Sky Broadband took almost 18 months to fix serious router flaw

Flaw could expose user’s home network to hackers

Sky Broadband took around 18 months to fix a security flaw affecting nearly six million of its routers which could enable home networks to be remotely compromised by hackers.

According to a blog post by Pen Test Partners security researcher Rafael Fini, Sky failed to meet numerous self-imposed deadlines for fixing the issue, and although he acknowledges that at the time, COVID lockdowns were causing major challenges for ISPs such as Sky, he claims the company “did not give the patch the priority their customers deserved”.

The security firm first reported the issue in May 2020, but it wasn’t until the following May that Sky told researchers that the first 50% of affected devices had been patched. Researchers were told that the goal was to complete the rest of the rollout during Summer 2021, and in August, the firm asked BBC journalists to reach out to the ISP in order to convince them to expedite the process. It was not until October 2021 that Sky notified Pen Test Partners that 99% of all routers had been updated - 17 months and 11 days since initial disclosure.

“Despite having a published vulnerability disclosure programme, Sky’s communications were particularly poor and had to be chased multiple times for responses,” Fini said. “Only after we had involved a trusted journalist was the remediation programme accelerated.” 

When questioned by the BBC, Sky blamed the slow rollout of the update on the large scale of delivery, stating “we take the safety and security of our customers very seriously.”

“After being alerted to the risk, we began work on finding a remedy for the problem and we can confirm that a fix has been delivered to all Sky-manufactured products.”

The flaw in question was a DNS rebinding vulnerability that allowed hackers to use a malicious web page to take control of customers’ routers and enable remote management.

“With remote management enabled, the attacker could connect directly to the router’s web application and modify any settings, such as setting up a DMZ server or configure port forwarding, exposing the internal home network to the internet,” said Fini.
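DNS rebinding works because the victim's browser is tricked into sending requests meant for an attacker-controlled name to the router's LAN address. Two well-known defences are to have the router's admin web app refuse any request whose Host header is not the router itself, and to have the home DNS forwarder refuse upstream answers that map a public name onto a private address (the behaviour of dnsmasq's `--stop-dns-rebind` option). The following Python is an added illustration of both checks written for this article; it is not Sky's firmware, Pen Test Partners' code, or anything from the page, and the router hostnames, addresses and sample DNS answers are constructed for the example.

```python
"""Defensive checks against DNS rebinding on a home router (illustrative, not Sky's code).

Two independent mitigations:
  1. host_header_allowed  - the admin web app only serves requests addressed to itself.
  2. dns_answer_allowed   - the router's DNS forwarder drops answers that point a
                            public name at a private, loopback or link-local address.
"""
import ipaddress
from typing import Iterable, Optional
from urllib.parse import urlsplit

# Constructed for this example: names/addresses under which the router's own admin
# page is legitimately reached. A real device would derive these from its config.
ROUTER_HOSTS = {"192.168.0.1", "router.local"}

# Constructed: DNS suffixes for which private answers are expected (local LAN names).
LOCAL_ZONES = ("local", "lan", "home")


def host_header_allowed(host_header: Optional[str],
                        allowed: Iterable[str] = ROUTER_HOSTS) -> bool:
    """Return True only if the request's Host header names the router itself.

    In a rebinding attack the browser still believes it is talking to the
    attacker's domain, so the Host header carries that name rather than the
    router's own address. Rejecting such requests defeats the attack even
    if the resolver was fooled.
    """
    if not host_header:
        return False
    # Parse as an authority so "192.168.0.1:80" and "[::1]:80" lose their port.
    name = urlsplit("//" + host_header).hostname
    if name is None:
        return False
    return name.lower() in {h.lower() for h in allowed}


def _is_internal(addr: str) -> bool:
    """True for RFC 1918 / ULA, loopback and link-local addresses; also for
    unparseable strings, which a forwarder should never relay anyway."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return True
    return ip.is_private or ip.is_loopback or ip.is_link_local


def dns_answer_allowed(qname: str, answers: Iterable[str],
                       local_zones: Iterable[str] = LOCAL_ZONES) -> bool:
    """Rebind protection for a DNS forwarder.

    Answers for names in a trusted local zone may be private. For any other
    name, a single internal address in the answer set rejects the whole reply,
    because that is exactly the mapping a rebinding attack needs.
    """
    labels = qname.rstrip(".").lower().split(".")
    if labels and labels[-1] in {z.lower() for z in local_zones}:
        return True
    return not any(_is_internal(a) for a in answers)


if __name__ == "__main__":
    # Constructed sample traffic: a legitimate admin request and a rebinding attempt.
    for host in ("192.168.0.1:80", "attacker.example"):
        print(f"Host={host!r:<22} served={host_header_allowed(host)}")
    # Constructed sample DNS replies: a normal public answer and a rebound one.
    for name, answer in (("www.example.com", ["93.184.216.34"]),
                         ("attacker.example", ["203.0.113.5", "192.168.0.1"])):
        print(f"{name:<18} {answer} relayed={dns_answer_allowed(name, answer)}")
```

The two checks are complementary: the Host header check protects the router even when the client uses a resolver the router does not control, while the forwarder check protects every device on the LAN that uses the router for DNS, not just the router's own admin page.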


The flaw affected several Sky Hub and Booster models, particularly those that used the same default admin credentials across all units. Although the randomly-generated admin passwords used by devices such as the Sky Hub 4 could be brute-forced, Fini noted that “a custom password would significantly decrease the chances of a successful attack”.

“The home router is the gateway between consumers and their digital life,” said John Goodacre, professor of computer architectures at the University of Manchester. “DCMS are working to ensure these ‘smart’ devices are more secure, with security built in from the start through their ‘Secure by Design’ policy.” 

“Together, an increased consumer awareness of cybersecurity best practices, manufacturers delivering products to be secured by default with the underlying component being secured by design, the tide will turn against the ever-increasing impacts of cybercrime across the digital world.”
