IT Pro is supported by its audience. When you purchase through links on our site, we may earn an affiliate commission. Learn more

Sky Broadband took almost 18 months to fix serious router flaw

Flaw could expose user’s home network to hackers

Sky Broadband took around 18 months to fix a security flaw affecting nearly six million of its routers which could enable home networks to be remotely compromised by hackers.

According to a blog post by Pen Test Partners security researcher Rafael Fini, Sky failed to meet numerous self-imposed deadlines for fixing the issue, and although he acknowledges that at the time, COVID lockdowns were causing major challenges for ISPs such as Sky, he claims the company “did not give the patch the priority their customers deserved”.

The security firm first reported the issue in May 2020, but it wasn’t until the following May that Sky told researchers that the first 50% of affected devices had been patched. Researchers were told that the goal was to complete the rest of the rollout during Summer 2021, and in August, the firm asked BBC journalists to reach out to the ISP in order to convince them to expedite the process. It was until October 2021 when Sky notified Pen Test Partners that 99% of all routers had been updated - 17 months and 11 days since initial disclosure.

“Despite having a published vulnerability disclosure programme, Sky’s communications were particularly poor and had to be chased multiple times for responses,” Fini said. “Only after we had involved a trusted journalist was the remediation programme accelerated.” 

When questioned by the BBC, Sky blamed the slow rollout of the update on the large scale of delivery, stating “we take the safety and security of our customers very seriously.”

“After being alerted to the risk, we began work on finding a remedy for the problem and we can confirm that a fix has been delivered to all Sky-manufactured products.”

The flaw in question was a DNS rebinding vulnerability that allowed hackers to use a malicious web page to take control of customers’ routers and enable remote management.

“With remote management enabled, the attacker could connect directly to the router’s web application and modify any settings, such as setup up a DMZ server or configure port forwarding, exposing the internal home network to the internet,” said Fini.

Related Resource

Why faster refresh cycles and modern infrastructure management are critical to business success

The connection between modern server infrastructure and business agility

Title of whitepaper on background of blue and grey trapezoids with a green line diagonally down the page Free download

The flaw affected several Sky Hub and Booster models, particularly those that used the same default admin credentials across all units. Although the randomly-generated admin passwords used by devices such as the Sky Hub 4 could be brute-forced, Fini noted that “a custom password would significantly decrease the chances of a successful attack”.

“The home router is the gateway between consumers and their digital life,” said John Goodacre, professor of computer architectures at the University of Manchester. “DCMS are working to ensure these ‘smart’ devices are more secure, with security built in from the start through their ‘Secure by Design’ policy.” 

“Together, an increased consumer awareness of cybersecurity best practices, manufacturers delivering products to be secured by default with the underlying component being secured by design, the tide will turn against the ever-increasing impacts of cybercrime across the digital world.”

Featured Resources

Activation playbook: Deliver data that powers impactful, game-changing campaigns

Bringing together data and technology to drive better business outcomes

Free Download

In unpredictable times, a data strategy is key

Data processes are crucial to guide decisions and drive business growth

Free Download

Achieving resiliency with Everything-as-a-Service (XAAS)

Transforming the enterprise IT landscape

Free Download

What is contextual analytics?

Creating more customer value in HR software applications

Free Download

Most Popular

16 ways to speed up your laptop

16 ways to speed up your laptop

13 May 2022
Preparing for the 3G sunset
Network & Internet

Preparing for the 3G sunset

18 May 2022
(ISC)2 launches free scheme to get 100,000 UK citizens into cyber security
Careers & training

(ISC)2 launches free scheme to get 100,000 UK citizens into cyber security

17 May 2022