back to article Infosec bods: After more than a year, Sky gets round to squashing hijacking bug in 6m home broadband routers

Sky has fixed a flaw in six million of its home broadband routers, and it only took the British broadcaster'n'telecoms giant a year to do so, infosec researchers have said. We're told that the vulnerability could be exploited by tricking a subscriber into viewing a malicious webpage. If an attack was successful, their router …

  1. Mike 137 Silver badge

    Oh, ther joys of running unverified code ...

    "luring people to a webpage that uses JavaScript to cause the browser to first use an attacker-controlled DNS server [...] the browser starts talking to the router as if it's the remote server, and the JavaScript on the page can access the router's web configuration panel"

    When will we finally catch on (after more than three decades now) that running unverified code from unknown sources is not a brilliant idea?

    1. Warm Braw

      Re: Oh, ther joys of running unverified code ...

      Given that almost all the software that's written these days contains swathes of unverified code from unknown sources we need to get better at managing the consequences.

      In this particular case, the fundamental flaw would seem to be that the Sky router has well-known access credentials on the assumption that everyone and everything on the LAN side can be trusted. That would seem to be poor reasoning as it means any person or any code with access to the local network can reconfigure the router.

      Software protection mechanisms historically were there to deal with accidental programming errors: they need to be more robust in the face of deliberate malevolence. Knowing the source of code doesn't tell you much - it's easily disguised. And exactly what is 'verified' code? Do you run some sort of static analyzer? Do you have it reviewed by GCHQ? To the extent there is an answer, it's that we need to trust all code less, but there is a price to be paid in lack of convenience, which is where manufacturers, in particular, start to get cold feet.

      1. gryphon

        Re: Oh, ther joys of running unverified code ...

        Even BT is slightly better in this regard which is unusual.

        Default admin password on the latest home hub is about 12 characters semi-complex.

        i.e. Numbers, caps, lowercase but no special characters as far as I remember

        1. Al fazed

          Re: Oh, ther joys of running unverified code ...

          And you can't change the default password in another, very widely distributed home router, one which I am still waiting on the ISP's advice on how it can be changed, if at all.


      2. Doctor Syntax Silver badge

        Re: Oh, ther joys of running unverified code ...

        "Given that almost all the software that's written these days contains swathes of unverified code from unknown sources we need to get better at managing the consequences."

        We also need to get better at not containing swathes of unverified code from unknown sources. The two approaches are complementary.

        Does your website (a) complain or (b) fail to do anything at all when it finds a visitor running NoScript? If so, you're part of the problem.

    2. Al fazed

      Re: Oh, ther joys of running unverified code ...

      The fact that any User can write html via a WordPress/GoDaddy/et/al App, without having any knowledge of object oriented programming etc. is leading to a majority of business web sites - which in the main - do not work. Or in other cases are working fine, BUT in ways that the creator never intended and FFS - the "owner" is totally unaware of any unwanted activity, because they are a CEO's of small business/charity/notforprofit/educational/health organisation etc., and have many other pressing CEO type issues to deal with day to day.

      Which means that - we are going to be subjected to more and more of this zzz.zombieware.html as time goes by.

      A computer driving licence was touted once in the UK - in the days of yore, but I've heard nothing more about it.

      I mean, what is the difference between a "radio button" and a "tick box" when you are throwing together a Googledocs "form" in your tea break ? Which is of course vitally important to business knowledge and is going to be circulated amongst your actual Subscribers. You are asking them to complete said webform by clicking on the link in the eMail message .................... sent from a person who doesn't know how to "correctly" use the "form fields" provided in the eMail client and so compounds their meagre attempt at clusterfucking - and sends VIP message - from their private mobile phone eMail App.

      I could go on - but what is the point ?

      This point is that this issue is not going to go away or get any better is it ? When anyone and everyone can circulate really crap code at the drop of a hat, we'll carry on getting everything that we really really really deserve.


    3. Clausewitz 4.0

      Re: Oh, ther joys of running unverified code ...

      If European Rockets costing hundreds of millions of dollars, full of PHDs in their team, contain unverified code...

      What about a SOHO network appliance? You got the picture

    4. Mage

      Re: Oh, ther joys of running unverified code ...

      BBC and CNN webpages have served adverts with malware.

      Run Noscript, uBlockOrigin, uMatrix etc and by default block all 3rd party scripts.

      1. Anonymous Coward
        Anonymous Coward

        Re: Oh, ther joys of running unverified code ...

        > Run Noscript, uBlockOrigin, uMatrix etc and by default block all 3rd party scripts.

        Then visit the website of the UK's National Cyber Security Centre (NCSC), the org that manage the Cyber Essentials certification scheme, and get a blank page as all their webpages appear to require JavaScript , albeit not 3rd party, to show any content.

  2. Disgusted Of Tunbridge Wells Silver badge

    > change the LAN's default DNS settings

    Sky's routers don't let you change the DNS settings. Presumably they come from DHCP.

  3. Clausewitz 4.0

    US Department of Homeland Security (DHS)

    If the DHS is facing the Devil, they don't need to hire talent.

    Better to go to church and pray. But if bishops deny communion, then you have a serious problem.

    1. Steve Davies 3 Silver badge

      Re: US Department of Homeland Security (DHS)

      And don't forget to make a very, very generous contribution to the preacher's 3rd (or 4th) private jet fund while you are praying. (USA Only)

  4. Mage

    And stupid websites complain

    ALWAYS change default passwords to something about 8 to 12 characters random and written in an address book:


    "This will work reliably if the subscriber hasn't changed their router username and password from the default of admin and sky"


    Part of this is a classic attack. Even adverts on CNN & BBC webpages have served malware that scans your LAN and changes DNS settings on routers/Wifi via the Web Admin pages that have never been changed from defaults.

    Talk Talk, Virgin, BT, Vodafone, Three & more have all suffered.

    ALL Routers/WiFi are vulnerable, if they have defaults, with any browser client on any OS, unless most 3rd party javascript is blocked. Except SOME stupid websites complain you are using an "Ad blocker" when you are only doing better security than most AV software,

  5. Anonymous Coward
    Anonymous Coward

    My last 2 routers from Sky have what I assume are unique passwords

    As per the title, my current router came with the username admin, but the password is a 12 digit alphanumeric string.

    The previous router was similar but as I don't have the details for that any longer I can't say for certain what the password strength was.

    That period of time covers about 4 or 5 years for me.

    I don't know how many of these old routers are out and about but 6 million seems unlikely, a quick search tells me Sky have about 6.2 million broadband customers.

    How likely is it that 0.2 million out of 6.2 haven't had a new router given that FTTC has been rolling out and the 'older' routers didn't support that.

    When I go to my router's page to allow remote access I get this:

    'Important: If you enable Remote Management your Sky Hub default password must be changed to a very secure password.'

    If I click OK without changing the password I get this:

    'The default password must be changed before the Remote Management feature can be enabled. Select OK to change the password now. Please enable the Remote Management feature once the default password has been changed.'

    So, yes, I haven't changed my default password. I'll get abuse for that no doubt, but as it's apparently random I wasn't too bothered.

    Maybe it's calculated from the MAC address or something similar so I will probably change it now I've given it some thought.

    But the days of 'admin' and 'sky' are long gone, maybe a few left out there but I struggle to see that it would be 6 million.

    1. X5-332960073452
      Thumb Down

      Re: My last 2 routers from Sky have what I assume are unique passwords

      Every single Sky (and NowTV) routers I've used (50 - 60 in four or so years) have admin and sky (or nowtv) as the default.

      They have started to issue routers (with the 'digital voice' change over), that are admin and the Wi-Fi password.

      PS - you do know that 'remote' management is from the WAN side (internal LAN management does not require the password changing?

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like