
Sky Broadband UK Took 18 Months to Fix Router Security Flaws

Friday, November 19th, 2021 (12:01 pm) - Score 4,224

Sky Broadband has been embarrassed this morning after Pen Test Partners revealed that it had taken the ISP a whopping 18 months to fix a serious security flaw in its consumer routers, which affected the vast majority of its UK customer base and could have enabled a hacker to compromise home networks.

The vulnerability itself reflected a DNS rebinding attack (i.e. manipulating the resolution of domain names), which affected a wide array of Sky Broadband’s routers and WiFi boosters – Sky Hub 3 [Sky Q Hub] (ER110), Sky Hub 3.5 [Sky Q Hub] (ER115), Booster 3 (EE120), Sky Hub (SR101), Sky Hub 4 [Sky Broadband Hub] (SR203) and the Booster 4 (SE210).

The flaw meant that a customer’s router could be hijacked simply by visiting a malicious, hacker-controlled website, and the attack was made considerably easier by the fact that some of Sky’s older kit shipped with default username and password credentials.

By comparison, the latest Sky Hub 4 and Booster 4 (SR203, SE210) routers were affected by the same DNS rebinding flaw, but as every one of those shipped with a randomly generated password, an attacker would first need to uncover the password via brute force (a slow and difficult task, but not impossible).

Pen Test Partners Statement

A key factor that allowed the routers to be automatically taken over using the DNS rebinding vulnerability was the default credentials used by most versions of the Sky devices. Although a brute force attack could be used to discover non-default passwords, a custom password would significantly decrease the chances of a successful attack. Few customers change their router admin passwords from the default.

We recommend that customers change the administrator password for the router web interface to mitigate this vulnerability. It is also recommended to change the network name and Wi-Fi passwords. These should be long and contain lower and upper case characters, numbers and special characters.

The routers involved have finally been patched by Sky. Their customer devices are updated automatically, though customers can check to ensure their devices are running the latest version available.

The issue was first reported and promptly acknowledged by Sky on 11th May 2020, although on 6th May 2021 – one full year later – Sky said it had so far only been able to patch 50% of its customers’ routers, a figure which finally reached 99% by late October 2021. Effectively, Sky had taken a whopping 17-18 months to develop and implement a fix for a serious security flaw, which is less than ideal.

Luckily for Sky, Pen Test Partners decided against publishing details of the vulnerability within the usually allowable timescale: “We could have published the vulnerability in an attempt to push Sky into faster patching. However, this issue was easy to exploit and would expose millions of Sky customers. Ethically, we couldn’t publish,” said the group.

A Spokesperson for Sky said: “We take the safety and security of our customers very seriously. After being alerted to the risk, we began work on finding a remedy for the problem, and we can confirm that a fix has been delivered to all Sky-manufactured products.”

We should point out that Sky is by no means the only ISP to be affected by a DNS rebinding attack on their consumer routers. Virgin Media’s HUB 3.0 routers (ARRIS TG2492) are known to still suffer from such an issue (here) and Hyperoptic’s older ZTE routers were also hit in 2018 (here).
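As an added example (not code from the article, Sky or Pen Test Partners), the two standard defences against the class of flaw described above: a resolver-side filter that drops answers where an Internet name resolves to a non-global address (the behaviour of dnsmasq’s rebind protection), and a device-side check that the admin interface only answers requests whose HTTP Host header names the router itself. All addresses and hostnames are constructed; the router address is not the one from the page.

```python
import ipaddress
from typing import Iterable, List, Tuple

Answer = Tuple[str, str, int]  # (queried name, answer address, TTL in seconds)

# Constructed sample answers as a stub resolver might see them. The first two
# model the rebinding sequence: the attacker's domain first resolves to a public
# host serving the page, then, once the 1-second TTL has expired, to the
# router's LAN address. The third is a legitimately internal corporate name.
SAMPLE_ANSWERS: List[Answer] = [
    ("www.attacker.example", "93.184.216.34", 1),   # constructed public address
    ("www.attacker.example", "192.168.0.1", 1),     # constructed router LAN address
    ("intranet.corp.example", "10.0.0.5", 300),     # constructed, allow-listed zone
]

def is_rebind_answer(name: str, ip: str, allowed_internal: Iterable[str] = ()) -> bool:
    """Resolver-side check: an Internet name must not resolve to a non-global
    address (RFC 1918, loopback, link-local, reserved) unless the operator has
    allow-listed that name or one of its parent domains."""
    if ipaddress.ip_address(ip).is_global:
        return False
    name = name.rstrip(".").lower()
    return not any(name == z or name.endswith("." + z) for z in allowed_internal)

def filter_answers(answers: Iterable[Answer], allowed_internal: Iterable[str] = ()):
    """Split answers into those returned to the client and those dropped."""
    kept, dropped = [], []
    for ans in answers:
        (dropped if is_rebind_answer(ans[0], ans[1], allowed_internal) else kept).append(ans)
    return kept, dropped

def host_header_is_router(host_header: str, router_hosts: Iterable[str]) -> bool:
    """Device-side check: a rebound request still carries the attacker's
    hostname in the Host header, so the admin interface rejects it even if the
    request would otherwise carry valid (or default) credentials."""
    host = host_header.strip().lower()
    if host.startswith("["):                 # IPv6 literal, e.g. [fd00::1]:80
        host = host[1:host.find("]")]
    else:
        host = host.split(":", 1)[0]          # strip any :port suffix
    return host in {h.lower() for h in router_hosts}

if __name__ == "__main__":
    kept, dropped = filter_answers(SAMPLE_ANSWERS, allowed_internal=("corp.example",))
    print("kept:", kept)
    print("dropped:", dropped)
    print(host_header_is_router("www.attacker.example", ("192.168.0.1",)))  # False
```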

By Mark Jackson
Mark is a professional technology writer, IT consultant and computer engineer from Dorset (England), he also founded ISPreview in 1999 and enjoys analysing the latest telecoms and broadband developments. Find me on Twitter, Facebook and Linkedin.
13 Responses
  1. Connor says:

    I can see how an issue like this could slip in but it is unacceptable taking this long for realistically a simple fix.

    The fact that it is a year in makes it seem more of a failing of their rollout rather than them not being able to build a solution.

  2. Mark says:

    dnsmasq can be used by having a second DHCP server on the LAN and a computer connecting to that DHCP server which directs it to an incorrect DNS server that does the rebinding of DNS, but it needs to be done LAN side.

    It sounds so complicated but it really only means changing the DNS server IP address and gaining access to the router was via the default password of ‘sky’ on LAN only, wow it took them that long to find that vulnerability the security experts! That’s gain access to the LAN and then redirect DNS to an alternative DNS server in plain language, and an attacker would have to walk through the interface and bypass its fixed DNS server.

    And also almost all ISPs are vulnerable to DNS rebinding issues because DNS on port 53 UDP is unencrypted between the customers and ISP and anyone gaining access to that path can rebind the DNS to an alternative DNS server…

  3. MrTruth says:

    Sky should be extremely embarrassed and OFCOM should be asking them why, 18 months to fix a vulnerability is totally unacceptable.

    1. El Guapo says:

      Is Ofcom responsible for consumer device security now? God I hope it isn’t.

      I would be tempted to say people like the national crime agency should be getting involved, but then I remembered they think that kids having Discord or using virtual machines means they’re a hacker.

      Pretty sure that any UK gov dept responsible for cyber security would only embarrass itself.

  4. Jack says:

    I should be able to end my FTTP contract early due to this

    1. Steve says:

      Only if you suffered (got hacked) as a result. Otherwise they’ll tell you to do one.

  5. Jonny says:

    I’m a bit confused with PTP’s write-up of this. Steps 3 and 5 of the PoC involve making DNS requests to a malicious DNS server; how is the client being configured to use this DNS server?

    1. Mark says:

      It’s a good question. I just looked at the code and it doesn’t have anything in it for doing DNS redirects or changing the DNS server. It only has code for accessing the router and changing the password for the wireless. Really, that vulnerability is nonsense with special terms such as DNS rebinding attack, clear nonsense and sensitisation.

    2. NE555 says:

      There are two different DNS roles here: your client device points to a DNS “resolver” or “cache”, and that in turn finds “authoritative” nameservers which contain the actual data. The latter are controlled by the domain owners. For example, the names under “google.com” are returned by Google’s authoritative nameservers.

      So if you resolve a name like http://www.evil.com, the answer you get is controlled by the evil.com nameservers. If they set a short time-to-live, the answer isn’t cached for very long, and a subsequent request can return a different value.

    3. Mark says:

      Well, everything has its own DNS nameservers and if you have control of that nameserver(s) for the domain you don’t need to do a DNS rebind? And I still cannot see the code that does the DNS rebind in this vulnerability and I’ve looked at the code?

    4. NE555 says:

      The DNS rebind lets the attacker write Javascript which talks to some other device – like the internal address – which would normally not be possible due to the same-origin policy.

      Sequence is roughly this:
      – user clicks link which takes them to http://www.evil.com
      – evil.com nameservers return (server run by attacker) with short TTL
      – http://www.evil.com returns a web page with some javascript
      – DNS record expires
      – javascript on the page connects again to http://www.evil.com
      – evil.com nameservers return as the address
      – evil.com’s javascript is able to access the admin page of your router!

      Sky routers had default admin passwords – on the (bad) assumption that somebody outside would not be able to connect to them.

    5. Mark says:

      Well, I’m reading the code for PoC and the IP address is in fact set to in the javascript, and the console for the Sky router isn’t at!

  6. sebbb says:

    They were probably too busy implementing MAP-T for Sky Italy to care about fixing this…
