Home routers named ‘Europe’s forgotten internet security risk’

New study says home routers have escaped the scrutiny applied to 5G networks despite carrying 93 per cent of European internet traffic and sitting at the centre of the digital sovereignty debate

Home routers represent one of Europe’s biggest overlooked security risks, researchers have warned.

A new study suggests the devices, which connect homes and businesses to the internet, have become a major blind spot in Europe’s digital sovereignty debate.

Unlike 5G networks, which are run by licensed telecoms operators and subject to national-security scrutiny in Europe, home routers have largely escaped attention despite sitting at the gateway to millions of homes and businesses.

A compromised router can give attackers a route into everything connected to it, from work emails and banking passwords to CCTV footage, family photos and live baby-monitor feeds.

Experts warn that more than half of Europe’s routers and repeaters are supplied by companies based outside the EU.

Chinese manufacturers including ZTE, Huawei, TP-Link, Xiaomi and Tenda are said to account for about 37 per cent of the total EU home networking market, with the rest split between European firms and other non-EU suppliers.

According to the Sovereignty Alliance for European Network Technology, known as SAFENet, the Innovate Europe Foundation and Berlin consultancy iconomy, it gives companies theoretical access to an estimated 95 million European households.

Its report, ‘The Hidden Backbone of Digital Sovereignty: Why Europe Must Care About Internet Routers’, describes routers as the “literal first and last hardware hop of European digital activity” and says they operate largely outside the EU’s sovereignty and supply-chain security framework despite sitting at the heart of the continent’s digital infrastructure.

“While Europe legislated for cloud sovereignty and semiconductor supply chains, the literal first and last hardware hop of European digital activity became a critical supply chain blind spot,” it says.

“Installed in hundreds of millions of European homes and businesses and supplied directly by ISPs with no consumer choice over the manufacturer, these devices sit unscrutinized at the heart of Europe’s digital infrastructure.

“Trusted by default and invisible in practice, they are a potential Trojan horse that no coordinated supply chain security framework currently addresses.”

Most routers have a password to stop the wi-fi network being accessed locally or used by passers-by, neighbours or anyone else within range.

But a strong password does not protect the router itself from security flaws, weak firmware, compromised updates or remote-management systems that can be hacked remotely.

If a router is compromised, traffic passing through it can potentially be inspected, copied or redirected, while the device itself can also be hijacked and used in larger cyberattacks.

The study, published yesterday, argues that Europe already has tools for dealing with high-risk suppliers in other technology sectors but has not applied the same thinking to routers.

It says: “Compromised routers are the primary building block of botnets, large networks of hijacked devices used to launch Distributed Denial of Service attacks, distribute malware, and conduct large-scale credential theft.”

The report also warns that a weakness in one manufacturer’s equipment can quickly become a mass problem across Europe.

SAFENet said router security had been pushed out of the European debate by larger and more visible technology issues.

It said: “Router security and sovereignty has been – and continues to be – crowded out of the European debate and regulation by larger, more visible challenges. It is time to close this gap.”

The alliance is now calling for four measures including clearer labelling of country of origin and legal jurisdiction for network devices, changes to public procurement, stronger supply-chain governance and support for European industrial capacity.

READ MORE: Is Europe regulating the future or forgetting to build it? The hidden flaw in digital sovereignty. As Europe builds on the GDPR and AI Act, the next frontier lies beyond rulebooks and penalties, writes Vendan Kumararajah, who argues that digital sovereignty will endure only if governance, legitimacy and distortion detection are engineered directly into the architecture of AI systems themselves, rather than imposed from outside through compliance alone.

Do you have news to share or expertise to contribute? The European welcomes insights from business leaders and sector specialists. Get in touch with our editorial team to find out more.

_{Main image: Photo by Pascal via Pexels}