Millions of Sky customers potentially affected by router security flaw

November 24, 2021

Six million Sky broadband routers have been hit with a significant software bug that could potentially have allowed hackers to gain access to home networks, it has been revealed.

After a long 18 months, Sky managed to fix the problem, but the vulnerability could have affected customers who had not changed the original password that was set on the router. Sky said an update at such scale took time.

“We take the safety and security of our customers very seriously,” Sky said. “After being alerted to the risk, we began work on finding a remedy for the problem and we can confirm that a fix has been delivered to all Sky-manufactured products.”

Affected models were:

• Sky Hub 3 (ER110)

• Sky Hub 3.5 (ER115)

• Booster 3 (EE120)

• Sky Hub (SR101)

• Sky Hub 4 (SR203)

• Booster 4 (SE210)

The last two devices, however, came with a randomly generated admin password, which would have made the flaw harder for a hacker to exploit. In addition, about 1% of routers issued by Sky are not made by the company itself. Customers who have one can now ask for it to be replaced free of charge.

Stealing passwords

The flaw in software code, found by researcher Raf Fini, from Pen Test Partners, would have allowed a hacker to reconfigure a home router simply by directing the user to a malicious website via a phishing email.

Then they could “take over someone’s online life”, stealing vital information for banking and other websites, Pen Test Partners’ Ken Munro told BBC News. There was no evidence the flaw had been exploited but the delay in fixing it was baffling, he said.

“While the coronavirus pandemic put many internet service providers under pressure, as people moved to working from home, taking well over a year to fix an easily exploited security flaw simply isn’t acceptable,” he said.

Child abuse

“Anyone with a router should change passwords from the ones set by default,” Mr Munro added. Earlier this year, it was discovered that an insecure Vodafone router with a default password may have allowed a hacker to take over a couple’s wi-fi and use it to upload illegal images of child abuse to the internet.

The couple faced a police investigation that caused massive disruption to their lives and led to mental health problems. In May, consumer watchdog Which? warned that millions of routers that had missed years’ worth of critical security updates, making them ripe for exploitation by hackers, remained in use in the UK.
