It has been reported that Sky have had approximately 6 million home routers open to a serious security exploit affecting a total of 6 different models. Concerns have been raised with the company as this took nearly 18 months to be addressed, however they state a fix has now been implemented for all affected devices.
Here are all the devices included in the exploit:
Sky Hub 3 (ER110)
Sky Hub 3.5 (ER115)
Booster 3 (EE120)
Sky Hub 4 (SR203)
Booster 4 (SE210)
If you find yourself with one of these devices, although the exploit has been fixed, Sky confirmed they will replace any of these devices free of charge upon request.
PenTestPartners who carried out the penetration test on the routers voiced concerns that even with the default admin credentials of the router being changed the attack was still possible with a brute force attack, as Sky had not taken the correct steps to prevent an attack of this nature.
This exploit left customers vulnerable to having their personal data stolen by malicious attackers as it would have allowed the whole router to be re-configured and passwords stolen, therefore information such as banking data was at risk.
With Sky initially being alerted of this risk on the 11th May 2020 and a fix for 99% of routers only being disclosed on the 22nd October 2021 it is unusual and strange why this took so long to implement. PenTestPartners said they gave leeway to Sky initially due to the Coronavirus Pandemic and companies being short staffed, however it wasn’t until the BBC got involved that they finally introduced the patch.
If you have any concerns regarding this issue on Sky’s behalf support can be found at https://www.sky.com/help/home
The full report from PenTestPartners can be found here https://www.pentestpartners.com/security-blog/skyfail-6-million-routers-left-exposed/
Published by Curtis Holt