6M Sky Routers Left Exposed to Attack for Nearly 1.5 Years

2021-11-19 17:39

Sky, a U.K. broadband provider, left about 6 million customers' underbellies exposed to attackers who could remotely sink their fangs into their home networks: a nice, soft attack surface left that way for nearly 18 months as the company tried to fix a DNS rebinding vulnerability in customers' routers.

Pen Test Partners reported the problem to Sky Broadband - a broadband service offered by Sky UK in the United Kingdom - on May 11, 2020 and then chased Sky for a repeatedly postponed update, the security firm said in a post.

The BBC reports that another 1 percent of routers that Sky gives out aren't made by the company itself, though customers who own such routers can ask for a free replacement.

Sky didn't immediately respond to Threatpost's queries, but the company told the BBC that updating so many routers took time and that it takes the safety and security of its customers "Very seriously."

On Oct. 22, Sky told the security firm that 99 percent of the vulnerable routers had been fixed.

Sky got more sympathy out of Jake Williams, co-founder and CTO at incident response firm BreachQuest, who said that DNS rebinding vulnerabilities are tough to suss out, being "Relatively complex" and often "Difficult for developers to understand."

News URL

https://threatpost.com/6m-sky-routers-exposed-18-months/176483/

#attack #router