6M Sky routers were left exposed to cyberattacks for almost 18 months, a year and a half during which the company was trying to remediate a DNS rebinding flaw in its customers' routers. Sky is a UK-based broadband provider, and Sky Broadband is a service provided by Sky UK.

Pen Test Partners, a pen testing company offering cybersecurity solutions, notified Sky Broadband of this issue, as they state in the post they wrote on the topic. On the 11th of May 2020, they reported the issue to Sky and then repeatedly contacted the company for updates, which were apparently postponed again and again.

It seems that customers who hadn’t changed their router’s default admin password could have been impacted by this vulnerability, while non-default credentials could have been targeted by cybercriminals in brute force attacks. The vulnerability’s status now indicates that it has been remediated.

The DNS Rebinding Vulnerability: More Details

DNS rebinding is a method through which cybercriminals target private networks by turning the victim’s browser into a proxy. According to the Pen Test Partners report, these techniques allow threat actors to bypass the “same-origin policy”. What is this policy about? It is a web browser defense that allows scripts on a first web page to access information on a second web page only if the two pages share the same origin. This way, web apps cannot interact with other domains if the user does not permit this.

The vulnerability in the routers would have let a hacker reconfigure a home router, and all it would have taken to trigger it was luring a user into accessing a malicious link in a phishing attack.
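
Two defensive checks against the rebinding pattern described above, as an added example rather than code from Sky, Pen Test Partners or this article: a Host-header allowlist for a router's admin interface, and a resolver-side filter that flags internal addresses answered for outside names. The hostnames, the 192.168.0.1 address and all function names are assumptions chosen for illustration.

```python
import ipaddress

# Assumed values: the only names the router admin UI legitimately answers to.
ALLOWED_HOSTS = {"192.168.0.1", "router.home.example"}
# Assumed value: DNS suffixes that are expected to resolve to LAN addresses.
LOCAL_SUFFIXES = (".home.example",)
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",  # RFC 1918 private ranges
    "127.0.0.0/8", "169.254.0.0/16", "0.0.0.0/8",     # loopback, link-local, "this host"
    "::1/128", "fc00::/7", "fe80::/10",               # IPv6 counterparts
)]


def host_header_allowed(host_header, allowed=ALLOWED_HOSTS):
    """Admin-UI check: accept a request only if its Host header names the router.

    A rebound request reaches the router's IP address but still carries the
    outside hostname in Host, so it is rejected before any login is processed.
    """
    host = host_header.strip().lower()
    if host.startswith("["):            # bracketed IPv6 literal, e.g. [fe80::1]:80
        host = host[1:].split("]", 1)[0]
    elif host.count(":") == 1:          # name:port or IPv4:port
        host = host.split(":", 1)[0]
    return host.rstrip(".") in allowed


def is_internal(address):
    """True if the address is in a private, loopback or link-local range."""
    ip = ipaddress.ip_address(address)
    ip = getattr(ip, "ipv4_mapped", None) or ip   # unwrap ::ffff:a.b.c.d
    return any(ip.version == net.version and ip in net for net in INTERNAL_NETS)


def rebind_suspects(qname, answers, local_suffixes=LOCAL_SUFFIXES):
    """Resolver-side check: internal addresses answered for a non-local name."""
    name = qname.lower().rstrip(".")
    if ("." + name).endswith(local_suffixes):
        return []                       # LAN names may point at LAN addresses
    return [a for a in answers if is_internal(a)]


if __name__ == "__main__":
    # Constructed sample: the same outside name answered twice with a short TTL.
    for answers in (["203.0.113.10"], ["192.168.0.1"]):
        print("attacker.example", answers, rebind_suspects("attacker.example", answers))
    print(host_header_allowed("192.168.0.1"), host_header_allowed("attacker.example"))
```

Either check works independently of the admin password, which is why it complements rather than replaces changing the default credentials.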

The researchers told BBC News that hackers could then have “taken over someone’s online life”, stealing credentials for banking and various other websites.

What Router Models Were Impacted?

The same report also listed the routers that were impacted by this vulnerability: Sky Hub 3, 3.5 and Booster 3 (ER110, ER115, EE120); Sky Hub 2 and Booster 2 (SR102, SB601); and Sky Hub (SR101).

What Did Sky Enterprise Say About It?

A Sky spokesperson told the BBC:

After being alerted to the risk, we began work on finding a remedy for the problem and we can confirm that a fix has been delivered to all Sky-manufactured products.


Default Passwords Pose a Risk

Default router passwords seem to pose a real security risk, giving cybercriminals a clear path to cyberattacks aimed at credential theft.

A key factor that allowed the routers to be automatically taken over using the DNS rebinding vulnerability was the default credentials used by most versions of the Sky devices. Although a brute force attack could be used to discover non-default passwords, a custom password would significantly decrease the chances of a successful attack. Few customers change their router admin passwords from the default.


Jake Williams, the BreachQuest CTO, told Threatpost that even though the problem was complex, 18 months was a long time to address it. He also underlined the importance of making sure that default passwords are changed.

This isn’t the type of vulnerability we should be as worried about as something that truly offered full remote access to the device. (…) That’s a stroke of luck, given that most home users don’t change default passwords on their routers. (…) Still, the incident shows how important it is to change passwords. Even changing to a weak password like 123456 would prevent exploitation in this case.


Why Didn’t the Disclosure Come Earlier?

Pen Test Partners explained in their report that the initial disclosure was planned to happen during the first Covid lockdown. However, since working from home had increased at that time, ISPs were facing heavy network load and the researchers did not want to say anything that might have impacted people working from home, so the target date was set for November 2020.

They kept chasing the company for updates, and the answers indicated a long patching process. Eventually, the experts asked the BBC to contact Sky in order to speed up the patch, since the company seemed to be taking too long to address the issue and was missing the established timelines for various reasons, as explained in the report mentioned above. On October 22, Sky told the experts that 99% of the routers containing this vulnerability had been patched.

How Can Heimdal™ Help?

Once a patch is released, you should deploy it in your organization as soon as possible to get its benefits. This is where a Patch and Asset Management tool can help. Our tool supports various patches, from Microsoft to third-party and proprietary ones, and what makes the difference is the shortest vendor-to-end-user waiting time: in less than 4 hours, the repackaged and tested patch is ready to be deployed in your Heimdal™ cloud. And with more and more employees working from home, an automated Patch and Management solution becomes vital for any organization.

Author Profile

Andra Andrioaie

Security Enthusiast

Hi! My name is Andra and I am a passionate writer interested in a variety of topics. I am curious about the cybersecurity world and what I want to achieve through what I write is to keep you curious too!