Millions of Sky routers suffered from a vulnerability that would have allowed a customer’s home network to be compromised by hackers.
Researchers from Pen Test Partners found that the routers were exposed to DNS rebinding, a technique that defeats the browser's same-origin policy, so that any router still using the default administrator password could be taken over by a web page the customer visited.
The default credentials (username admin, password sky) were in use on a high proportion of routers, the researchers said, but a brute-force attack (in which the attacker systematically tries candidate passwords) could also be used against routers whose password had been changed.
The attack only required the victim to visit a malicious website. The attacker's domain first resolves to the attacker's server, which serves the page; shortly afterwards the same domain is re-resolved to the router's private IP address (for example 192.168.0.1). Because the browser decides what counts as the same origin by hostname rather than by IP address, script on the page can now send requests to the router's admin interface and read the responses, log in with the default credentials, and from there reach the computers and devices on the home network.
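The sequence above, as an added worked example that is not code from Sky, Pen Test Partners or the article: a small Python model of a browser, an attacker-controlled resolver with a one-second TTL, and a router admin page. The domain name (evil.example), the attacker address (203.0.113.10, from the documentation range) and the router address (192.168.0.1) are assumptions chosen for the illustration; the only credential is the admin:sky default the article reports. The `validate_host` switch on the router is the standard mitigation for rebinding, which is to refuse any request whose Host header does not name the router itself.

```python
"""Toy model of a DNS rebinding attack on a home router's admin interface.

Constructed example: the attacker domain, the two IP addresses and the
router's behaviour are assumptions for illustration, not Sky's firmware.
"""
from dataclasses import dataclass

ATTACKER_DOMAIN = "evil.example"   # hypothetical attacker-controlled name
ATTACKER_IP = "203.0.113.10"       # hypothetical attacker web server (TEST-NET-3)
ROUTER_IP = "192.168.0.1"          # assumed LAN address of the router
DEFAULT_CREDS = ("admin", "sky")   # default reported in the article


class RebindingResolver:
    """Attacker's authoritative DNS for ATTACKER_DOMAIN.

    The first answer points at the attacker's server with a 1-second TTL;
    once a browser asks again, the answer is the victim's router address.
    """

    def __init__(self):
        self.queries = 0

    def resolve(self, name):
        if name != ATTACKER_DOMAIN:
            raise KeyError(name)
        self.queries += 1
        ttl = 1
        return (ATTACKER_IP if self.queries == 1 else ROUTER_IP), ttl


@dataclass
class Router:
    """Admin interface. validate_host=False reproduces the vulnerable behaviour."""
    password: str = DEFAULT_CREDS[1]
    validate_host: bool = False

    def handle(self, host_header, path, auth):
        # Mitigation: only serve requests whose Host header names the router.
        if self.validate_host and host_header != ROUTER_IP:
            return 421, "misdirected request"
        if auth != ("admin", self.password):
            return 401, "unauthorized"
        return 200, f"admin page {path}"


def attacker_site(host_header, path, auth):
    """The malicious page: its script waits for the TTL to lapse, then calls
    /admin on its *own* origin, which by then resolves to the router."""
    return 200, "<script>setTimeout(() => fetch('/admin'), 2000)</script>"


class Browser:
    """Minimal browser: a DNS cache honouring TTLs and a same-origin check
    keyed on hostname (which is exactly what rebinding exploits)."""

    def __init__(self, resolver, hosts):
        self.resolver = resolver
        self.hosts = hosts        # ip -> request handler
        self.dns_cache = {}       # name -> (ip, expires_at)

    def _lookup(self, name, now):
        cached = self.dns_cache.get(name)
        if cached and cached[1] > now:
            return cached[0]
        ip, ttl = self.resolver.resolve(name)
        self.dns_cache[name] = (ip, now + ttl)
        return ip

    def fetch(self, page_origin, url_host, path, now, auth=None):
        """Script on page_origin requests http://url_host/path at time `now`."""
        if url_host != page_origin:
            return 0, "blocked: cross-origin response is not readable"
        ip = self._lookup(url_host, now)
        return self.hosts[ip](host_header=url_host, path=path, auth=auth)


def run_attack(router):
    """Returns (status of a direct cross-origin attempt, status via rebinding)."""
    resolver = RebindingResolver()
    browser = Browser(resolver, {ATTACKER_IP: attacker_site,
                                 ROUTER_IP: router.handle})
    # t=0: the victim loads the malicious page; the name resolves to the attacker.
    browser.fetch(ATTACKER_DOMAIN, ATTACKER_DOMAIN, "/", now=0)
    # t=0: the script tries the router by address; same-origin policy stops it.
    direct = browser.fetch(ATTACKER_DOMAIN, ROUTER_IP, "/admin", now=0,
                           auth=DEFAULT_CREDS)
    # t=2: TTL expired, the attacker's name now resolves to the router, and the
    # request is same-origin as far as the browser is concerned.
    rebound = browser.fetch(ATTACKER_DOMAIN, ATTACKER_DOMAIN, "/admin", now=2,
                            auth=DEFAULT_CREDS)
    return direct[0], rebound[0]


if __name__ == "__main__":
    print("vulnerable:     ", run_attack(Router()))
    print("host validated: ", run_attack(Router(validate_host=True)))
    print("password changed", run_attack(Router(password="correct-horse")))
```

The model shows the two things the article turns on: the direct request to 192.168.0.1 is refused by the browser, but the rebound request to the attacker's own hostname is accepted, so the only defences left are the router's own. Checking the Host header stops the attack regardless of the password; changing the password makes the rebound request fail with 401, but an attacker who can reach the admin page this way can keep guessing, which is the brute-force route the researchers mention. Real browsers cache DNS results for longer than the TTL in many cases, which is why real rebinding pages keep the victim's tab open and retry rather than relying on a single two-second wait.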
The Sky Hub 3 (ER110), Sky Hub 3.5 (ER115), Booster 3 (EE120), Sky Hub (SR101), Sky Hub 4 (SR203), and Booster 4 (SE210) were all affected by the issue.
“A key factor that allowed the routers to be automatically taken over via the DNS rebinding vulnerability was the default credentials used by most versions of the Sky devices”, Pen Test Partners wrote.
“Although a brute force attack could be used to discover non-default passwords, a custom password would significantly decrease the chances of a successful attack. Few customers change their router admin passwords from the default.”
The devices are now being patched automatically by Sky, but Pen Test Partners says the fix took about 18 months to arrive: the company was first alerted on 11 May 2020.
Pen Test Partners says it did not publish the vulnerability at the customary 90-day mark because "ISPs were dealing with challenges from vastly increased network loading as working from home became the new norm. We didn't want to do anything to limit the ability of people to work from home."
Pen Test Partners eventually contacted the BBC in August this year, after, it says, repeatedly chasing Sky for updates in an effort to speed up the patch.
“While the coronavirus pandemic put many internet service providers under pressure, as people moved to working from home, taking well over a year to fix an easily exploited security flaw simply isn’t acceptable,” Pen Test Partners’ Ken Munro told BBC News.
“We take the safety and security of our customers very seriously,” Sky said in response. “After being alerted to the risk, we began work on finding a remedy for the problem and we can confirm that a fix has been delivered to all Sky-manufactured products.”