UK broadband provider Sky left about 6 million customers exposed to attackers who could remotely gain access to their home networks. Researchers reported the problem to Sky Broadband in May 2020 but did not receive an update for almost 18 months.
The flaw affected customers who had not changed the default admin password on their routers; non-default credentials could also have been brute-forced. The vulnerability is believed to have now been fixed.
The affected model numbers are: Sky Hub 3 (ER110), Sky Hub 3.5 (ER115), Booster 3 (EE120), Sky Hub (SR101), Sky Hub 4 (SR203) and Booster 4 (SE210).
The last two models were also affected, but they ship with a random admin password, which makes them harder to attack while still leaving them open to brute-forcing.
DNS rebinding is a technique that turns a victim's browser into a proxy for attacking private networks. It has been used before, and on an even greater scale: in January 2020, researchers demonstrated a two-step proof-of-concept exploit that used it to gain remote access to cable modems through their spectrum analyser component.
Multiple cable modems used by ISPs to provide broadband into homes were found to have a critical vulnerability in their underlying reference architecture, one that would allow an attacker to take full remote control of the device. The researchers explained that DNS rebinding lets an attacker bypass the same-origin policy, a browser defence that allows a script in one web page to access data in a second page only if both pages share the same origin (scheme, host and port). The policy is what stops a web page from interacting with other domains, including a router's admin interface on the LAN, without the user's consent. Rebinding defeats it because the browser checks the origin's hostname, not the IP address it resolves to: once the attacker's DNS record flips from their own server to the router's private address, requests to that hostname land on the router and are treated as same-origin.
The exploit, which would have allowed an attacker to reconfigure a victim's home router, could have been triggered simply by luring a user to a malicious link via a phishing attack. From there, the threat actor could "take over someone's online life," stealing passwords for banking and other sensitive sites.
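The rebinding flow described above, as an added simulation in Python (not code from the original article or from the researchers): a resolver that flips the attacker's hostname from their own server to the router's LAN address, a browser that applies the same-origin policy on the hostname only, a router admin interface with and without a Host-header check, and a resolver-side filter of the kind dnsmasq offers. The hostname attacker.example, the addresses, the password "admin" and the DNS-server reconfiguration step are all assumptions made for the example, not Sky's real values.

```python
import ipaddress

# Everything below is constructed for the simulation: the hostname, the
# addresses and the password are placeholders, not Sky's real values.
ATTACKER_NAME = "attacker.example"   # attacker-controlled hostname (assumed)
ATTACKER_IP = "203.0.113.10"         # attacker's public web server (documentation range)
ROUTER_IP = "192.168.0.1"            # victim's router on the home LAN
DEFAULT_PASSWORD = "admin"           # placeholder default credential
ISP_RESOLVER = "198.51.100.53"       # placeholder for the ISP's DNS server

# Ranges a public hostname should never resolve to (RFC 1918, loopback,
# link-local). Listed explicitly rather than via ipaddress.is_private,
# which also flags the documentation ranges used above.
LAN_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16")]


class FlippingResolver:
    """Attacker's authoritative DNS for ATTACKER_NAME. The first lookup
    returns the attacker's server; every later lookup returns the router.
    A TTL of 0 on the first answer makes the browser look the name up again
    for its next request, which is what makes the flip take effect."""

    def __init__(self):
        self.lookups = 0

    def resolve(self, name):
        if name != ATTACKER_NAME:
            raise LookupError(name)
        self.lookups += 1
        return ATTACKER_IP if self.lookups == 1 else ROUTER_IP


def is_rebinding_answer(name, ip, local_suffixes=(".local", ".lan", ".home")):
    """Resolver-side mitigation: refuse answers that map a non-local name to
    a LAN address (the behaviour of dnsmasq's --stop-dns-rebind option)."""
    if name.endswith(local_suffixes):
        return False
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in LAN_NETS)


class AttackerSite:
    """The phishing page; it only needs to be served from ATTACKER_NAME."""

    def handle(self, host_header, **_):
        return 200, "<script>/* wait for TTL expiry, then fetch() own origin */</script>"


class RouterAdminUI:
    """Router's web admin interface. check_host=True applies the standard
    rebinding defence: reject requests whose Host header is not the router's
    own address, since a LAN user never reaches it under an attacker's name."""

    def __init__(self, password=DEFAULT_PASSWORD, check_host=False):
        self.password = password
        self.check_host = check_host
        self.dns_servers = [ISP_RESOLVER]

    def handle(self, host_header, password=None, new_dns=None):
        if self.check_host and host_header != ROUTER_IP:
            return 400, "Host header does not match router"
        if password != self.password:
            return 401, "bad credentials"
        if new_dns:                      # the "reconfigure the router" step
            self.dns_servers = [new_dns]
        return 200, "saved"


class Browser:
    """Enforces the same-origin policy on the origin's hostname. It never
    compares the IP the hostname resolved to, which is the gap rebinding uses."""

    def __init__(self, resolver, network):
        self.resolver = resolver
        self.network = network          # ip -> server object
        self.page_origin = None

    def open_page(self, host):
        self.page_origin = host
        return self.network[self.resolver.resolve(host)].handle(host_header=host)

    def fetch(self, host, **request):
        if host != self.page_origin:
            raise PermissionError("blocked by same-origin policy")
        ip = self.resolver.resolve(host)  # TTL 0: looked up again, now the router
        return self.network[ip].handle(host_header=host, **request)


def victim_browser(router):
    browser = Browser(FlippingResolver(), {ATTACKER_IP: AttackerSite(), ROUTER_IP: router})
    browser.open_page(ATTACKER_NAME)      # victim follows the phishing link
    return browser


def run_attack(router, password=DEFAULT_PASSWORD, rogue_dns="203.0.113.53"):
    """The page's script re-requests its own origin; the name has been rebound
    to 192.168.0.1, so the request reaches the router and passes SOP."""
    browser = victim_browser(router)
    status, _ = browser.fetch(ATTACKER_NAME, password=password, new_dns=rogue_dns)
    return status, router.dns_servers


def brute_force(router, wordlist):
    """A non-default password only turns the attack into a guessing loop over
    the same rebound origin; a weak one falls quickly."""
    browser = victim_browser(router)
    for guess in wordlist:
        if browser.fetch(ATTACKER_NAME, password=guess)[0] == 200:
            return guess
    return None


if __name__ == "__main__":
    print(run_attack(RouterAdminUI()))                 # (200, ['203.0.113.53'])
    print(run_attack(RouterAdminUI(check_host=True)))  # (400, ['198.51.100.53'])
    print(brute_force(RouterAdminUI(password="sky1234"), ["admin", "password", "sky1234"]))
```

The browser never sees anything wrong: the origin string is identical on both requests, so the same-origin policy is satisfied even though the second request is delivered to the router. The two mitigations live outside the browser, on the router (Host-header check) and on the resolver (refusing LAN answers for public names), and the brute-force helper shows why a non-default but weak password only slows the attack down.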
Sky said: “After being alerted to the risk, we began work on finding a remedy for the problem and we can confirm that a fix has been delivered to all Sky-manufactured products.”
Researchers added: “While the coronavirus pandemic put many internet service providers under pressure, as people moved to working from home, taking well over a year to fix an easily exploited security flaw simply isn’t acceptable. The fact that so many routers are being shipped with default passwords exposed to the internet is inexcusable in 2021.”
The incident highlights how important it is to change default passwords. In this case, changing the default would have blocked the simplest form of the attack, although a weak replacement could still have been brute-forced.