This was spotted and reported by a security firm, after 18 months of discovery. Sky network has now patched all the vulnerable routers and assured that no exploitations regarding this flaw were found in the meantime.
DNS Flaw Affecting Millions of Users
Internet routers are one of the critical devices in any network. As they stand as the central point of distribution, anyone with malicious intentions can leverage them for bad purposes. Thus, they should be secured to the core by both OEMs and the users. But, Sky Limited, a famous telecom and broadcaster company in the UK took 18 months to patch a flaw in its routers. As found and reported by the Pen Test Partners, over 6 million Sky routers are vulnerable to a DNS rebinding flaw. Below are the vulnerable router models;
Sky Hub 3 (ER110) Sky Hub 3.5 (ER115) Booster 3 (EE120) Sky Hub (SR101) Sky Hub 4 (SR203) Booster 4 (SE210)
Researchers said that routers with unchanged credentials, like the default admin username and password, were highly impacted. Also, the routers with non-default credentials can be brute-forced too, they warned.
The Pen Test Partners have found and reported this flaw to Sky network back in mid-2020 and gave them about 18 months to solve the issue. This is to let them cope up with the network congestion, as many have shifted onto a work-from-home basis. Talking to BBC, a Sky spokesperson said that they have patched about 99% of the vulnerable routers, which were all manufactured by them. Rest 1% of routers that are made by third-party OEMs can also be saved, with users asking Sky for a free replacement. There was no evidence found for any exploitation till now.