fbpx
Frame-14

Privacy Ninja

        • DATA PROTECTION

        • CYBERSECURITY

        • Penetration Testing

          Secure your network against various threat points. VA starts at only S$1,000, while VAPT starts at S$4,000. With Price Beat Guarantee!

        • API Penetration Testing
        • Enhance your digital security posture with our approach that identifies and addresses vulnerabilities within your API framework, ensuring robust protection against cyber threats targeting your digital interfaces.

        • On-Prem & Cloud Network Penetration Testing
        • Boost your network’s resilience with our assessment that uncovers security gaps, so you can strengthen your defences against sophisticated cyber threats targeting your network

        • Web Penetration Testing
        • Fortify your web presence with our specialised web app penetration testing service, designed to uncover and address vulnerabilities, ensuring your website stands resilient against online threats

        • Mobile Penetration Testing
        • Strengthen your mobile ecosystem’s resilience with our in-depth penetration testing service. From applications to underlying systems, we meticulously probe for vulnerabilities

        • Cyber Hygiene Training
        • Empower your team with essential cybersecurity knowledge, covering the latest vulnerabilities, best practices, and proactive defence strategies

        • Thick Client Penetration Testing
        • Elevate your application’s security with our thorough thick client penetration testing service. From standalone desktop applications to complex client-server systems, we meticulously probe for vulnerabilities to fortify your software against potential cyber threats.

        • Source Code Review
        • Ensure the integrity and security of your codebase with our comprehensive service, meticulously analysing code quality, identifying vulnerabilities, and optimising performance for various types of applications, scripts, plugins, and more

        • Email Spoofing Prevention
        • Check if your organisation’s email is vulnerable to hackers and put a stop to it. Receive your free test today!

        • Email Phishing Excercise
        • Strengthen your defense against email threats via simulated attacks that test and educate your team on spotting malicious emails, reducing breach risks and boosting security.

        • Cyber Essentials Bundle
        • Equip your organisation with essential cyber protection through our packages, featuring quarterly breached accounts monitoring, email phishing campaigns, cyber hygiene training, and more. LAUNCHING SOON.

Six Million Sky Routers Exposed to Takeover Attacks for 17 Months

Six Million Sky Routers Exposed to Takeover Attacks for 17 Months

Around six million Sky Broadband customer routers in the UK were affected by a critical vulnerability that took over 17 months to roll out a fix to customers.

The disclosed vulnerability is a DNS rebinding flaw that threat actors could easily exploit if the user had not changed the default admin password, or a threat actor could brute-force the credentials.

The result of the exploitation would be to compromise the customer’s home network, change the router’s configuration, and potentially pivot to other internal devices.

Also Read: When to Appoint a Data Protection Officer

The DNS rebinding attack on Sky routers

DNS rebinding attacks are used to bypass a browser security measure called Same Origin Policy (SOP), which blocks a site from sending requests to websites other than its own origin. This origin is usually the domain you visited in the browser.

This security measure was introduced to block one website from stealing cookies from another site, accessing data on other sites, or performing other cross-domain attacks.

As SOP focuses on the domain name rather than the IP address, the goal is to trick a browser into thinking a script was talking to the original domain, but in reality, is talking to an internal IP address (127.0.01/192.168.0.1).

This is where DNS Rebinding attacks come into play, and when conducted properly, leads to a whole slew of attacks.

For the attack to work, the victim has to be tricked into clicking a malicious link or visiting a malicious website. This could easily be done by a threat actor sending Sky customers phishing emails, social media posts, SMS texts containing links to the malicious site.

Once the victim visits the site, an iframe would be displayed that requests data from an attacker-controlled subdomain.

This script then loads a JavaScript payload on the iframe, which performs consecutive HTTP requests to the server, with the latter responding with its IP address.

After a few seconds, the server stops responding to these requests, and this triggers the re-initiation of the browser’s connection to the domain, so a new DNS request is sent.

Also Read: 4 Things to Know When Installing CCTVs Legally

owever, this time, the server replies with the target’s IP address (192.168.0.1), which is the victim’s router.

As the browser thinks it is still communicating with the origin domain, it will allow the remote website’s script to send requests to the router’s internal IP address (192.168.0.1).

The DNS re-binding attack flow
The DNS re-binding attack flow
Source: PenTestPartners

“After the connection from the JavaScript payload to the target router was established, the attacker could communicate with the internal web server and could make requests that would change settings in the same way that would normally happen from a clients web browser,” explained PenTestPartners in their report.

Using this vulnerability, the researchers created a PoC exploit that could perform a variety of malicious activity on the router, including:

  • Log in as the administrator with default credentials (user: admin – password: sky)
  • Change the admin password (necessary to enable remote management)
  • Collect and display the SSID name and WPA2 password
  • Enable remote management

A demonstration of this exploit can be see in the video below created by PenTestPartners as part of their report.

This PoC works on the following router models, which correspond to roughly six million users:

  • Sky Hub 3, 3.5, and Booster 3 (ER110, ER115, EE120) 
  • Sky Hub 2 and booster 2 (SR102, SB601) 
  • Sky Hub (SR101)
  • Sky Hub 4 and Booster 4 (SR203, SE210) – limited impact due to shipping these with random passwords

Fix took 17 months to roll out

The PenTestPartners team reported their findings on May 11, 2020, and Sky acknowledged the issue and set a fixing date for November 2020.

That was over the standard 90 days of vulnerability disclosure, but the researchers accepted it without objection since the ISP was dealing with unusual traffic burdens from the COVID-19 lockdown.

The fixing patch never came, and Sky eventually revised the plan, promising to fix 50% of the affected models by May 2021, which was fulfilled.

With the other half still vulnerable and PenTestPartners feeling that Sky was not acting with much urgency, the researchers contacted the press in August as a way to apply additional pressure.

Eventually, on October 22, 2021, Sky emailed to say that Sky had fixed 99% of all vulnerable routers via an update.

This was over 17 months since the initial disclosure, leaving users vulnerable to DNS rebinding attacks during a period when many of them worked from home.

0 Comments

KEEP IN TOUCH

Subscribe to our mailing list to get free tips on Data Protection and Data Privacy updates weekly!

Personal Data Protection

REPORTING DATA BREACH TO PDPC?

We have assisted numerous companies to prepare proper and accurate reports to PDPC to minimise financial penalties.
×

Hello!

Click one of our contacts below to chat on WhatsApp

× Chat with us