Skip to content
Pen Test Partners did not disclose the vulnerability after 90 days because it knew ISPs were struggling with a pandemic-increased network load as work from home became the new norm.
Sky, a UK broadband provider, left about 6m customers exposed to attackers who could remotely attack their home networks: a nice, soft attack surface left that way for nearly 18 months as the company tried to fix a DNS rebinding vulnerability in customers’ routers.
Sky Broadband
Pen Test Partners reported the problem to Sky Broadband – a broadband service offered by Sky UK in the UK – on May 11, 2020 … & then chased Sky for a repeatedly postponed update, the security firm stated in a post.
The flaw could have affected customers who had not changed the default admin password on their routers. As well, non-default credentials could have been brute-forced, according to Pen Test Partners. The vulnerability has now been fixed.
Model Numbers
These are the affected model numbers:
- Sky Hub 3 (ER110)
- Sky Hub 3.5 (ER115)
- Booster 3 (EE120)
- Sky Hub (SR101)
- Sky Hub 4 (SR203)
- Booster 4 (SE210)
While the last 2 router models were also affected by the weakness, they come with a random admin password, making them tougher to attack but also leaving them prey to brute-forcing attacks.
The BBC reports that another 1% of routers that Sky gives out are not made by the company itself, though customers who own such routers can ask for a free replacement.
DNS Vulnerability Explained
DNS rebinding is a technique that turns a victim’s browser into a proxy for attacking private networks.
We’ve seen it used before, & at an even greater scale than this Sky Flop: It was used in a 2-step proof-of-concept exploit researchers demonstrated in Jan. 2020, gaining remote access to a compromised spectrum analyser.
Multiple cable modems used by ISPs to provide broadband into homes were found to have the critical vulnerability in their underlying reference architecture – a vulnerability that would allow an attacker to get full remote control of the device.
The footprint for the affected devices numbered in the 100 of millions worldwide.
Pen Test Partners
Pen Test Partners explained that the DNS rebinding technique allows an attacker to bypass the “Same-origin” policy: a defence in web browsers that permits scripts contained in a 1st web page to access data in a second web page, but only if both web pages have the same origin, thereby preventing web applications from interacting with different domains without the user’s consent.
The exploit, which would have allowed an attacker to reconfigure a victim’s home router, could have been triggered simply by directing a user, via a phishing attack, to a malicious link.
Take Over
From there, the threat player could “take over someone’s online life,” stealing passwords for banking & other sensitive sites, Pen Test Partner’s Ken Munro told BBC News.
The security firm posted a proof-of-concept video on Fri.
Pen Test Partners has not found evidence that the vulnerability has been exploited in the wild.
Why the Slowness?
Sky didn’t immediately respond to queries, but the company told the BBC that updating so many routers took time & that it takes the safety and security of its customers “very seriously.”
The BBC quoted a Sky spokesperson: “After being alerted to the risk, we began work on finding a remedy for the problem & we can confirm that a fix has been delivered to all Sky-manufactured products.”
Vulnerable Routers
As for why Pen Test Partners did not disclose its findings for so long, the firm explained that the lag, at least initially, seemed to make sense, given work slowdowns caused by the Coronavirus, followed by a Christmas change freeze, followed next by a series of deadlines missed without explanation.
Finally, in Aug., Pen Test asked the BBC to contact Sky. On Oct. 22, Sky told the security firm that 99% of the vulnerable routers had been fixed.
90 Days
Pen Test Partners said they didn’t disclose the vulnerability after 90 days because “ISPs were dealing with challenges from vastly increased network loading as working from home became the new norm. We didn’t want to do anything to limit the ability of people to work from home.”
Munro told BBC News that the foot-dragging was “baffling:” “While the coronavirus pandemic put many internet service providers under pressure, as people moved to working from home, taking well over a year to fix an easily exploited security flaw simply isn’t acceptable,” he was quoted as saying.
Problem of Default Passwords
The fact that so many routers are being shipped with default passwords exposed to the internet is “inexcusable in 2021,” John Bambenek, Principal Threat Hunter at security firm Netenrich, outlined on Fri.
“This isn’t a vulnerability or security flaw, it’s gross negligence & we should call it exactly that,” he wrote. “Knowing that they did this, it’s not surprising that it took 18 months to address.”
Rebinding Vulnerabilities
Sky got more sympathy out of Jake Williams, Co-Founder, & CTO at incident response firm Breach Quest, who stated that DNS rebinding vulnerabilities are tough to work out, being “relatively complex” & often “difficult for developers to understand.”
In an email on Fri. Williams said he does not find it surprising that Sky’s developers repeatedly missed their original timelines.
But still … 18 months? That’s “far too long to address” a flaw, regardless of how technically tough it is to understand, he commented.
“The good news is that while Pentest Partners, the firm that discovered the vulnerability, makes the exploitation look effortless, exploitation is actually a bit more complex than most vulnerabilities,” he observed.
Remote Access
He outlined, it could have been worse: “This isn’t the type of vulnerability we should be as worried about as something that truly offered full remote access to the device,” he cautioned.
That is lucky, given that most home users do not change default passwords on their routers, he noted. Still, the incident shows how important it is to change passwords, Williams concluded: “Even changing to a weak password like 123456 would prevent exploitation in this case.”
https://www.cybernewsgroup.co.uk/virtual-conference-december-2021/
