Sky Broadband took almost 18 months to fix serious router flaw

Sky Broadband took around 18 months to fix a security flaw affecting nearly six million of its routers which could enable home networks to be remotely compromised by hackers.

According to a blog post by Pen Test Partners security researcher Rafael Fini, Sky failed to meet numerous self-imposed deadlines for fixing the issue, and although he acknowledges that at the time, COVID lockdowns were causing major challenges for ISPs such as Sky, he claims the company “did not give the patch the priority their customers deserved”.

The security firm first reported the issue in May 2020, but it wasn’t until the following May that Sky told researchers that the first 50% of affected devices had been patched. Researchers were told that the goal was to complete the rest of the rollout during Summer 2021, and in August, the firm asked BBC journalists to reach out to the ISP in order to convince them to expedite the process. It was until October 2021 when Sky notified Pen Test Partners that 99% of all routers had been updated - 17 months and 11 days since initial disclosure.

“Despite having a published vulnerability disclosure programme, Sky’s communications were particularly poor and had to be chased multiple times for responses,” Fini said. “Only after we had involved a trusted journalist was the remediation programme accelerated.”

When questioned by the BBC, Sky blamed the slow rollout of the update on the large scale of delivery, stating “we take the safety and security of our customers very seriously.”

“After being alerted to the risk, we began work on finding a remedy for the problem and we can confirm that a fix has been delivered to all Sky-manufactured products.”

The flaw in question was a DNS rebinding vulnerability that allowed hackers to use a malicious web page to take control of customers’ routers and enable remote management.

“With remote management enabled, the attacker could connect directly to the router’s web application and modify any settings, such as setup up a DMZ server or configure port forwarding, exposing the internal home network to the internet,” said Fini.

The flaw affected several Sky Hub and Booster models, particularly those that used the same default admin credentials across all units. Although the randomly-generated admin passwords used by devices such as the Sky Hub 4 could be brute-forced, Fini noted that “a custom password would significantly decrease the chances of a successful attack”.

“The home router is the gateway between consumers and their digital life,” said John Goodacre, professor of computer architectures at the University of Manchester. “DCMS are working to ensure these ‘smart’ devices are more secure, with security built in from the start through their ‘Secure by Design’ policy.”

“Together, an increased consumer awareness of cybersecurity best practices, manufacturers delivering products to be secured by default with the underlying component being secured by design, the tide will turn against the ever-increasing impacts of cybercrime across the digital world.”