Six million Sky routers exposed to takeover attacks for 17 months
About six million Sky Broadband customer routers in the UK were affected by a critical vulnerability that took more than 17 months to be patched on customers' devices.
The disclosed vulnerability is a DNS rebinding flaw that attackers could easily exploit if the user had not changed the default administrator password, or if the attacker could brute-force the credentials.
Successful exploitation would compromise the customer's home network, allowing the attacker to change the router configuration and potentially pivot to other devices on the internal network.
The DNS rebinding attack on Sky routers
DNS rebinding attacks are used to bypass a browser security measure called the Same-Origin Policy (SOP), which prevents a site from sending requests to websites other than its own origin. This origin is usually the domain you visited in the browser.
This security measure was introduced to prevent a website from stealing cookies from another site, accessing data on other sites, or performing other cross-domain attacks.
Since the SOP keys on the domain name rather than the IP address, the goal is to trick the browser into believing that a script is still talking to the original domain when it is in fact talking to an internal IP address (127.0.0.1 / 192.168.0.1).
This is where DNS Rebinding attacks come in and, when done correctly, lead to a whole host of attacks.
For the attack to work, the victim must be tricked into clicking a malicious link or visiting a malicious website. This could easily be done by sending Sky customers phishing emails, social media posts, or SMS messages with links to the malicious site.
Once the victim visits the site, an iframe is loaded that requests data from a subdomain controlled by the attacker.
After a few seconds, the server stops responding to these requests, which causes the browser to re-establish its connection to the domain and send a new DNS query.
This time, however, the attacker's DNS server responds with the target's IP address (192.168.0.1), which is the victim's router.
Since the browser thinks it is still communicating with the originating domain, it will allow the remote website’s script to send requests to the router’s internal IP address (192.168.0.1).
Using this vulnerability, researchers created a PoC exploit that could perform various malicious activities on the router, including:
- Log in as administrator with default credentials (user: admin – password: sky)
- Change the administrator password (required to enable remote management)
- Collect and display the SSID name and WPA2 password
- Enable remote management
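The two-phase resolution described above is exactly what a rebinding-aware resolver and a Host-header check on the router's web UI are designed to stop. The following is an added example, not code from the article or from PenTestPartners; the domain `rebind.attacker.example` and the constructed answer sequence are hypothetical.

```python
import ipaddress

# Mitigation 1 (resolver side): drop DNS answers that map an external name to an
# internal address (the behaviour of dnsmasq's --stop-dns-rebind option).
# Mitigation 2 (device side): the router's web UI accepts only its own Host values.
PRIVATE_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
    ipaddress.ip_network("127.0.0.0/8"),
    ipaddress.ip_network("169.254.0.0/16"),
    ipaddress.ip_network("0.0.0.0/8"),
]
LOCAL_SUFFIXES = (".lan", ".local", ".home")

def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in PRIVATE_NETS)

def rebind_blocked(qname: str, answers: list[str]) -> bool:
    """True if a resolver should drop this answer set: a non-local name that
    resolves to an internal address is the rebinding signature."""
    if qname.lower().endswith(LOCAL_SUFFIXES):
        return False  # internal names legitimately map to internal addresses
    return any(is_internal(a) for a in answers)

def host_header_ok(host_header: str, allowed: set[str]) -> bool:
    """Router web UI check: accept only its own addresses/names (port stripped)."""
    host = host_header.split(":", 1)[0].strip().lower()
    return host in allowed

# Constructed sample of what the victim's resolver sees (hypothetical names).
# Phase 1: the attacker's subdomain resolves to a public address.
# Phase 2: after the short TTL expires, the same name resolves to the router.
SAMPLE_ANSWERS = [
    ("rebind.attacker.example", ["203.0.113.10"]),
    ("rebind.attacker.example", ["192.168.0.1"]),
    ("router.lan", ["192.168.0.1"]),
]

def audit(answers=SAMPLE_ANSWERS) -> list[bool]:
    return [rebind_blocked(q, a) for q, a in answers]

if __name__ == "__main__":
    for (q, a), blocked in zip(SAMPLE_ANSWERS, audit()):
        print(f"{q} -> {a}: {'BLOCKED' if blocked else 'allowed'}")
    # The rebound script's request still carries the attacker's hostname in Host.
    print(host_header_ok("rebind.attacker.example", {"192.168.0.1", "skyrouter.lan"}))
```

Only the second phase (an external name answering with 192.168.0.1) is blocked; the legitimate `router.lan` answer passes, and the Host check rejects the rebound request even if the DNS filter is absent.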
A demonstration of this exploit can be seen in a video created by PenTestPartners as part of their report.
This PoC works on the following router models, which correspond to approximately six million users:
- Sky Hub 3, 3.5 and Booster 3 (ER110, ER115, EE120)
- Sky Hub 2 and Booster 2 (SR102, SB601)
- Sky Hub (SR101)
- Sky Hub 4 and Booster 4 (SR203, SE210) – limited impact due to shipping with random passwords
Fix took 17 months to deploy
The PenTestPartners team reported their findings on May 11, 2020; Sky acknowledged the issue and set a fix date of November 2020.
This was well beyond the standard 90-day disclosure window, but the researchers accepted it without objection since the ISP was facing unusual traffic loads due to the COVID-19 lockdown.
The fix never arrived, and Sky eventually revised the plan, promising to patch 50% of the affected models by May 2021, which it did.
With the other half still vulnerable, and PenTestPartners believing Sky was not acting with much urgency, researchers contacted the press in August to exert additional pressure.
Finally, on October 22, 2021, Sky sent an email saying it had fixed 99% of all vulnerable routers via an update.
It had been over 17 months since the initial disclosure, leaving users vulnerable to DNS rebinding attacks during a time when many were working from home.