked to their router and 52% have never changed or updated any of their router’s settings (this is up from 48% in 2022). The study goes on to claim that leaving the router set to its default password “allows hackers to easily identify which make and model of router the target is using,” although a lot of ISPs these days supply long randomised passwords that have no specific structure for identification.
In addition, routers that have been supplied (bundled) by your ISP are often set up to auto-update their firmware, which means that the customer doesn’t need to perform any specific action to ensure that their device is kept up-to-date. But it’s still wise to check with your broadband provider and confirm what their policy is.
The main exception tends to be third-party devices, such as those purchased separately, which often do require a manual action to check for recent firmware. But one issue here is that not all device manufacturers make such firmware updates accessible or easy to find, while others may only offer very limited support and could thus risk leaving security vulnerabilities unpatched – sometimes even on relatively modern kit.
As part of this study the comparison site also asked respondents, specifically those who had never changed their router’s factory settings, why they had never done so. The majority (75%) said they didn’t understand why they would need to.
The fact that your router is often the single most important device in your home network for security should be incentive enough to ensure that you’ve set a strong password and not simply used the one supplied by your ISP, which may or may not be effective or properly randomised. The rule is to never assume it’s going to be secure out of the box. Clearly more effort needs to be put into raising awareness about such issues.
At this point it’s worth noting that the Government’s Product Security and Telecommunications Infrastructure Act (PSTI), which came into effect on 29th April 2024, included their new Secure by Design policy. This introduced tougher security standards for device makers and the ability to hit those that fail to comply (both retailers and manufacturers) with financial penalties.
Some examples of the changes include banning easily guessable default passwords (“admin”, “123456” etc.), as well as prompting users to change the default password, not to mention improved support for security issues and a requirement for related network products to state how long they will be supported by vital security patches (firmware updates) etc.
Some of the Improved Security Protections
➤ Common or easily guessable passwords like ‘admin’ or ‘12345’ will be banned to prevent vulnerabilities and hacking.
➤ Manufacturers will have to publish contact details so bugs and issues can be reported and dealt with.
➤ Manufacturers and retailers will have to be open with consumers on the minimum time they can expect to receive important security updates.
The changes touched everything from consumer broadband routers to smartphones, TVs, game consoles, internet-connected fridges and smart doorbells etc.
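To make the two PSTI points above concrete (banning easily guessable default passwords, and telling the customer how long security updates will last), here is a small checker of the kind a router’s admin interface or a home-network audit script might run. This is an added example written for this article, not code from Broadband Genie, the Act or any router vendor: the deny-list, the device details, the dates and the extra rule that a password must not contain the device’s make, model or SSID are all constructed for illustration.

```python
"""Password and support-window checks in the spirit of the PSTI rules.

Added example (not from the article or any vendor). The deny-list, device
record and dates below are constructed for illustration only.
"""
import re
from datetime import date
from typing import Dict, List, Optional

# Constructed deny-list of common factory/default credentials. A real
# deployment would load a much larger published list of breached/default
# passwords rather than this handful.
COMMON_DEFAULTS = {
    "admin", "password", "12345", "123456", "root",
    "guest", "user", "letmein", "qwerty",
}


def _normalise(s: str) -> str:
    """Lower-case and strip punctuation so 'Ad-Min' and 'admin' compare equal."""
    return re.sub(r"[^a-z0-9]", "", s.lower())


def _is_numeric_sequence(digits: str) -> bool:
    """True for runs like 123456 or 987654 (wrapping 9->0 counts as a step)."""
    if len(digits) < 2:
        return False
    step = (int(digits[1]) - int(digits[0])) % 10
    if step not in (1, 9):           # must ascend or descend by exactly one
        return False
    return all((int(b) - int(a)) % 10 == step
               for a, b in zip(digits, digits[1:]))


def check_password(candidate: str, device: Dict[str, str],
                   factory_default: Optional[str] = None,
                   min_length: int = 12) -> List[str]:
    """Return the reasons a candidate admin password should be rejected.

    An empty list means the password passed every check. `device` may carry
    'make', 'model' and 'ssid' keys (assumed field names for this example).
    """
    reasons: List[str] = []
    norm = _normalise(candidate)

    if len(candidate) < min_length:
        reasons.append(f"shorter than {min_length} characters")
    if norm in COMMON_DEFAULTS:
        reasons.append("common or easily guessable default")
    if factory_default is not None and candidate == factory_default:
        reasons.append("still the factory default")
    # Assumed extra rule: the make/model/SSID printed on the sticker must not
    # be part of the password, since anyone nearby can read those.
    for field in ("make", "model", "ssid"):
        value = _normalise(device.get(field, ""))
        if value and value in norm:
            reasons.append(f"contains the device {field}")
    if norm and len(set(norm)) == 1:
        reasons.append("single repeated character")
    if norm.isdigit() and _is_numeric_sequence(norm):
        reasons.append("simple numeric sequence")
    return reasons


def support_status(support_until: date, today: date,
                   warn_days: int = 90) -> str:
    """Classify a device against its published security-update end date."""
    if today > support_until:
        return "unsupported"
    if (support_until - today).days <= warn_days:
        return "ending-soon"
    return "supported"


if __name__ == "__main__":
    # Constructed device record; values are illustrative, not a real product.
    router = {"make": "RouterCo", "model": "Model1234", "ssid": "RouterCo-1234"}
    for pw in ("admin", "RouterCo-Model1234!", "1234567890123", "Xk9#vL2m!Qr7pW"):
        print(f"{pw!r}: {check_password(pw, router) or 'OK'}")
    print(support_status(date(2024, 6, 1), date(2024, 5, 1)))
```

The normalisation step is what stops trivial variants such as “Ad-min” from slipping past a case-sensitive deny-list, and the support-window check is the customer-side counterpart of the new duty on manufacturers to publish a minimum update period: once that date is known, a script can flag the device before, rather than after, it stops receiving patches.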