A new research reveals that approximately 6 million Sky routers were vulnerable to a DNS rebinding vulnerability that allowed a customer’s home network to be compromised from the internet. The discovery comes from Ten Pest Partners.
The researchers didn’t announce the vulnerability after 90 days, as they were aware that ISPs (Internet Service Providers) were combating a network load increases due to the pandemic’s “work from home.”
Sky Routers DNS Binding Vulnerability Explained
First of all what is DNS rebinding? This is a technique that enables an attacker to circumvent the Same-origin policy, which is a defence implemented in web browsers to prevent web applications interacting with different domains without the user’s consent.
Affected by the vulnerability were users with a default router admin password. Unfortunately, this was the case with a large number of routers. The outcome of the flaw was direct access to victims’ computers and devices, if their home network was exposed to the internet.
How can an attack be enabled? Initiating an attack involves clicking on a malicious link or visiting a malicious website.
Here are the steps required to carry out a successful attack against owners of Sky routers:
- The victim browses to the malicious website, i.e. example.com.
- This website contains an iframe, which requests data from a subdomain controlled by the attacker, i.e. example.com.
- The payload performs consecutive HTTP requests to the server. After few seconds, the malicious HTTP server stops responding to these requests.
- The browser then reinitiates connection to the domain and another DNS request is sent. This time, the malicious DNS server replies with the target’s IP address, in this case, the router attached to the clients internal network.
- The victim’s browser establishes a connection with the router.
What is mostly concerning is that Sky, the router vendor, didn’t fully address the issue for nearly 18 months.
Furthermore, despite having a published vulnerability disclosure programme, Sky’s communications were particularly poor and had to be chased multiple times for responses, the researchers shared in their report.
Only after the research team had involved a trusted journalist was the remediation programme accelerated.
What to do, if affected?
The researchers’ recommendation is changing the admin password for the router web interface as a means to mitigate the security flaw. In addition, changing the network name and Wi-Fi passwords is also recommendable.
In September 2021, CyberNews security researchers disclosed a significant number of security flaws in the default firmware and web interface app of a popular router. TP-Link AC1200 Archer C50 (v6) is a best-selling ‘Amazon’s Choice’ wifi router retails for £34.50 (~$48) in the UK, mainly sold within the European market. Unfortunately, the device is shipped with an outdated firmware version susceptible to numerous security flaws.
Not only is the router sold with vulnerable firmware but it also comes with another critical issue that concerns its web interface app. You can read more about this here: Amazon Best-Selling TP-Link Router Shipped with Vulnerable Firmware.