UK ISP Sky left 6 million routers vulnerable to attack for almost 18 months


According to security consultancy Pen Test Partners, internet service provider Sky took nearly 18 months to release a fix for a bug that was affecting around 6 million of its routers.

That means the vast majority of Sky customers were exposed to this attack: Choose, a UK-focused price comparison provider, says Sky has around 6.2 million broadband customers. Even so, Sky repeatedly missed its own deadline to fix the vulnerability.

Pen Test Partners says it disclosed the flaw, which exposed Sky customers to DNS rebinding attacks that could be used to compromise their home networks, in May 2020. But Sky did not release a patch until May 6, 2021, and even then the patch covered 50% of affected devices. A fix for an additional 49% will ship by October 22, 2021.

“Despite the publication of a vulnerability disclosure program,” says Pen Test Partners, “Sky’s communications were particularly poor and had to be repeatedly searched for answers. reporter trusted that the correction program has accelerated.”

During those 18 months, attackers were able to use malicious websites to gain full control over vulnerable routers. That control could then be used to expose a Sky customer’s home network to the internet, so that attackers could carry out attacks directly against the devices on it.

“A key factor that allowed routers to be automatically supported using the DNS rebinding vulnerability was the default credentials used by most versions of Sky devices,” says Pen Test Partners. “Although a brute force attack can be used to discover passwords other than the default ones, a personalized password would greatly reduce the chances of a successful attack.”

Six routers were affected by this vulnerability: the Sky Hub, Sky Hub 2, Sky Booster 2, Sky Hub 3, Sky Hub 3.5, and Sky Booster 3. (Two other models, the Sky Hub 4 and Sky Booster 4, were also vulnerable but used random credentials that would have to be brute-forced.)


Pen Test Partners says that all Sky routers should have been patched against this attack, but the ISP’s customers are encouraged to make sure they have the latest firmware installed on their devices. They should also take the time to change the device credentials.

Sky did not immediately respond to a request for comment.
