The Most Important, Least Protected Device
Your Wi-Fi router is the digital front door to your home. Every device you own—laptops, phones, smart TVs, security cameras, and even refrigerators—connects through it. If a criminal wants to get into your house, they’ll try the door first. In the digital world,
that door is your router. A compromised router can allow attackers to monitor your internet activity, steal personal data, and even use your network to launch further attacks. Despite this, many routers are sold with a "fire and forget" mentality. They work out of the box, but the security support from the manufacturer often has a very short shelf life, sometimes as little as a few years. Unlike your phone, which constantly reminds you to update, your router’s slow slide into obsolescence is silent and invisible.
A Flawed Business Model
Why is router security so neglected? The answer lies in business incentives. In the hyper-competitive smartphone market, manufacturers like Google and Samsung now promise seven years or more of security updates, turning long-term support into a key selling point. For router manufacturers, the opposite is often true. Their business model relies on selling new hardware. There is little financial incentive to spend resources developing and pushing security patches for older devices that are already sold. In fact, a device that becomes insecure might actually encourage a customer to buy a new one. This creates a dangerous situation where millions of perfectly functional routers become vulnerable 'zombie devices' because their manufacturers have simply moved on. These devices can be hijacked to form massive botnets, like Mirai, that can disrupt internet services on a large scale.
The ISP's Locked Box
The situation becomes even more complicated with routers provided by Internet Service Providers (ISPs). A majority of households use the equipment their provider gives them. These devices are often locked down, preventing users from making configuration changes or even knowing when the firmware was last updated. While the ISP is responsible for security, they can be slow to push out critical patches, leaving customers exposed. In India, while there are growing security requirements for telecom equipment, the responsibility for timely consumer-level updates remains a grey area. The Indian Computer Emergency Response Team (CERT-In) frequently issues warnings about vulnerabilities in popular router models, but the onus is often on the user to ensure their specific device, whether self-bought or ISP-provided, is patched.
A Push for Accountability
The tide is beginning to turn, albeit slowly. Governments and consumer groups are recognizing the systemic risk posed by insecure connected devices. Regulatory efforts in the EU, US, and UK are pushing for clearer standards, including rules that mandate how long a product must be supported with security updates. The EU's Cyber Resilience Act and the US's IoT Cybersecurity Improvement Act are steps toward holding manufacturers accountable. Furthermore, some proposals specifically call for ISPs to be responsible for replacing end-of-life devices they have provided to customers. Consumer advocacy groups argue that, just like with a car or an appliance, a customer has a right to know the expected secure lifespan of a product at the point of sale.
















