Millions of Sky routers left open to hackers for 18 months

Customers’ home networks and devices could have been taken over if they visited a malicious website

Adam Smith
Friday 19 November 2021 14:24 GMT
Sky internet users have complained about issues getting online (AFP via Getty Images)


Millions of Sky routers suffered from a vulnerability that would have allowed a customer’s home network to be compromised by hackers.

Researchers from Pen Test Partners discovered that a DNS rebinding error – which allows an attacker to bypass defences in web browsers – meant that users with the default administrator password were left unprotected.

The default password (admin:sky) was set for a high percentage of routers, the researchers said, but a brute force attack (where hackers systematically guess passwords via trial and error) could also target routers where the password had been changed.

The issue would have given hackers direct access to computers and devices on the home network once a customer navigated to a malicious website. The browser would then treat the router’s IP address as belonging to the malicious website, so the site’s scripts could reach the router’s administration interface as if it were their own.
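As an added illustration, not code from the article, Sky or Pen Test Partners, of the two standard defences against the rebinding described above: a resolver that refuses to let a public name resolve to a private address, and a router admin interface that rejects requests whose Host header is not its own name or address. The domain, addresses and hostnames are constructed for the demonstration.

```python
from __future__ import annotations
import ipaddress
from urllib.parse import urlsplit

# Private, link-local and loopback ranges a home router lives in.
PRIVATE_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "169.254.0.0/16", "127.0.0.0/8")]

# Constructed values for the demonstration; not Sky's real hostnames or addresses.
ROUTER_ADDRS = {"192.168.0.1", "router.lan"}
LOCAL_ZONES = ("lan", "home", "local")


def is_private(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in PRIVATE_NETS)


def filter_dns_answer(name: str, answers: list[str]) -> list[str]:
    """Defence 1 (resolver side): drop A records that point a public name at a
    private address, as dnsmasq's --stop-dns-rebind option does. Names in the
    LAN's own zones may still resolve to private addresses."""
    if name.rstrip(".").rsplit(".", 1)[-1] in LOCAL_ZONES:
        return answers
    return [a for a in answers if not is_private(a)]


def host_header_ok(host_header: str) -> bool:
    """Defence 2 (router side): the admin UI only answers requests whose Host
    header names the router itself. After a rebind the browser still sends the
    attacker's domain in Host, so the request is refused before any login check."""
    host = urlsplit("//" + host_header).hostname
    return host is not None and host.lower() in ROUTER_ADDRS


def rebind_blocked_by() -> list[str]:
    """Walk the sequence the article describes against both defences and report
    which of them stop it: the first DNS answer is the attacker's public server,
    the second (after a short TTL expires) is the router's private address."""
    blocked = []
    first = filter_dns_answer("attacker.example", ["203.0.113.10"])
    second = filter_dns_answer("attacker.example", ["192.168.0.1"])
    if first and not second:
        blocked.append("resolver-filter")
    # Even if the rebound answer got through, the request reaches the router
    # with "Host: attacker.example", not the router's own name or address.
    if not host_header_ok("attacker.example"):
        blocked.append("host-header-check")
    return blocked
```

Either defence alone defeats the rebinding step; a non-default admin password is the remaining layer if a router implements neither.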

The Sky Hub 3 (ER110), Sky Hub 3.5 (ER115), Booster 3 (EE120), Sky Hub (SR101), Sky Hub 4 (SR203), and Booster 4 (SE210) were all affected by the issue.

“A key factor that allowed the routers to be automatically taken over via the DNS rebinding vulnerability was the default credentials used by most versions of the Sky devices”, Pen Test Partners wrote.

“Although a brute force attack could be used to discover non-default passwords, a custom password would significantly decrease the chances of a successful attack. Few customers change their router admin passwords from the default.”

The devices are now being patched automatically by Sky, but Pen Test Partners says that it took Sky 18 months to fix the issue after the company was first alerted to it on 11 May 2020.

Pen Test Partners says they did not disclose the vulnerability after 90 days because “ISPs were dealing with challenges from vastly increased network loading as working from home became the new norm. We didn’t want to do anything to limit the ability of people to work from home.”

Pen Test Partners eventually contacted the BBC in August this year after allegedly chasing Sky for updates to accelerate the patch.

"While the coronavirus pandemic put many internet service providers under pressure, as people moved to working from home, taking well over a year to fix an easily exploited security flaw simply isn’t acceptable," Pen Test Partners’ Ken Munro told BBC News.

"We take the safety and security of our customers very seriously," Sky said in response. "After being alerted to the risk, we began work on finding a remedy for the problem and we can confirm that a fix has been delivered to all Sky-manufactured products."
