
Sky Broadband took almost 18 months to fix serious router flaw

Flaw could expose users’ home networks to hackers

Sky Broadband took around 18 months to fix a security flaw affecting nearly six million of its routers which could enable home networks to be remotely compromised by hackers.

According to a blog post by Pen Test Partners security researcher Rafael Fini, Sky failed to meet numerous self-imposed deadlines for fixing the issue, and although he acknowledges that at the time, COVID lockdowns were causing major challenges for ISPs such as Sky, he claims the company “did not give the patch the priority their customers deserved”.

The security firm first reported the issue in May 2020, but it wasn’t until the following May that Sky told researchers that the first 50% of affected devices had been patched. Researchers were told that the goal was to complete the rest of the rollout during Summer 2021, and in August the firm asked BBC journalists to reach out to the ISP in order to convince it to expedite the process. It wasn’t until October 2021 that Sky notified Pen Test Partners that 99% of all routers had been updated - 17 months and 11 days after initial disclosure.

“Despite having a published vulnerability disclosure programme, Sky’s communications were particularly poor and had to be chased multiple times for responses,” Fini said. “Only after we had involved a trusted journalist was the remediation programme accelerated.” 

When questioned by the BBC, Sky blamed the slow rollout of the update on the large scale of delivery, stating “we take the safety and security of our customers very seriously.”

“After being alerted to the risk, we began work on finding a remedy for the problem and we can confirm that a fix has been delivered to all Sky-manufactured products.”

The flaw in question was a DNS rebinding vulnerability that allowed hackers to use a malicious web page to take control of customers’ routers and enable remote management.

“With remote management enabled, the attacker could connect directly to the router’s web application and modify any settings, such as setting up a DMZ server or configuring port forwarding, exposing the internal home network to the internet,” said Fini.
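The two paragraphs above describe the mechanism: a malicious page makes the browser resolve the attacker's hostname, the DNS answer is later switched to the router's LAN address, and the page's scripts are then talking to the router's admin interface while the browser still believes it is on the attacker's site. The example below is added here and is not code from the article, from Sky or from Pen Test Partners; it shows the two standard defences from the defender's side: a resolver-side filter that drops answers mapping public names to private addresses, a detection pass over resolver logs for names whose answers flip from public to private, and a Host-header check for the router's own web admin. The LAN address 192.168.0.1, the hostname router.lan, the `.lan` suffix and the log lines are constructed assumptions.

```python
import ipaddress

# Constructed assumption: the router serves its admin UI only on these names.
ROUTER_HOSTS = {"192.168.0.1", "router.lan"}

# Address ranges a public hostname should never resolve to on a home network.
PRIVATE_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918
    "127.0.0.0/8", "169.254.0.0/16",                   # loopback, link-local
    "fc00::/7", "fe80::/10", "::1/128")]               # IPv6 equivalents


def is_private_address(ip_text):
    """True if ip_text parses as an address inside one of PRIVATE_NETS."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False
    # ip_network.__contains__ returns False for a mismatched IP version.
    return any(ip in net for net in PRIVATE_NETS)


def is_rebinding_answer(qname, answers, trusted_suffixes=("lan",)):
    """Resolver-side filter: a DNS answer for a name outside the trusted local
    suffixes that points at a private address is what a rebinding attack
    relies on, so the resolver should drop it (dnsmasq's --stop-dns-rebind
    option implements this same rule)."""
    name = qname.rstrip(".").lower()
    for suffix in trusted_suffixes:
        if name == suffix or name.endswith("." + suffix):
            return False          # local names are allowed to be local
    return any(is_private_address(a) for a in answers)


def names_that_flipped(observations):
    """Detection over resolver logs. observations is an iterable of
    (qname, answer_ip, ttl). A name that has been seen resolving to a public
    address and, later, to a private one is the signature of rebinding."""
    seen = {}
    for qname, ip, _ttl in observations:
        seen.setdefault(qname.rstrip(".").lower(), set()).add(is_private_address(ip))
    return sorted(q for q, kinds in seen.items() if kinds == {True, False})


def host_header_allowed(host_header, allowed_hosts=ROUTER_HOSTS):
    """Router-side check for the admin web application. Even when rebinding
    succeeds, the browser still sends the attacker's hostname in the Host
    header, so a router that only answers for its own names is not exposed."""
    if host_header is None:
        return False
    host = host_header.strip().lower()
    if host.startswith("["):                    # [IPv6]:port or [IPv6]
        host = host[1:host.find("]")]
    elif host.count(":") == 1:                  # name:port or IPv4:port
        host = host.rsplit(":", 1)[0]
    return host in allowed_hosts


# Constructed resolver log: (queried name, answer, TTL in seconds).
SAMPLE_LOG = [
    ("evil.example", "93.184.216.34", 1),      # first answer: attacker's server
    ("evil.example", "192.168.0.1", 1),        # second answer: the router
    ("www.example.com", "93.184.216.34", 300), # ordinary lookup, never flips
    ("router.lan", "192.168.0.1", 60),         # legitimately local
]

if __name__ == "__main__":
    print("flipped names:", names_that_flipped(SAMPLE_LOG))
    print("drop answer:", is_rebinding_answer("evil.example", ["192.168.0.1"]))
    print("serve admin UI:", host_header_allowed("evil.example"))
```

The low TTL in the constructed log is the tell-tale of the technique but is not required for the detection: any public-to-private flip for the same name is reported. The Host-header check is the control that would have closed the hole described in the article regardless of what the client's resolver did, which is why it belongs on the router itself rather than in the customer's browser or DNS settings.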


The flaw affected several Sky Hub and Booster models, particularly those that used the same default admin credentials across all units. Although the randomly-generated admin passwords used by devices such as the Sky Hub 4 could be brute-forced, Fini noted that “a custom password would significantly decrease the chances of a successful attack”.

“The home router is the gateway between consumers and their digital life,” said John Goodacre, professor of computer architectures at the University of Manchester. “DCMS are working to ensure these ‘smart’ devices are more secure, with security built in from the start through their ‘Secure by Design’ policy.” 

“Together, an increased consumer awareness of cybersecurity best practices, manufacturers delivering products to be secured by default with the underlying component being secured by design, the tide will turn against the ever-increasing impacts of cybercrime across the digital world.”
