Sky Broadband UK Took 18 Months to Fix Router Security Flaws

Friday, Nov 19th, 2021 (12:01 pm) - Score 5,240

Sky Broadband has been embarrassed this morning after Pen Test Partners revealed that it had taken the ISP a whopping 18 months to fix a serious security flaw in its consumer routers, which affected the vast majority of its UK customer base and could have enabled a hacker to compromise home networks.

The vulnerability itself allowed a DNS rebinding attack (i.e. manipulating the resolution of domain names), and affected a wide array of Sky Broadband’s routers and WiFi boosters – Sky Hub 3 [Sky Q Hub] (ER110), Sky Hub 3.5 [Sky Q Hub] (ER115), Booster 3 (EE120), Sky Hub (SR101), Sky Hub 4 [Sky Broadband Hub] (SR203) and the Booster 4 (SE210).

The flaw meant that a customer’s router could be hijacked simply by visiting a malicious – hacker controlled – website, although the attack was helped by the fact that some of Sky’s older kit shipped with default username and password credentials (i.e. making access much easier).

By comparison, the latest Sky Hub 4 and Booster 4 (SR203, SE210) routers were also affected by the same DNS rebinding flaw, but as every one of those shipped with a randomly generated password, the hackers would first need to try and uncover the password via brute force (a slow and difficult task, but not impossible).

Pen Test Partners Statement

A key factor that allowed the routers to be automatically taken over using the DNS rebinding vulnerability was the default credentials used by most versions of the Sky devices. Although a brute force attack could be used to discover non-default passwords, a custom password would significantly decrease the chances of a successful attack. Few customers change their router admin passwords from the default.

We recommend that customers change the administrator password for the router web interface to mitigate this vulnerability. It is also recommended to change the network name and Wi-Fi passwords. These should be long and contain lower and upper case characters, numbers and special characters.

The routers involved have finally been patched by Sky. Their customer devices are updated automatically, though customers can check to ensure their devices are running the latest version available.

The issue was first reported to, and promptly acknowledged by, Sky on 11th May 2020, although on 6th May 2021 – one full year later – Sky said they’d so far only been able to patch 50% of their customers’ routers, a figure that finally reached 99% by late October 2021. Effectively, Sky had taken a whopping 17-18 months to develop and implement a fix for a serious security flaw, which is less than ideal.

Luckily for Sky, Pen Test Partners decided against publishing details of the vulnerability within the usually allowable timescale: “We could have published the vulnerability in an attempt to push Sky into faster patching. However, this issue was easy to exploit and would expose millions of Sky customers. Ethically, we couldn’t publish,” said the group.

A Spokesperson for Sky said: “We take the safety and security of our customers very seriously. After being alerted to the risk, we began work on finding a remedy for the problem, and we can confirm that a fix has been delivered to all Sky-manufactured products.”

We should point out that Sky is by no means the only ISP to be affected by a DNS rebinding attack on their consumer routers. Virgin Media’s HUB 3.0 routers (ARRIS TG2492) are known to still suffer from such an issue and Hyperoptic’s older ZTE routers were also hit in 2018.

By Mark Jackson
Mark is a professional technology writer, IT consultant and computer engineer from Dorset (England), he also founded ISPreview in 1999 and enjoys analysing the latest telecoms and broadband developments.
Comments
13 Responses
  1. Connor says:

    I can see how an issue like this could slip in but it is unacceptable taking this long for realistically a simple fix.

    The fact that a year in it makes it seem more of a failing of their rollout rather than them not being able to build a solution.

  2. Mark says:

    dnsmasq can be used by having a second DHCP server on the LAN and a computer connecting to that DHCP server which directs it to an incorrect DNS server that does the rebinding of DNS but it needs to be done LAN side.

    It sounds so complicated but it really only means changing the DNS server IP address and gaining access to the router was via the default password of ‘sky’ on LAN only, wow it took them that long to find that vulnerability the security experts! That’s gain access to the LAN and then redirect DNS to an alternative DNS server in plain language, and an attacker would have to walk through the interface and bypass its fixed DNS server.

    And also almost all ISPs are vulnerable to DNS rebinding issues because DNS on port 53 UDP is unencrypted between the customers and ISP and anyone gaining access to that path can rebind the DNS to an alternative DNS server…

  3. MrTruth says:

    Sky should be extremely embarrassed and OFCOM should be asking them why, 18 months to fix a vulnerability is totally unacceptable.

    1. El Guapo says:

      Is Ofcom responsible for consumer device security now? God I hope it isn’t.

      I would be tempted to say people like the national crime agency should be getting involved, but then I remembered they think that kids having Discord or using virtual machines means they’re a hacker.

      Pretty sure that any UK gov dept responsible for cyber security would only embarrass itself.

  4. Jack says:

    I should be able to end my FTTP contract early due to this

    1. Steve says:

      Only if you suffered (got hacked) as a result. Otherwise they’ll tell you to do one.

  5. Jonny says:

    I’m a bit confused with PTP’s write-up of this. Step 3 and 5 of the POC involves making DNS requests to a malicious DNS server, how is the client being configured to use this DNS server?

    1. Mark says:

      It’s a good question, just looked at the code and it doesn’t have anything in it for doing DNS redirects or changing the DNS server. Only has code for accessing the router and changing the password for the wireless, really that vulnerability is nonsense with special terms such as DNS rebinding attack, clear nonsense and sensitisation.

    2. NE555 says:

      There are two different DNS roles here: your client device points to a DNS “resolver” or “cache”, and that in turn finds “authoritative” nameservers which contain the actual data. The latter are controlled by the domain owners. For example, the names under “google.com” are returned by Google’s authoritative nameservers.

      So if you resolve a name like http://www.evil.com, the answer you get is controlled by the evil.com nameservers. If they set a short time-to-live, the answer isn’t cached for very long, and a subsequent request can return a different value.

    3. Mark says:

      Well, everything has its own DNS nameservers and if you have control of that nameserver(s) for the domain you don’t need to do a DNS rebind? And I still cannot see the code that does the DNS rebind in this vulnerability and I’ve looked at the code?

    4. NE555 says:

      The DNS rebind lets the attacker write Javascript which talks to some other device – like the internal address 192.168.1.1 – which would normally not be possible due to the same-origin policy.

      Sequence is roughly this:
      – user clicks link which takes them to http://www.evil.com
      – evil.com nameservers return 1.2.3.4 (server run by attacker) with short TTL
      – http://www.evil.com returns a web page with some javascript
      – DNS record expires
      – javascript on the page connects again to http://www.evil.com
      – evil.com nameservers return 192.168.1.1 as the address
      – evil.com’s javascript is able to access the admin page of your router!

      Sky routers had default admin passwords – on the (bad) assumption that somebody outside would not be able to connect to them.
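
The sequence in the comment above can be recognised and blocked at the DNS resolver. The following Python is an added example, not part of the original comments or of Pen Test Partners' write-up: it flags a public name whose answer flips from an external to an internal address and applies the filter a rebind-protecting resolver would use. The log rows, the `LOCAL_SUFFIXES` allowlist and all function names are assumptions made for illustration.

```python
import ipaddress

# Constructed resolver log: (seconds, queried name, answer IP, TTL).
# The www.evil.com rows mirror the sequence in the comment above; the
# 0.0.0.0 row covers the unspecified address mentioned in the thread.
SAMPLE_LOG = [
    (0, "www.evil.com", "1.2.3.4", 1),
    (5, "www.evil.com", "192.168.1.1", 1),
    (7, "printer.home.arpa", "192.168.1.50", 300),
    (9, "www.example.org", "93.184.216.34", 3600),
    (12, "rebind.example.net", "5.6.7.8", 1),
    (20, "rebind.example.net", "0.0.0.0", 1),
]

# Assumption: only names under these suffixes may resolve to LAN addresses.
LOCAL_SUFFIXES = ("home.arpa", "lan")


def is_internal(ip):
    """True for addresses a public name has no business resolving to."""
    addr = ipaddress.ip_address(ip)
    return (addr.is_private or addr.is_loopback
            or addr.is_link_local or addr.is_unspecified)


def is_local_name(name):
    name = name.rstrip(".").lower()
    return any(name == s or name.endswith("." + s) for s in LOCAL_SUFFIXES)


def filter_answer(name, ip):
    """Resolver-side filter: True if the answer may be passed to the client."""
    return is_local_name(name) or not is_internal(ip)


def find_rebinds(log):
    """Report public names whose answer flipped from external to internal."""
    seen_external, alerts = {}, []
    # The TTL is chosen by the remote nameserver, so the check ignores it.
    for ts, name, ip, _ttl in log:
        if is_local_name(name):
            continue
        if not is_internal(ip):
            seen_external[name] = (ts, ip)
        elif name in seen_external:
            first_ts, first_ip = seen_external[name]
            alerts.append((name, first_ip, ip, ts - first_ts))
    return alerts
```

dnsmasq's `stop-dns-rebind` option applies a filter of this kind to upstream answers.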

    5. Mark says:

      Well, I’m reading the code for PoC and the IP address is in fact set to 0.0.0.0 in the javascript, and the console for the Sky router isn’t at 192.168.1.1!

  6. sebbb says:

    They were probably too busy implementing MAP-T for Sky Italy to care about fixing this…

Comments are closed
