A security company has revealed that millions of Sky routers had a software bug that wasn’t addressed and fixed for 18 months.
According to Pen Test Partners, six million Sky routers had this security flaw.
Any Sky internet customers who hadn’t changed their router’s default admin password could have been at risk, with hackers potentially able to take over their home network. There is no evidence that cybercriminals had found and exploited this flaw, but questions are still being asked.
Sky say problem is fixed, but why did it take 18 months to do it?
Speaking about the problem, Sky told the BBC that updates at such scale took time. Yet, it wouldn’t have taken 18 months to email affected customers asking them to change their passwords.
Sky said: “We take the safety and security of our customers very seriously.
“After being alerted to the risk, we began work on finding a remedy for the problem and we can confirm that a fix has been delivered to all Sky-manufactured products.”
Customers with the following router models were affected:
- Sky Hub 3 (ER110)
- Sky Hub 3.5 (ER115)
- Booster 3 (EE120)
- Sky Hub (SR101)
- Sky Hub 4 (SR203)
- Booster 4 (SE210)
Thankfully, the Sky Hub 4 and Booster 4 models both went into homes with randomly generated admin passwords rather than a default, meaning cybercriminals would have had a tougher time hacking these.
What problems could the security flaw have led to?
Pen Test Partners said hackers would have been able to reconfigure a router by directing users to a malicious website using a phishing email. From there, they could steal passwords for banking platforms and other financial services used by the Sky customer.
Faf Fini, a researcher at Pen Test Partners, also wondered why it had taken so long to fix the issue.
Fini said: “While the coronavirus pandemic put many internet service providers under pressure, as people moved to working from home, taking well over a year to fix an easily exploited security flaw simply isn’t acceptable.”
Similar issues have previously led to serious allegations
Earlier this year, another BBC report highlighted the case of a couple who faced a police investigation after child abuse images had been uploaded online from their IP address. They were only cleared after a check of their devices showed the images hadn’t originated from either of them.