Six million Sky routers exposed to takeover attacks for 17 months

Gandalf_The_Grey (thread author)
Around six million Sky Broadband customer routers in the UK were affected by a critical vulnerability for which a fix took over 17 months to roll out to customers.

The disclosed vulnerability is a DNS rebinding flaw that threat actors could easily exploit if the user had not changed the default admin password, or if the credentials could be brute-forced.

The result of the exploitation would be to compromise the customer's home network, change the router's configuration, and potentially pivot to other internal devices.
Fix took 17 months to roll out

The PenTestPartners team reported their findings on May 11, 2020, and Sky acknowledged the issue and set a fixing date for November 2020.

That was beyond the standard 90-day disclosure window, but the researchers accepted it without objection since the ISP was dealing with unusual traffic burdens from the COVID-19 lockdown.

The patch never came, and Sky eventually revised the plan, promising to fix 50% of the affected models by May 2021, a target it met.

With the other half still vulnerable and PenTestPartners feeling that Sky was not acting with much urgency, the researchers contacted the press in August as a way to apply additional pressure.

Eventually, on October 22, 2021, Sky emailed to say that it had fixed 99% of all vulnerable routers via an update.

This was over 17 months since the initial disclosure, leaving users vulnerable to DNS rebinding attacks during a period when many of them worked from home.
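The rebinding mechanism the article refers to, and the Host-header check that closes it, as an added example that is not code from the article, Sky or PenTestPartners. The router address 192.168.0.1, the hostnames it answers to, the default credentials, the attacker domain and the initial DNS setting are all constructed assumptions for the simulation; the attacker-side resolver is modelled as a Python class rather than a real DNS server.

```python
"""DNS rebinding against a router admin UI: vulnerable handler beside the hardened one.

Added example; every address, name and credential below is a constructed
assumption and none of it is Sky's real configuration.
"""
import base64
from dataclasses import dataclass
from typing import Callable, Optional, Tuple

ROUTER_LAN_IP = "192.168.0.1"                      # assumed LAN address of the router
ROUTER_HOSTNAMES = {ROUTER_LAN_IP, "router.lan"}   # assumed names the admin UI is served under
DEFAULT_CREDS = ("admin", "admin")                 # constructed placeholder default login
ATTACKER_DOMAIN = "attacker.example"               # constructed attacker-controlled name
ATTACKER_PUBLIC_IP = "203.0.113.10"                # documentation range, constructed
ROGUE_DNS = "203.0.113.53"                         # resolver the attacker wants the router to use


class RebindingResolver:
    """Models an attacker-controlled authoritative DNS server for ATTACKER_DOMAIN.

    The first answer (sent with TTL 0) points at the attacker's web server so the
    victim's browser loads the malicious page; every later answer points the SAME
    name at the victim's router, so the page's same-origin JavaScript now reaches
    the router's admin interface on the LAN.
    """

    def __init__(self, name: str, public_ip: str, target_ip: str) -> None:
        self.name, self.public_ip, self.target_ip = name, public_ip, target_ip
        self.answers = 0

    def resolve(self, name: str) -> str:
        if name != self.name:
            raise LookupError(name)
        self.answers += 1
        return self.public_ip if self.answers == 1 else self.target_ip


@dataclass
class Router:
    dns_server: str = "8.8.8.8"                   # constructed initial setting
    creds: Tuple[str, str] = DEFAULT_CREDS         # unchanged default unless the user set one


@dataclass
class Request:
    host: str                                      # Host header exactly as the browser sends it
    path: str
    authorization: Optional[str]
    body: dict


def basic_auth_header(creds: Tuple[str, str]) -> str:
    """Builds the HTTP Basic Authorization value for a (user, password) pair."""
    return "Basic " + base64.b64encode(f"{creds[0]}:{creds[1]}".encode()).decode()


def _auth_ok(req: Request, router: Router) -> bool:
    return req.authorization == basic_auth_header(router.creds)


def vulnerable_admin_handler(req: Request, router: Router) -> int:
    """Before the fix: trusts any Host header, so a rebound request from the
    attacker's origin is treated like one typed into the browser at 192.168.0.1.
    Only the (often still default) credentials stand in the way."""
    if not _auth_ok(req, router):
        return 401
    if req.path == "/set_dns":
        router.dns_server = req.body["dns"]
        return 200
    return 404


def hardened_admin_handler(req: Request, router: Router) -> int:
    """After the fix: refuse any request whose Host header is not one of the
    router's own names. A rebound request still carries Host: attacker.example
    (the browser never learns the IP changed), so it is rejected before the
    credentials are even examined. IPv4/hostname only; strips an optional port."""
    host = req.host.split(":")[0].lower()
    if host not in ROUTER_HOSTNAMES:
        return 421                                  # 421 Misdirected Request
    return vulnerable_admin_handler(req, router)


def simulate_rebinding(handler: Callable[[Request, Router], int], router: Router,
                       creds_tried: Tuple[str, str] = DEFAULT_CREDS):
    """Victim visits attacker.example; its JavaScript later POSTs to the same origin,
    which by then resolves to the router. Returns (IP the name resolved to at attack
    time, HTTP status from the router, router's DNS setting afterwards)."""
    resolver = RebindingResolver(ATTACKER_DOMAIN, ATTACKER_PUBLIC_IP, ROUTER_LAN_IP)
    resolver.resolve(ATTACKER_DOMAIN)               # page load: attacker's own server
    target = resolver.resolve(ATTACKER_DOMAIN)      # TTL expired: same name, now the router
    req = Request(host=ATTACKER_DOMAIN, path="/set_dns",
                  authorization=basic_auth_header(creds_tried),
                  body={"dns": ROGUE_DNS})
    status = handler(req, router)
    return target, status, router.dns_server


if __name__ == "__main__":
    print("vulnerable, default password:", simulate_rebinding(vulnerable_admin_handler, Router()))
    print("hardened,   default password:", simulate_rebinding(hardened_admin_handler, Router()))
    print("vulnerable, changed password:",
          simulate_rebinding(vulnerable_admin_handler, Router(creds=("admin", "long-random"))))
```

Changing the default password only raises the bar to a brute-force of the same rebound channel; the Host check removes the channel itself, which is why it is the standard mitigation for router admin interfaces.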