Entertainment company Sky took more than 17 months to fix a security flaw that impacted roughly six million routers belonging to its customers.
Six router models were affected by the flaw: Sky Hub 3, Sky Hub 3.5, Booster 3, Sky Hub, Sky Hub 4, and Booster 4.
“It affected users with the default router’s admin password (admin:sky), which was the case for a high percentage of routers,” wrote Pen Test Partners in a blog post.
The flaw could have exposed a victim’s home network to the internet, allowing a cyber-criminal to gain direct access to the victim’s computers and devices.
Pen Test Partners criticized Sky’s snail-paced approach to fixing the vulnerability.
“Sky did not prioritize fixing the issue, taking nearly 18 months to fully resolve it, failing to meet numerous deadlines they set themselves,” said Pen Test Partners.
They added: “Despite having a published vulnerability disclosure program, Sky’s communications were particularly poor and had to be chased multiple times for responses.”
Pen Test Partners grew so frustrated with the entertainment company’s apparent lack of action that it eventually reached out to the BBC on August 6 over the matter.
“Only after we had involved a trusted journalist was the remediation program accelerated,” wrote Pen Test Partners.
Sky said in an email on October 22 that 99% of the affected routers had been updated. The company has offered to replace affected routers free of charge for its customers.
“After being alerted to the risk, we began work on finding a remedy for the problem and we can confirm that a fix has been delivered to all Sky-manufactured products,” said Sky.
Commenting on the news, Burak Agca, security engineer at Lookout said: “This situation shows why there has never been a greater need for zero trust networking strategies to be implemented by companies.
“Understanding whether a network connection has been compromised is critical for data in transit. Zero Trust Network Access (ZTNA) and Cloud Access Security Broker (CASB) services ensure that data and resources are only presented to registered and authenticated users, depending on the type of device and location, and the level of threat exposure.”