Millions of Sky routers were afflicted by a vulnerability that would have allowed a customer’s home network to be compromised by hackers.
Researchers at Pen Test Partners found that the routers' admin interface was exposed to DNS rebinding, a technique that lets a malicious web page get around the browser's same-origin protections and send requests to devices on the visitor's home network. Users who had kept the default administrator password were the ones left most exposed.
The default password (admin: akash) was still set on a high percentage of routers, the researchers said, but routers whose password had been changed could also be targeted by a brute-force attack, in which the attacker systematically guesses passwords by trial and error.
A victim only had to visit a malicious website. The attacker's DNS server first answers with the website's real address and then, on a later lookup of the same name, with the router's private address. Because the hostname has not changed, the browser treats the router as if it were the malicious site, so scripts on that page can reach the router's administration interface and, from there, the computers and devices behind it.
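The sequence described above, and the Host-header check that stops it, as an added simulation that is not code from the article, from Pen Test Partners or from any Sky firmware. The hostnames, addresses and request shapes are constructed for illustration; only the default credentials admin:akash come from the article.

```python
"""Added example: a simulation of the DNS-rebinding attack described in the
article, next to the Host-header allowlist that a router's admin interface
can use to defeat it.  Everything below is constructed for illustration and
is not taken from any real Sky firmware.
"""
import base64
import ipaddress

ATTACKER_HOST = "evil.example"        # assumed attacker-controlled name
ATTACKER_IP = "203.0.113.10"          # assumed public address (RFC 5737 range)
ROUTER_LAN_IP = "192.168.0.1"         # assumed router LAN address
ROUTER_HOSTNAME = "router.lan"        # assumed local name for the router
DEFAULT_CREDS = ("admin", "akash")    # default credentials reported in the article

# Ranges a LAN-facing resolver should never hand back for a public name.
LAN_RANGES = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]


class RebindingResolver:
    """Attacker's authoritative DNS: answers its own public IP once (TTL 0),
    then answers the victim's router address for the very same name."""

    def __init__(self):
        self.queries = 0

    def resolve(self, name):
        if name != ATTACKER_HOST:
            raise LookupError(name)
        self.queries += 1
        return ATTACKER_IP if self.queries == 1 else ROUTER_LAN_IP


def _creds_ok(request):
    auth = request["headers"].get("Authorization", "")
    if not auth.startswith("Basic "):
        return False
    try:
        user, _, pw = base64.b64decode(auth[6:]).decode().partition(":")
    except (ValueError, UnicodeDecodeError):
        return False
    return (user, pw) == DEFAULT_CREDS


def router_admin_vulnerable(request):
    """Admin handler that only checks credentials: a rebound request with the
    default password walks straight in."""
    return (200, "admin panel") if _creds_ok(request) else (401, "unauthorized")


def router_admin_hardened(request, allowed_hosts=(ROUTER_LAN_IP, ROUTER_HOSTNAME)):
    """Same handler with a Host allowlist.  The browser sends the hostname it
    navigated to (evil.example), never the router's own name or IP, so the
    rebound request is rejected before credentials are even looked at."""
    host = request["headers"].get("Host", "").split(":", 1)[0].lower()
    if host not in allowed_hosts:
        return 403, "bad host"
    return (200, "admin panel") if _creds_ok(request) else (401, "unauthorized")


def rebinding_attack(handler):
    """Play the browser's part: load the attacker page, then let its script
    fetch the same origin after the DNS answer has flipped to the router.
    Returns the HTTP status the script receives from the router."""
    resolver = RebindingResolver()
    if resolver.resolve(ATTACKER_HOST) != ATTACKER_IP:      # initial page load
        raise RuntimeError("first answer should be the attacker server")
    target_ip = resolver.resolve(ATTACKER_HOST)             # TTL 0 forces re-query
    token = base64.b64encode(":".join(DEFAULT_CREDS).encode()).decode()
    request = {
        "dst_ip": target_ip,                                # now 192.168.0.1
        "path": "/admin",
        "headers": {"Host": ATTACKER_HOST, "Authorization": "Basic " + token},
    }
    status, _ = handler(request)
    return status


def resolver_rebind_filter(answers):
    """Resolver-side mitigation: drop A records that point into LAN ranges
    when resolving on behalf of home-network clients."""
    return [ip for ip in answers
            if not any(ipaddress.ip_address(ip) in net for net in LAN_RANGES)]


if __name__ == "__main__":
    print("vulnerable handler:", rebinding_attack(router_admin_vulnerable))
    print("hardened handler:  ", rebinding_attack(router_admin_hardened))
    print("filtered answers:  ", resolver_rebind_filter([ATTACKER_IP, ROUTER_LAN_IP]))
```

The Host check works because the browser's origin is tied to the hostname it navigated to, not to the IP that hostname currently resolves to; a request that arrives at the router carrying Host: evil.example cannot have come from a legitimate local session. A second, independent layer is a resolver that refuses to return private addresses for public names, which is what the last function models.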
Sky Hub 3 (ER110), Sky Hub 3.5 (ER115), Booster 3 (EE120), Sky Hub (SR101), Sky Hub 4 (SR203), and Booster 4 (SE210) were all affected by this problem.
“A key factor that allowed routers to be taken over automatically through the DNS rebinding vulnerability was the default credentials used by most versions of Sky devices,” Pen Test Partners wrote.
“Although a brute force attack can be used to find non-default passwords, a custom password will significantly reduce the chances of a successful attack. Some customers change their router administrator password from the default one.”
The devices are now being automatically patched by Sky, but Pen Test Partners say it took Sky 18 months to fix the issue after they first notified the company on 11 May 2020.
Pen Test Partners say they did not disclose the vulnerability after the usual 90 days because “ISPs were facing challenges from excessively increased network loading as work from home became the new norm. We didn’t want to do anything to limit the potential for people to work from home.”
Pen Test Partners eventually contacted the BBC in August this year after, they say, repeatedly chasing Sky for an update in an attempt to speed up the patch.
Ken Munro of Pen Test Partners told BBC News: “While the coronavirus pandemic put many Internet service providers under pressure as people moved to work from home, taking more than a year to fix an easily exploited security flaw is not acceptable.”
“We take the safety and security of our customers very seriously,” Sky said in response. “After being alerted to the risk, we began work on finding a solution for the problem and we can confirm that a fix has been given to all Sky-manufactured products.”
Credit: www.independent.co.uk