Your Old Router Is Becoming the Internet’s Favorite Crime Scene

Routers are the front doors of digital life. They connect laptops, phones, cameras, smart TVs, game consoles, baby monitors, and now a growing pile of internet-linked household gadgets. Yet they are treated like wallpaper. Once the Wi-Fi works, most people never log in again. That habit has created a huge, soft target. Security agencies in several countries have warned for years that old and unpatched routers are being folded into botnets, used as footholds for espionage, or exploited to redirect traffic and steal data. In the United States, the FBI has repeatedly warned about compromised home and office routers. Britain’s National Cyber Security Centre has done the same. This is not fringe panic. It is a well-established weakness hiding in plain sight.

The evidence is not subtle. In 2018, the VPNFilter malware infected hundreds of thousands of networking devices worldwide, including routers used in homes and small businesses. Cisco researchers tied the campaign to a sophisticated operation, and the FBI later urged people to reboot affected devices while broader disruption efforts unfolded. Rebooting was only a temporary fix. The bigger lesson was brutal: everyday internet hardware had been quietly weaponized at scale. Years before that, the Mirai botnet showed what happens when insecure connected devices are left exposed. It helped knock major online services offline in 2016 by marshaling a huge army of compromised devices. Mirai became famous for abusing weak default passwords on cameras and other gadgets, but the wider point still stands. Cheap, neglected internet hardware can be turned into attack infrastructure.

Since then, the problem has not gone away. It has grown up. Attackers do not always need exotic exploits. Sometimes they use default login credentials that owners never changed. Sometimes they use known vulnerabilities in old firmware that vendors patched long ago, assuming anyone bothered to install the update. Sometimes there is no patch at all because the device has reached end of life and the manufacturer has effectively walked away. Consumer group Which? in the UK and the Internet Society have both highlighted a basic but disturbing reality: many connected devices are sold with weak support promises, unclear update lifespans, or security features that ordinary buyers are never taught to use.

This is where the market has failed, and it has failed badly. Consumers are told to be more responsible online, but they are sold products that make responsibility unrealistic. Router settings are often buried behind clumsy interfaces. Security updates may require manual installation. Support pages are difficult to find. End-of-life notices are obscure. Some internet providers ship hardware that customers barely understand and cannot easily replace. That is not user error in the ordinary sense. That is an industry design choice. The system assumes neglect and then acts shocked when criminals exploit it.

Small businesses are especially exposed. They often run on consumer-grade or aging office networking gear because it is cheap and familiar. They may not have dedicated IT staff. They may use the same router for years while storing payroll records, customer data, and payment information behind it. When that device is compromised, the damage can spread quietly. Criminals can intercept traffic, plant malware, recruit the device into a botnet, or use it as a pivot point into more valuable systems. The U.S. Cybersecurity and Infrastructure Security Agency has repeatedly warned that edge devices such as routers and firewalls are attractive targets because they sit at the boundary of networks and are often poorly monitored.

There is also a national security angle that deserves more public attention. State-backed groups do not only chase giant defense contractors or intelligence agencies. They often exploit common internet-facing hardware because it is efficient and scalable. In recent years, Western governments have issued joint advisories about espionage groups targeting routers, firewalls, and VPN appliances made by major vendors. The point is not that every old router is under active state surveillance. That would be reckless to claim. The point is that these devices are recognized strategic targets because compromising them can offer stealth, persistence, and access. That should alarm anyone who thinks only high-profile institutions matter.

The consequences hit ordinary people first. A hijacked router can slow connections, push users toward fake websites through malicious DNS changes, expose browsing traffic, or leave smart home devices open to abuse. In a family home, that can mean children’s devices, work laptops, and private communications all sharing the same poisoned gateway. In a clinic, shop, or local office, it can mean real business disruption and costly recovery. Cybersecurity is often sold as an abstract war in the cloud. In reality, it can begin with one outdated plastic box sitting next to a television.

There are fixes, and they are not mysterious. The first is brutally simple: replace old routers before they fail, not after. If a device no longer receives security updates, it should be treated as unsafe internet infrastructure, not as a bargain. Buyers should favor vendors that clearly state update policies. The second is to change default administrator passwords and disable remote management unless it is truly needed. The third is to install firmware updates promptly, whether the device came from a store shelf or an internet service provider. Agencies like CISA and the NCSC also recommend disabling unused features, using strong Wi-Fi encryption, and restarting devices when there is a credible active threat, though a restart alone is never enough if the underlying weakness remains.

But individual action is not enough. Regulators and manufacturers need to stop pretending that security is an optional premium feature. Some progress is finally visible. The UK’s Product Security and Telecommunications Infrastructure Act targets insecure default passwords and other basic failures in connected products. The European Union’s Cyber Resilience Act aims to push security obligations onto manufacturers. Those moves matter because the current model is upside down. Consumers should not need expert-level vigilance to own basic internet equipment safely.

The old fantasy of cybersecurity says danger arrives through a single reckless click. Sometimes it does. But the more uncomfortable reality is that risk is often built into the devices people are told to trust and then forget. The router in the corner is not boring infrastructure anymore. It is contested ground. And every year we keep treating it like an appliance instead of a security device, we hand criminals one more easy victory.