Security News > 2021 > November > Infosec bods: After more than a year, Sky gets round to squashing hijacking bug in 6m home broadband routers

Infosec bods: After more than a year, Sky gets round to squashing hijacking bug in 6m home broadband routers
2021-11-23 07:31

Sky has fixed a flaw in six million of its home broadband routers, and it only took the British broadcaster'n'telecoms giant a year to do so, infosec researchers have said.

If an attack was successful, their router would fall under the attacker's control, allowing the crook to open up ports to access other devices on the local network, change the LAN's default DNS settings to redirect browsers to malicious sites, reconfigure the gateway, and cause other general mischief and irritation.

Last year, SADDNS showed it was possible to figure out the UDP port, reducing the attack complexity and prompting various patches.

In a flash notice [PDF] the FBI has warned that criminals have been able to hijack FatPipe VPN devices using a zero-day bug since May. The Feds said they had conducted forensic analysis into an attack and found the exploited vulnerability in all FatPipe WARP, MPVPN, and IPVPN device firmware prior to the latest versions, 10.1.2r60p93 and 10.2.2r44p1.

An attacker could use the security hole to upload a web shell on the equipment that would provide root access to the device.

Finding out if you're one of the victims could be tricky since the attackers frequently used cleanup scripts to hide evidence of their activities.


News URL

https://go.theregister.com/feed/www.theregister.com/2021/11/23/in_brief_security/