Around six million Sky Broadband customer routers in the UK were affected by a critical vulnerability, and it took over 17 months for a fix to be rolled out to customers.
The disclosed vulnerability is a DNS rebinding flaw that threat actors could easily exploit if the user had not changed the default admin password, or if the threat actor could brute-force the credentials.
The result of the exploitation would be to compromise the customer’s home network, change the router’s configuration, and potentially pivot to other internal devices.
The DNS rebinding attack on Sky routers
DNS rebinding attacks are used to bypass a browser security measure called Same Origin Policy (SOP), which blocks a site from sending requests to websites other than its own origin. This origin is usually the domain you visited in the browser.
This security measure was introduced to block one website from stealing cookies from another site, accessing data on other sites, or performing other cross-domain attacks.
As SOP focuses on the domain name rather than the IP address, the goal is to trick a browser into thinking a script is talking to the original domain when, in reality, it is talking to an internal IP address (127.0.0.1/192.168.0.1).
This is where DNS rebinding attacks come into play; when conducted properly, they lead to a whole slew of attacks.
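Because the browser keys its check on the name rather than the address, one place to catch rebinding is the resolver. The following is an added example, not code from the article or from Sky: it scans resolver answers for public names that resolve to internal addresses, and for names that flip from an external to an internal address within a short window. The log format, sample names, local-zone suffixes and the 60-second window are all assumptions.

```python
import ipaddress

# IPv4 ranges a public hostname should never resolve to on a home network.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16")]

# Assumed suffixes of the local zone, where internal answers are expected.
LOCAL_SUFFIXES = (".home.arpa", ".lan", ".local")

# Constructed sample log, not real data: (seconds, queried name, answer IP).
SAMPLE_LOG = [
    (0,  "www.site.example",   "198.51.100.7"),
    (10, "a1.rebind.example",  "203.0.113.10"),
    (14, "a1.rebind.example",  "192.168.0.1"),
    (20, "printer.home.arpa",  "192.168.0.50"),
    (30, "lo.tracker.example", "127.0.0.1"),
]


def is_internal(ip):
    """True if ip falls inside one of the internal ranges above."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def find_rebinding(log, window=60):
    """Return (name, ip, reason) for each suspicious answer in the log."""
    alerts = []
    last_external = {}  # name -> time of its most recent external answer
    for ts, name, ip in log:
        if name.endswith(LOCAL_SUFFIXES):
            continue  # local names legitimately map to internal addresses
        if not is_internal(ip):
            last_external[name] = ts
            continue
        seen = last_external.get(name)
        if seen is not None and ts - seen <= window:
            reason = "flipped external->internal"
        else:
            reason = "public name -> internal address"
        alerts.append((name, ip, reason))
    return alerts


if __name__ == "__main__":
    for alert in find_rebinding(SAMPLE_LOG):
        print(alert)
```

Many resolvers can drop such answers outright rather than only logging them; the same classification applies in either case.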
For the attack to work, the victim has to be tricked into clicking a malicious link or visiting a malicious website. This could easily be done by a threat actor sending Sky customers phishing emails, social media posts, or SMS texts containing links to the malicious site.
Once the victim visits the site, an iframe would be displayed that requests data from an attacker-controlled subdomain.