Significant Security Flaw Left 6 Million Sky Routers Customers Exposed

Last updated November 19, 2021
Written by: Lore Apostol, Infosec Writer & Editor

A major flaw in Sky broadband routers affected some 6 million customers, leaving their home networks open to remote compromise. Even though the issue was reported as soon as it was discovered, the company took 18 months to fix it, leaving its customers exposed the whole time. The researchers chose not to publish their findings at the standard 90-day deadline because so many users were working from home and would have been affected.

In May 2020, researchers discovered a DNS rebinding vulnerability in Sky routers that allowed an attacker to bypass the same-origin policy, the browser feature that prevents a web page from interacting with other domains without the user's consent. The flaw affected users who had not changed the router's default admin password (which, sadly, was the case for a great number of routers), although non-default credentials could also be brute-forced.

(Image source: PenTestPartners)

The attack began when a user opened a malicious link or visited an attacker-controlled website containing an iframe that requested data from a subdomain under the attacker's control. The attacker's DNS server answered this first request with the real IP address of the attacker's web server, so the iframe loaded a JavaScript payload that then sent repeated HTTP requests to that server.

After a few seconds the malicious HTTP server stopped responding, so the browser issued a fresh DNS lookup for the subdomain; this time the malicious DNS server replied with the LAN address of the victim's router. As a result, the browser now treated the router's IP address (192.168.0.1) as the subdomain's address and, dangerously, gave the iframe's script access to the router.

Once the payload had a connection to the target router, the attacker could use the router's web application directly and, for example, set up a DMZ host or configure port forwarding to expose devices on the user's network to the internet.
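The rebinding sequence described above can be blocked at two layers, and the following added example (not code from the article or from Pen Test Partners) shows both. The first is a resolver-side filter that refuses to let a name outside the local zone resolve to a private address, the behaviour dnsmasq offers as stop-dns-rebind. The second is a Host-header allow-list of the kind a router's admin UI should enforce: after rebinding, the browser still sends the attacker's hostname in the Host header, which does not match any name the router answers to. The domain names, addresses and local zone used here are constructed assumptions.

```python
import ipaddress
from typing import List, Tuple

# Constructed sample of the two DNS answers a rebinding attack relies on:
# the first points at the attacker's public server, the second (for the
# same name) at the victim's router. Names and addresses are made up.
CONSTRUCTED_ANSWERS: List[Tuple[str, str]] = [
    ("payload.attacker.example", "203.0.113.10"),
    ("payload.attacker.example", "192.168.0.1"),
]

# Address ranges that a public hostname should never resolve to.
PRIVATE_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16",
    "fc00::/7", "fe80::/10", "::1/128",
)]


def is_rebinding_answer(qname: str, address: str, local_zone: str = "home.lan") -> bool:
    """Resolver-side check: a name outside the local zone (assumed 'home.lan')
    must not resolve to a private or loopback address. Returns True when the
    answer should be dropped."""
    ip = ipaddress.ip_address(address)
    name = qname.rstrip(".").lower()
    in_local_zone = name == local_zone or name.endswith("." + local_zone)
    # ip_network.__contains__ returns False across IP versions, so mixing v4/v6 is safe.
    return (not in_local_zone) and any(ip in net for net in PRIVATE_NETS)


def filter_answers(answers: List[Tuple[str, str]]):
    """Split DNS answers into the ones to forward and the ones to drop."""
    kept, dropped = [], []
    for qname, addr in answers:
        (dropped if is_rebinding_answer(qname, addr) else kept).append((qname, addr))
    return kept, dropped


def _hostname(host_header: str) -> str:
    """Strip an optional port from a Host header value, handling IPv6 literals."""
    h = host_header.strip().lower()
    if h.startswith("["):
        return h[1:h.index("]")] if "]" in h else h
    return h.split(":", 1)[0]


def host_header_allowed(host_header: str,
                        allowed_hosts=("192.168.0.1", "router.home.lan")) -> bool:
    """Application-side check for an admin UI: accept only the router's own
    names and addresses (assumed values) so a request that reached the router
    via a rebound attacker hostname is rejected before any handler runs."""
    return _hostname(host_header) in allowed_hosts


if __name__ == "__main__":
    kept, dropped = filter_answers(CONSTRUCTED_ANSWERS)
    print("forwarded:", kept)
    print("dropped as rebinding:", dropped)
    for host in ("192.168.0.1:80", "payload.attacker.example", "[::1]:8080"):
        print(host, "->", "allowed" if host_header_allowed(host) else "rejected")
```

The resolver check mirrors what a home gateway's caching resolver can do for every device on the LAN, while the Host-header check protects the admin interface even when a client uses an unfiltered resolver, which is why both are worth having.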

This security flaw affected the following models: Sky Hub 3, 3.5 and Booster 3 (ER110, ER115, EE120), Sky Hub 2 and Booster 2 (SR102, SB601), Sky Hub (SR101), and Sky Hub 4 and Booster 4 (SR203, SE210).

This month, a new piece of malware written in the open-source programming language Go (Golang) was found carrying 33 ready-to-use exploits for vulnerabilities in millions of routers and IoT devices. And in October, Cisco Talos disclosed multiple vulnerabilities in the ZTE MF971R LTE portable router.



For a better user experience we recommend using a more modern browser. We support the latest version of the following browsers: For a better user experience we recommend using the latest version of the following browsers: