Sky broadband routers had major security flaw

19 November 2021, 14:50   By Dr Lucy Brown, Editor

A researcher identified a flaw in Sky's security that affected around six million home broadband routers.

The flaw could have enabled hackers to easily take over a home network, although it has now been fixed and there is no evidence it was ever exploited.

Sky were criticised for the delay in implementing the fix after researchers said they first alerted the provider to the problem in May 2020.

In response, Sky said providing an update at such a large scale took time.

Security flaw

A researcher from security consultancy Pen Test Partners first identified the flaw in May 2020 and alerted Sky immediately.

The vulnerability affected customers who hadn't changed their router's default admin password and could have allowed their home network to be accessed by hackers.

If a customer had clicked on a malicious link or visited a malicious website, their network could have been compromised.

The following six models were identified as vulnerable:

  • Sky Hub 3 (ER110)
  • Sky Hub 3.5 (ER115)
  • Booster 3 (EE120)
  • Sky Hub (SR101)
  • Sky Hub 4 (SR203)
  • Booster 4 (SE210)

However, the passwords on the Sky Hub 4 and Booster 4 were randomly generated, making them more difficult for a hacker to exploit than the passwords included with the other models.

The security flaw has now been patched by Sky across all their Sky-manufactured products.

Around 1% of customers have routers that are issued by Sky but not manufactured by the company and they can ask for a free replacement from their broadband provider.

Delay

Pen Test Partners first alerted Sky to the vulnerability in May 2020 and have been critical of the company's delay in fixing the flaw.

According to Pen Test's timeline, Sky acknowledged their concerns within a few days, but then said they would push the security upgrades to customers in November 2020, seven months after the vulnerability was identified.

50% of models had been patched by May 2021 while this figure only rose to 99% of all routers by the end of October 2021. This was almost 18 months after the initial report.

While Pen Test Partners could have published details of the vulnerability after 90 days, they opted not to due to the coronavirus crisis and a reluctance to draw attention to the flaw. Instead, they enlisted a journalist to help apply pressure to Sky.

Sky responded by saying that a large-scale update like this one took time. They added that they began working on a fix as soon as they were alerted to the risk.

Router vulnerabilities

Sky is hardly the first ISP to suffer from a router security flaw.

We've reported twice on Virgin's Super Hub 2 having issues in 2014 and 2017, plus Hyperoptic admitted in 2018 their ZTE router had been affected by a serious vulnerability.

Yet the 18-month delay in applying a fix for all their customers is embarrassing for Sky, who are the second biggest ISP in the UK after BT.

It means around six million customers were left vulnerable to a serious security flaw which could have resulted in a customer's home network being compromised.

The timeline provided by Pen Test Partners takes into consideration the difficulties caused by the coronavirus outbreak and they originally thought a seven-month delay was fair given the difficult circumstances.

However, it was only a year later that 99% of routers were completely patched, and Sky's statement that such an update takes time would not have been so palatable if there was any evidence the flaw had been exploited.

One of the easiest ways to protect your home router is to change the default admin password, as it was default passwords that were vulnerable in Sky's routers.

We've got more details on that and other steps to take in our guide on how to protect your wireless router.
