Internet service provider Sky took nearly 18 months to release a patch for a bug that affected roughly 6 million of its routers, according to security consulting firm Pen Test Partners.
Choose, a UK-focused price comparison provider, puts Sky's broadband customer base at approximately 6.2 million, so the vast majority of Sky customers were exposed to this attack. Sky also repeatedly missed its own deadlines for patching the vulnerability.
Pen Test Partners says it disclosed the flaw, which exposed Sky customers to DNS rebinding attacks that could be used to compromise their home networks, in May 2020. But Sky didn’t release a patch until May 6, 2021, and even then it only covered 50% of affected devices. A patch for another 49% shipped by Oct. 22, 2021.
“Despite having a published vulnerability disclosure program,” Pen Test Partners says, “Sky’s communications were particularly poor and had to be chased multiple times for responses. Only after we had involved a trusted journalist was the remediation program accelerated.”
In the intervening 18 months, attackers could use malicious websites to gain full control over the vulnerable routers. That control could then be exploited to expose a Sky customer’s home network to the internet so the attackers could conduct attacks directly against those devices.
“A key factor that allowed the routers to be automatically taken over using the DNS rebinding vulnerability was the default credentials used by most versions of the Sky devices,” Pen Test Partners says. “Although a brute force attack could be used to discover non-default passwords, a custom password would significantly decrease the chances of a successful attack.”
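The two defences implied above are a resolver that refuses to let a public hostname resolve to a LAN address (the "rebind protection" found in resolvers such as dnsmasq) and a router web interface that rejects requests whose Host header is not its own address. The following is an added illustration of both checks, not code from Pen Test Partners or Sky; the private ranges, the `.lan`/`.local` suffixes and the `192.168.0.1` management address are assumptions.

```python
import ipaddress
from urllib.parse import urlsplit

# A rebinding attack answers a DNS query first with the attacker's public IP and
# later with an address inside the victim's LAN, so the browser's same-origin
# policy now lets attacker script reach the router. A rebind-aware resolver
# drops the second kind of answer. (Assumed range set: RFC 1918, loopback,
# link-local and "this host"; add others as your deployment requires.)
_PRIVATE_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16", "0.0.0.0/8",
    "::1/128", "fc00::/7", "fe80::/10",
)]


def is_rebind_answer(qname, answer, local_suffixes=(".lan", ".local")):
    """True if an A/AAAA answer for a public name points into private space.
    Names under a trusted local suffix may legitimately resolve to the LAN."""
    if qname.rstrip(".").lower().endswith(local_suffixes):
        return False
    try:
        ip = ipaddress.ip_address(answer)
    except ValueError:
        return False  # not an address literal (e.g. a CNAME); nothing to filter
    return any(ip in net for net in _PRIVATE_NETS)


def filter_dns_answers(qname, answers, local_suffixes=(".lan", ".local")):
    """Return only the answers that do not rebind a public name onto the LAN."""
    return [a for a in answers if not is_rebind_answer(qname, a, local_suffixes)]


def host_header_allowed(host_header, router_addrs=("192.168.0.1",),
                        allowed_names=("router.lan",)):
    """Second line of defence, on the router itself: a rebinding request still
    carries the attacker's hostname in the Host header, so the management
    interface accepts only its own address or a known local name.
    (192.168.0.1 is a constructed default, not any specific device's address.)"""
    try:
        host = urlsplit("//" + host_header).hostname  # strips port and [] brackets
    except ValueError:
        return False
    return bool(host) and (host in router_addrs or host in allowed_names)


if __name__ == "__main__":
    # Constructed sample: a public name whose second answer points at the router.
    print(filter_dns_answers("evil.example", ["203.0.113.5", "192.168.0.1"]))
    print(host_header_allowed("evil.example"), host_header_allowed("192.168.0.1:80"))
```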
Six routers—the Sky Hub, Sky Hub 2, Sky Booster 2, Sky Hub 3, Sky Hub 3.5, and Sky Booster 3—were affected by this vulnerability. (Two other models, the Sky Hub 4 and Sky Booster 4, were also vulnerable but relied on randomized credentials that would have to be brute-forced.)
Pen Test Partners says that all of Sky’s routers should now be patched against this attack, but the ISP’s customers are encouraged to make sure they have the latest firmware installed on their devices. They should also take the time to change the devices’ default credentials.
Sky didn’t immediately respond to a request for comment.