Incident: Sky Routers Vulnerable to Hacker Takeover Due to Software Bug

Published Date: 2021-11-19

Postmortem Analysis
Timeline 1. The software failure incident with the six million Sky routers happened around 18 months before the article was published on November 19, 2021 [121149]. Therefore, the software failure incident with the Sky routers likely occurred around May 2020.
System 1. Sky routers (Sky Hub 3 (ER110), Sky Hub 3.5 (ER115), Booster 3 (EE120), Sky Hub (SR101), Sky Hub 4 (SR203), Booster 4 (SE210)) [121149]
Responsible Organization 1. Sky - The software failure incident was caused by a significant software bug in about six million Sky routers [121149].
Impacted Organization 1. Customers who had not changed the default admin password on the affected Sky routers [121149]
Software Causes 1. The software cause of the failure incident was a significant software bug in about six million Sky routers that could have allowed hackers to take over home networks [121149].
Non-software Causes 1. Lack of changing default admin passwords on the affected Sky routers [121149] 2. Insecure default passwords on the Vodafone router discovered earlier by BBC News [121149]
Impacts 1. The software failure incident with the Sky routers potentially exposed about six million users to the risk of hackers taking over their home networks, leading to a significant security threat [121149]. 2. The vulnerability in the routers could have allowed hackers to reconfigure the devices by directing users to malicious websites through phishing emails, potentially leading to the theft of sensitive information such as banking passwords [121149]. 3. The delay in addressing the software bug, which took Sky 18 months to fix, raised concerns about the security practices and response time of the company, especially in the context of the increasing reliance on home networks due to the COVID-19 pandemic [121149]. 4. The incident highlighted the importance of changing default passwords on routers to enhance security and prevent potential exploitation by malicious actors [121149]. 5. The article also referenced a separate incident involving an insecure Vodafone router with a default password that allowed unauthorized access, leading to the uploading of illegal images of child abuse by a stranger, resulting in a police investigation and significant disruptions for the affected couple [121149].
Preventions 1. Implementing strong default admin passwords for all router models could have prevented the software failure incident [121149]. 2. Conducting regular security audits and vulnerability assessments on the router software to identify and address potential flaws promptly could have prevented the incident [121149]. 3. Providing timely software updates and patches to address known vulnerabilities could have prevented the exploitation of the software bug by hackers [121149].
Fixes 1. Changing the default admin password on the affected Sky routers could fix the software failure incident [121149]. 2. Implementing a fix delivered by Sky to all Sky-manufactured products could address the software bug [121149]. 3. Requesting a replacement for routers not manufactured by Sky, which are a small percentage of the total, could also resolve the issue [121149].
References 1. Security company revealing the software bug affecting six million Sky routers [Article 121149] 2. Researcher Raf Fini from Pen Test Partners who found the flaw in the software code [Article 121149] 3. Ken Munro from Pen Test Partners providing insights on the security flaw and its implications [Article 121149] 4. BBC News reporting on the incident and providing additional details and context [Article 121149]

Software Taxonomy of Faults

Category Option Rationale
Recurring one_organization, multiple_organization (a) The software failure incident having happened again at one_organization: The article [121149] reports that Sky had a significant software bug in about six million routers that could have allowed hackers to take over home networks. This incident highlights a security flaw that could have serious consequences for users if exploited. Sky took 18 months to address this vulnerability, indicating a delay in fixing the issue within their own products. (b) The software failure incident having happened again at multiple_organization: The article [121149] mentions an earlier incident involving an insecure Vodafone router with a default password that allowed a stranger to take over a couple's Wi-Fi. This incident, although not directly related to the Sky router vulnerability, shows a similar pattern of security flaws in routers across different organizations, indicating a broader issue in the industry regarding default password vulnerabilities.
Phase (Design/Operation) design (a) The software failure incident in the article was related to the design phase. The security flaw in the Sky routers was due to a software bug that could have been exploited by hackers. The flaw in the software code allowed a hacker to reconfigure a home router simply by directing the user to a malicious website via a phishing email, potentially leading to the theft of passwords for banking and other websites [121149]. (b) The software failure incident was not directly related to the operation phase or misuse of the system.
Boundary (Internal/External) within_system (a) The software failure incident related to the Sky routers having a serious security flaw can be categorized as within_system. The vulnerability in the software code that could have allowed hackers to take over home networks was a result of a software bug within the system itself. The delay in fixing the flaw by Sky was also highlighted as an internal issue, with the article mentioning that it took Sky 18 months to address the problem despite being alerted to the risk [121149].
Nature (Human/Non-human) non-human_actions, human_actions (a) The software failure incident in the article was primarily due to non-human actions, specifically a software bug in the Sky routers that could have been exploited by hackers [121149]. (b) However, human actions also played a role in exacerbating the situation as the delay in fixing the software bug by Sky took 18 months, which was considered unacceptable by security researchers [121149]. Additionally, the article mentions the importance of users changing default passwords to prevent exploitation by hackers, highlighting the significance of human actions in ensuring cybersecurity [121149].
Dimension (Hardware/Software) hardware, software (a) The software failure incident reported in the article [121149] was due to contributing factors originating in hardware. The article mentions that about six million Sky routers had a significant software bug that could have allowed hackers to take over home networks. The vulnerability stemmed from a flaw in the software code of the routers, which could be exploited by directing users to a malicious website via a phishing email. This flaw in the software code was discovered by a researcher, indicating that the root cause of the failure was related to the hardware (routers) themselves. (b) The software failure incident reported in the article [121149] was also due to contributing factors originating in software. The article highlights that the software bug in the Sky routers allowed hackers to reconfigure the routers and potentially take over users' online lives by stealing passwords for banking and other websites. The delay in fixing this software vulnerability was criticized, indicating that the software flaw was a significant factor in the failure incident. The need for users to change default passwords also points to a software-related issue in ensuring the security of the routers.
Objective (Malicious/Non-malicious) malicious (a) The software failure incident reported in the article is malicious in nature. The security flaw in the Sky routers was a software bug that could have been exploited by hackers to take over home networks. The vulnerability could have allowed hackers to reconfigure a home router by directing the user to a malicious website via a phishing email, potentially leading to the theft of passwords for banking and other websites [121149].
Intent (Poor/Accidental Decisions) poor_decisions (a) The intent of the software failure incident was poor_decisions as the software bug in the Sky routers was a result of a vulnerability in the software code that could have allowed hackers to take over home networks. The delay in fixing the vulnerability, which took Sky 18 months to address, was criticized as unacceptable by security researchers. The delay in addressing the easily exploitable security flaw was attributed to poor decision-making, especially considering the potential risks involved in allowing hackers to reconfigure routers and potentially steal sensitive information like banking passwords [121149].
Capability (Incompetence/Accidental) development_incompetence, accidental (a) The software failure incident related to development incompetence is evident in the article. The security flaw in the Sky routers, which could have been exploited by hackers, was due to a software bug that took Sky 18 months to address. The delay in fixing the vulnerability, which could have allowed hackers to take over home networks, was criticized by researchers as unacceptable. Despite being alerted to the risk, Sky took a significant amount of time to provide a fix, indicating a lack of prompt action and potentially showcasing a level of development incompetence in addressing critical security issues [121149]. (b) The accidental aspect of the software failure incident is also highlighted in the article. The flaw in the software code that allowed a hacker to reconfigure a home router by directing the user to a malicious website via a phishing email was discovered by a researcher. This accidental vulnerability could have led to serious consequences, such as stealing passwords for banking and other websites. The delay in fixing this flaw was described as baffling, indicating that the introduction of such a vulnerability may have been accidental, but the failure to promptly address it was a significant issue [121149].
Duration temporary (a) The software failure incident in the article was temporary. The article mentions that there was a significant software bug in about six million Sky routers that could have allowed hackers to take over home networks. However, the problem has been fixed by Sky after being alerted to the risk, and a remedy has been delivered to all affected Sky-manufactured products [121149]. (b) The software failure incident was also temporary as it took Sky 18 months to address the vulnerability in the routers. The delay in fixing the easily exploited security flaw was criticized, indicating that the failure was not permanent but rather due to certain circumstances that led to the delay in addressing the issue [121149].
Behaviour omission, value, other (a) crash: The article does not mention a crash as the behavior of the software failure incident. (b) omission: The software failure incident in the article is related to a serious security flaw in Sky routers that could have allowed hackers to take over home networks. This flaw was due to a software bug that could have been exploited by hackers, potentially leading to the omission of the router's intended security functions [121149]. (c) timing: The article does not mention timing as the behavior of the software failure incident. (d) value: The software failure incident in the article is related to a vulnerability in the software code of Sky routers that could have allowed hackers to reconfigure a home router and potentially steal passwords for banking and other websites. This indicates a failure in the system performing its intended functions incorrectly, leading to a breach of security and privacy [121149]. (e) byzantine: The article does not mention a byzantine behavior as the behavior of the software failure incident. (f) other: The software failure incident in the article also highlights the delay in fixing the software bug, which allowed the vulnerability to persist for 18 months before being addressed by Sky. This delay in addressing a critical security flaw could be considered as a failure in the system's response and mitigation process, which does not fit into the other categories mentioned [121149].

IoT System Layer

Layer Option Rationale
Perception None None
Communication None None
Application None None

Other Details

Category Option Rationale
Consequence property, theoretical_consequence The consequence of the software failure incident reported in the article [121149] was primarily related to potential harm and property impact due to the security flaw in the Sky routers. The vulnerability could have allowed hackers to take over home networks, potentially leading to stealing passwords for banking and other websites, as well as taking over someone's online life. While there was no evidence that the flaw had been exploited, the delay in fixing it was criticized as unacceptable. Additionally, the article mentioned a previous incident involving an insecure Vodafone router with a default password that allowed a stranger to take over a couple's Wi-Fi, leading to the uploading of illegal images of child abuse and causing significant disruption to the couple's lives and mental health.
Domain information, finance, government (a) The software failure incident reported in the article [121149] is related to the information industry. The Sky routers, which had a serious security flaw due to a software bug, are essential for providing internet connectivity and facilitating the distribution of information to users. The vulnerability in the routers could have allowed hackers to take over home networks, potentially compromising the security and privacy of the users' information. (h) The incident also has implications for the finance industry. The security flaw in the Sky routers could have enabled hackers to steal passwords for banking websites and other financial platforms, posing a significant risk to the security of financial information and transactions. (l) Furthermore, the government sector is indirectly impacted by this software failure incident. Ensuring the security of internet infrastructure and home networks is crucial for maintaining national cybersecurity and protecting citizens from potential cyber threats. The delay in addressing the software bug in the routers could have exposed individuals to risks related to privacy and security, which are areas of concern for government agencies involved in cybersecurity and data protection.

Sources

Back to List