Sky Broadband took around 18 months to fix a security flaw affecting nearly six million of its routers which could enable home networks to be remotely compromised by hackers.
According to a blog post by Pen Test Partners security researcher Rafael Fini, Sky failed to meet numerous self-imposed deadlines for fixing the issue, and although he acknowledges that at the time, COVID lockdowns were causing major challenges for ISPs such as Sky, he claims the company “did not give the patch the priority their customers deserved”.
The security firm first reported the issue in May 2020, but it wasn’t until the following May that Sky told researchers that the first 50% of affected devices had been patched. Researchers were told that the goal was to complete the rest of the rollout during Summer 2021, and in August, the firm asked BBC journalists to reach out to the ISP in order to convince them to expedite the process. It was until October 2021 when Sky notified Pen Test Partners that 99% of all routers had been updated - 17 months and 11 days since initial disclosure.
“Despite having a published vulnerability disclosure programme, Sky’s communications were particularly poor and had to be chased multiple times for responses,” Fini said. “Only after we had involved a trusted journalist was the remediation programme accelerated.”
When questioned by the BBC, Sky blamed the slow rollout of the update on the large scale of delivery, stating “we take the safety and security of our customers very seriously.”
“After being alerted to the risk, we began work on finding a remedy for the problem and we can confirm that a fix has been delivered to all Sky-manufactured products.”
The flaw in question was a DNS rebinding vulnerability that allowed hackers to use a malicious web page to take control of customers’ routers and enable remote management.
“With remote management enabled, the attacker could connect directly to the router’s web application and modify any settings, such as setup up a DMZ server or configure port forwarding, exposing the internal home network to the internet,” said Fini.
RELATED RESOURCE
Why faster refresh cycles and modern infrastructure management are critical to business success
The connection between modern server infrastructure and business agility
The flaw affected several Sky Hub and Booster models, particularly those that used the same default admin credentials across all units. Although the randomly-generated admin passwords used by devices such as the Sky Hub 4 could be brute-forced, Fini noted that “a custom password would significantly decrease the chances of a successful attack”.
“The home router is the gateway between consumers and their digital life,” said John Goodacre, professor of computer architectures at the University of Manchester. “DCMS are working to ensure these ‘smart’ devices are more secure, with security built in from the start through their ‘Secure by Design’ policy.”
“Together, an increased consumer awareness of cybersecurity best practices, manufacturers delivering products to be secured by default with the underlying component being secured by design, the tide will turn against the ever-increasing impacts of cybercrime across the digital world.”
-
Trump's AI executive order could leave US in a 'regulatory vacuum'News Citing a "patchwork of 50 different regulatory regimes" and "ideological bias", President Trump wants rules to be set at a federal level
-
TPUs: Google's home advantageITPro Podcast How does TPU v7 stack up against Nvidia's latest chips – and can Google scale AI using only its own supply?
-
Security experts claim the CVE Program isn’t up to scratch anymore — inaccurate scores and lengthy delays mean the system needs updatedNews CVE data is vital in combating emerging threats, yet inaccurate ratings and lengthy wait times are placing enterprises at risk
-
IBM AIX users urged to patch immediately as researchers sound alarm on critical flawsNews Network administrators should patch the four IBM AIX flaws as soon as possible
-
Critical Dell Storage Manager flaws could let hackers access sensitive data – patch nowNews A trio of flaws in Dell Storage Manager has prompted a customer alert
-
Flaw in Lenovo’s customer service AI chatbot could let hackers run malicious code, breach networksNews Hackers abusing the Lenovo flaw could inject malicious code with just a single prompt
-
Industry welcomes the NCSC’s new Vulnerability Research Initiative – but does it go far enough?News The cybersecurity agency will work with external researchers to uncover potential security holes in hardware and software
-
Hackers are targeting Ivanti VPN users again – here’s what you need to knowNews Ivanti has re-patched a security flaw in its Connect Secure VPN appliances that's been exploited by a China-linked espionage group since at least the middle of March.
-
Broadcom issues urgent alert over three VMware zero-daysNews The firm says it has information to suggest all three are being exploited in the wild
-
Nakivo backup flaw still present on some systems months after firms’ ‘silent patch’, researchers claimNews Over 200 vulnerable Nakivo backup instances have been identified months after the firm silently patched a security flaw.
