New research by Broadband Genie has found that routers across the UK could be at risk from hackers and viruses because many don’t know how to manage basic security and maintenance features on Wi-Fi routers, or are even aware of why it's important.
We asked 2,205 people aged 18+ about whether they had carried out simple tasks like changing their Wi-Fi password, changing their router admin password or updating the router’s firmware.
What we discovered is that there are potentially millions of home Wi-Fi hubs left vulnerable because many people are not making use of key features in their home broadband routers..
82% of respondents have never changed their administrator password, which can be risky as the default passwords are often insecure and shared across all routers of that brand or model range. A significant number have also never updated the firmware and could be vulnerable to known security exploits.
Perhaps most concerning, 51% say they have never carried out any of the actions listed, potentially leaving them open to all manner of security and reliability issues affecting their broadband and any devices connected to the router.
We also asked respondents to give the main reason why they had not carried out any of the tasks listed.
Worryingly, 48% said they did not know why they would need to make these changes, while 34% said they didn't know how. A small percentage (6%) said they could not find clear instructions.
This suggests that as well as patching security holes and upgrading hardware when it becomes outdated, broadband ISPs should also be ensuring they offer help pitched at complete beginners, including explanations of why it is important to secure Wi-Fi routers.
Q&A with Avast Software
We spoke to Gagan Singh, SVP & GM Mobile at security firm Avast Software, about what can happen if you don't secure a home broadband router.
Broadband Genie: What are the risks from not updating your router's firmware?
Gagan Singh: It has been five years since the first well-publicised hack of a baby monitor in Texas. Since then, Internet of Things (IoT) devices have transformed our homes and workplaces, but the security of these connected devices has not been significantly improved and users are still at risk. We increasingly expect convenience and enjoyment from smart devices like smart speakers, smart doorbells or cameras, but with this rapid adoption comes a real urgency to address the complex challenge of protecting them. The first step is to ensure the gateway into the home, the router, is secure. Otherwise, it can offer cybercriminals an easy way to get into our homes and access our personal information.
The reality is that many smart devices can be compromised, including thermostats, streaming boxes, webcams and digital personal assistants all through the router – and consumers and small businesses are among the most vulnerable users. One of the more common types of attack is when cybercriminals hack thousands of IoT devices in unsuspecting households to create networks of infected devices known as botnets to perform attacks on others. We expect to see an increase in this type of criminal activity along with personal data theft and threats to physical security in 2018 and beyond.
If the latest firmware isn’t installed there could be vulnerabilities in a router that cybercriminals can exploit to access the entire network and all devices connected to it.
BBG: How important is it to change the original Wi-Fi, router administration passwords and update the router firmware?
GS: From a password security perspective, a cyber attacker can play a guessing game to access details for an individual IoT device or router. People need to be aware that poor password security for any connected device can leave them vulnerable to cyber criminals. While many people understand that safe passwords are needed on mobile, tablet or laptops, many are not aware of the dangers it poses within a connected home environment when it comes to a router, smart meter or gaming console.
There are rainbow tables (a precomputed table for reversing cryptographic hash functions, used for cracking password hashes) which include the most common passwords for certain devices. It is then up to the cybercriminal to download the common passwords for the IoT device they are trying to hack and keep going until they crack it. It as a process of elimination. In terms of danger levels, this part is easy to fix – by users changing passwords as soon as a device is installed, ensuring passwords are strong, and not re-using passwords for multiple sites or devices.
BBG: Any other comments or advice you would like to add?
GS: It is also important to install strong security software to identify if any devices connected to your home network are vulnerable. Most attacks to smart devices typically occur for two reasons: either because the person failed to update the device with the latest software version from the manufacturer, or the manufacturer didn’t provide an update, a patch, to protect from known vulnerabilities. There are very good free antivirus (AV) packages like Avast Free Antivirus that block malware, spyware and also detect weaknesses in Wi-Fi networks. If there’s a device within your network that’s vulnerable, the software will discover it. At this point, it’s important to check if an update is available to patch the issue immediately.
Wi-Fi router security basics
An insecure router can put your privacy at risk, allow an attacker to disrupt your broadband, and expose all connected devices to hackers and viruses. But there are things anybody can do to improve the security of a Wi-Fi hub.
In order to make changes to your router it is necessary to access the admin panel. We can’t provide the exact steps as it varies depending on make and model, but generally you use a web browser to connect to the router’s IP address (for example:
http://192.168.0.1), then enter a password. The instructions for your router will be found in the user manual, or perhaps on a sticker attached to the router.
Change the admin password
Admin access grants complete control over the router. On many routers the default password is very basic (often “admin”) and identical across every router from that brand or range. For that reason changing the admin password to a secure and unique phrase should be the first thing you do.
Change the Wi-Fi network name and password
The Wi-Fi network name (or SSID - Service Set Identifier) can give away the make and model of your router making it easier for an attacker to find exploits or default passwords, so change that to give them a little more of a challenge.
You should also choose a unique Wi-Fi password. Although newer routers tend to have random and reasonably secure passwords out of the box, it’s also common for the routers supplied by ISPs to have these details printed on a sticker attached to the router itself, making it easy for visitors or kids to gain access without your knowledge.
Checking connected devices
Watch for unauthorised connections by using your admin panel to view all devices currently connected to the router (both wired and wirelessly). It’s not always obvious what the connected devices are so you may need to match the MAC address to a device to confirm it’s one of yours - most routers will allow you to assign a nickname for easy identification in the future.
Firmware is the router’s operating system, and not keeping this up to date can mean you’re exposed to known security flaws. Get in the habit of checking for updates via the admin panel regularly to stay protected against the latest threats.
These are just some of the basics you need to know, for more information read our guide to Wi-Fi router security.