Sky Broadband UK Took 18 Months to Fix Router Security Flaws

Sky Broadband has been embarrassed this morning after Pen Test Partners revealed that it had taken the ISP a whopping 18-months to fix a serious security flaw in their consumer routers, which affected the vast majority of their UK customer base and could have enabled a hacker to compromise home networks. The vulnerability itself reflected a DNS rebinding attack (i.e. manipulating the resolution of domain names), which affected a wide array of Sky Broadband‘s routers and WiFi boosters – Sky Hub 3 [Sky Q Hub] (ER110), Sky Hub 3.5 [Sky Q Hub] (ER115), Booster 3 (EE120), Sky Hub (SR101), Sky Hub 4 [Sky Broadband Hub] (SR203) and the Booster 4 (SE210). The flaw meant that a customer’s router could be hijacked simply by visited a malicious – hacker controlled – website, although this benefitted from the fact that some of Sky’s older kit was shipped with a default username and password credentials (i.e. making access much easier).

By comparison, the latest Sky Hub 4 and Booster 4 (SR203, SE210) routers were also affected by the same DNS rebinding flaw, but as every one of those shipped with a randomly generated password then the hackers would first need to try and uncover the password via brute force (a slow and difficult task, but not impossible).

Pen Test Partners Statement

A key factor that allowed the routers to be automatically taken over using the DNS rebinding vulnerability was the default credentials used by most versions of the Sky devices. Although a brute force attack could be used to discover non-default passwords, a custom password would significantly decrease the chances of a successful attack. Few customers change their router admin passwords from the default.

We recommend that customers change the administrator password for the router web interface to mitigate this vulnerability. It is also recommended to change the network name and Wi-Fi passwords. These should be long and contain lower and upper case characters, numbers and special characters.

The routers involved have finally been patched by Sky. Their customer devices are updated automatically, though customers can check to ensure their devices are running the latest version available.

The issue was first reported and promptly acknowledged by Sky on 11th May 2020, although on 6th May 2021 – one full year later – Sky said they’d so far only been able to patch 50% of their customers routers, which finally reached 99% by late October 2021. Effectively, Sky had taken a whopping 17-18 months to develop and implement a fix for a serious security flaw, which is less than ideal.

Luckily for Sky, Pen Test Partners decided against publishing details of the vulnerability within the usually allowable timescale: “We could have published the vulnerability in an attempt to push Sky in to faster patching. However, this issue was easy to exploit and would expose millions of Sky customers. Ethically, we couldn’t publish,” said the group.

A Spokesperson for Sky said: “We take the safety and security of our customers very seriously. After being alerted to the risk, we began work on finding a remedy for the problem, and we can confirm that a fix has been delivered to all Sky-manufactured products.” We should point out that Sky is by no means the only ISP to be affected by a DNS rebinding attack on their consumer routers. Virgin Media‘s HUB 3.0 routers (ARRIS TG2492) are known to still suffer from such an issue (here) and Hyperoptic‘s older ZTE routers were also hit in 2018 (here).

Leave a Comment13 ResponsesJavascript must be enabled to post (most browsers do this automatically)
Privacy Notice: Please note that news comments are anonymous, which means that we do NOT require you to enter any real personal details to post a message.

By clicking to submit a post you agree to storing your comment content, display name, IP, email and / or website details in our database, for as long as the post remains live.

Only the submitted name and comment will be displayed in public, while the rest will be kept private (we will never share this outside of ISPreview, regardless of whether the data is real or fake). This comment system uses submitted IP, email and website address data to spot abuse and spammers. All data is transferred via an encrypted (https secure) session.

NOTE 1: Sometimes your comment might not appear immediately due to site cache (this is cleared every few hours) or it may be caught by automated moderation / anti-spam.

NOTE 2: Comments that break our rules, spam, troll or post via known fake IP/proxy servers may be blocked or removed.

Leave a Reply

Your email address will not be published. Required fields are marked *