Sky broadband has finally fixed a significant flaw affecting over six million routers, more than a year after it was alerted about the flaw by Pen Test Partners.
First identified by cyber security researchers at Pen Test Partners last year, around six million routers offered by Sky broadband featured, until recently, a significant flaw that could have allowed threat actors to reconfigure a Sky home router simply by directing the user to a malicious website via a phishing email.
According to security researchers, these routers featured a DNS rebinding vulnerability that allowed malicious actors to automatically gain control over these devices, provided users did not change the default admin credentials. A hacker could perform this action by making a user visit a malicious page controlled by them.
“With remote management enabled, the attacker could connect directly to the router’s web application and modify any settings, such as setup up a DMZ server or configure port forwarding, exposing the internal home network to the internet,” they said.
The affected models were Sky Hub 3 (ER110), Sky Hub 3.5 (ER115), Booster 3 (EE120), Sky Hub (SR101), Sky Hub 4 (SR203), and Booster 4 (SE210). Any of these routers with default admin passwords could have been affected due to the security flaw. Model Sky Hub 4 (SR203) and Booster 4 (SE210) were a bit secured compared to the rest as these two devices came with a randomly generated admin password, which would have been harder to exploit by the threat actors.
The vulnerability was first discovered in May last year and Pen Test Partners promptly informed Sky about the same. Sky, though acknowledged the issue, said that it would push the updates in November 2020. After getting multiple timelines for the necessary update, Pen Test Partners followed up with Sky a year later and was informed that 50% of the affected routers were patched. The remaining 50% were targeted to be patched in the summer. Finally, on 22 October this year, researchers received a confirmation from Sky that 99% of the affected routers were updated.
“Sky did not prioritise fixing the issue, taking nearly 18 months to fully resolve it, failing to meet numerous deadlines they set themselves. Despite having a published vulnerability disclosure programme, Sky’s communications were particularly poor and had to be chased multiple times for responses. Only after we had involved a trusted journalist was the remediation programme accelerated,” Pen Test Partners said.
Sky said that an update at such a huge scale is time-consuming, however, that has now been done. “We take the safety and security of our customers very seriously. After being alerted to the risk, we began work on finding a remedy for the problem and we can confirm that a fix has been delivered to all Sky-manufactured products,” the broadband provider said.
Commenting on the news, Martin Jartelius, CSO, Outpost24 told Teiss, “Router farming, most often via CSRF attacks against default credentials and then exploitation either by redirecting traffic from the device or hijacking the device itself, have for years been a problem.
“It’s decreasing as more providers have nonstandard administration passwords which have improved the situation overall, but there are readily available frameworks for attackers who link large exploit kits on pages online, rather doing this on an opportunistic basis as users visit the sites rather than targeting an individual – a relatively unlikely attack.
“While this can hijack traffic and expose users to risk, an attacker still cannot intercept communication to for example a banking website as long as this site uses properly configured TLS, so the risk as such is quite exaggerated, but the advice at the end – change default credentials on devices you purchase – remains a very healthy set of recommendations.”