If you were an earlyish adopter of Sky Broadband in the UK, it’s quite likely that you received the white ‘Sky’ router – this is in fact a rebadged Netgear DG834GT which is an awesome little router when it doesn’t have Sky’s crappy and insecure firmware on it!

There are a number of problems I’ve identified with Sky’s firmware:

  • It hides the username and password from you so you’re unable to switch the Netgear box for a different one, should you want to.
  • Multiple VPN connections don’t work (e.g. you have two PCs and want to connect them both to your office VPN)
  • Most importantly – Security concerns. (see below – apparently these were already known about, just never documented properly from my searches)

There are also a bunch of benefits in using a custom (or standard) firmware:

  • Faster speeds
  • Wake On LAN
  • Remote Admin via web, telnet and SSH
  • No-IP support
  • WPA2 support
  • Loads of other stuff

So, that security concern. First of all, Sky are able to tap into your router and wipe it back to ‘factory’ settings, as well as upgrade the firmware - I find this quite worrying and found out by accident. I’d set up a bunch of custom options such as renaming the wireless SSID from SKY123456 to something I made up, as well as setting up fixed DHCP leases etc. I get a call from my girlfriend, saying she can’t connect to the internet after our broadband went down and she phoned Sky for help. Turns out they whacked down their latest firmware update, wiping my settings (including custom SSID) in the process!

Secondly, it is possible to calculate the default Sky router WPA key by simply knowing the router MAC address, which you can get from a tool like NetStumbler in a matter of seconds. You can spot a standard Sky router a mile off with a daft SSID name like SKY45678. Armed with the MAC, use the username & password tool below and it’ll give you the WPA key. Very dodgy! (FYI the Netgear router will have a MAC starting with 00184D)

Following learning these two pieces of information, I set out to remove their (IMO) insecure firmware, and replace it with something I know they won’t be able to access. Say hello to the DGTeam custom firmware :-)

Here’s what you need to do to get it loaded:

  1. Get your username and password for your Sky router – you can do that from here – https://www.cm9.net/skypass/. I find the fact that the MAC address/WPA key algorithm is freely available on the net slightly worrying, but that’s probably beyond the scope of this article.
  2. Download the Netgear DG834 Recovery Utility
  3. Download the latest DGTeam DG834GT Custom Firmware
  4. Unpack the recovery utility somewhere, and stick the .img file you downloaded from DGTeam into the same folder.
  5. Put your router into Kernel mode – pull the power, stick a pin in the reset hole on the back and power it back up. The power and orange tick next to it will flash alternately if you’ve done it correctly.
  6. Load the recovery tool. NB – this bluescreened my Vista box and I had to use my XP one to get it to work! (it’s probably because the network stack in Vista is massively different to the XP one, and the tool is quite old and stupid, but I can’t be bothered to spend any time investigating it. Just find an XP box :-) )
  7. Select the NIC that is connected to the router (must be wired). Click next/ok a few times and it’ll find the router and start the upgrade. Now is not a good time to turn your PC off, find yourself amidst a powercut, or pull out the network cable from your PC.
  8. Let it finish and connect the web browser to your router IP – the Sky default is 192.168.0.1 – if you’ve changed it that will be retained post firmware flash.
  9. I was lucky here and it had retained my Sky username and password as well as wireless settings without me doing anything, I can’t vouch for anyone else though. All I had to do was click connect.
  10. Check out the faster connection speed, I jumped from 3900ish to 4128 – not bad!
  11. RENAME YOUR SSID AND CHANGE THE ROUTER USERNAME/PASSWORD!
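
A post-flash check for step 11 and the default-key problem described earlier, as an added example that is not part of the original post: given your own router's SSID and MAC, it reports which Sky defaults still need changing. The "SKY followed by digits" pattern is an assumption based on the SSIDs quoted in the article, and the function and parameter names are made up for illustration.

```python
import re

# Values taken from the article: default SSIDs look like SKY45678 / SKY123456,
# and the rebadged Netgear's MAC starts with 00184D.
DEFAULT_SSID = re.compile(r"SKY\d+")  # assumption: "SKY" followed only by digits
SKY_NETGEAR_OUI = "00184D"


def normalize_mac(mac):
    """Return 12 upper-case hex digits from colon, hyphen or dotted notation."""
    digits = re.sub(r"[\s:.\-]", "", mac).upper()
    if not re.fullmatch(r"[0-9A-F]{12}", digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits


def audit(ssid, mac, wpa_key_changed, admin_login_changed):
    """List the default settings that still need changing on your own router."""
    findings = []
    sky_hw = normalize_mac(mac).startswith(SKY_NETGEAR_OUI)
    default_ssid = DEFAULT_SSID.fullmatch(ssid.strip()) is not None
    if default_ssid:
        findings.append("SSID still matches the SKYnnnnn default: rename it")
    if not wpa_key_changed:
        if sky_hw or default_ssid:
            # Per the article, the default key can be worked out from the MAC.
            findings.append("default WPA key is derivable from the MAC: set a new passphrase")
        else:
            findings.append("WPA key unchanged from default: set a new passphrase")
    if not admin_login_changed:
        findings.append("router admin username/password unchanged: change them")
    return findings


if __name__ == "__main__":
    # Constructed sample values, not taken from a real router.
    for line in audit("SKY45678", "00:18:4d:aa:bb:cc", False, False):
        print("-", line)
```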

Hopefully you’ve found this useful. I am amazed that Sky have been so stupid in using such a weak MAC address/WPA key algorithm, but at least by removing their dodgy firmware you can go some way to removing yourself from the security vulnerability of having anyone access your wifi network!

 

Disclaimer: Any info provided here is for research purposes only, and should not be used to aid in hacking your neighbour’s (or anyone’s) wifi router. Additionally, if you happen to brick your router in attempting the upgrade, it’s not my fault and I probably can’t help you fix it, but at least you have the recovery tool already downloaded. Additionally, it’s against the Sky T&Cs to reflash the firmware and you apparently risk getting booted off Sky Broadband. You have been warned.