Major Security Holes Found at the Big Six UK Home Broadband ISPs

Wednesday, Dec 2nd, 2015 (11:41 am)

A new report from security consultant Paul Moore has revealed that many of the United Kingdom’s major broadband ISPs, including BT, PlusNet, EE, Virgin Media, Sky Broadband and TalkTalk, have significant vulnerabilities in their systems that could be exploited by hackers. But some, such as EE and TalkTalk, did far worse than others.

The audit used publicly available information and examined a number of different areas, albeit largely focused upon the email platform, website servers, HTML forms etc. used by all of the aforementioned Internet providers. Various aspects of each were then scored on their support for specific security features (or lack thereof) and a result returned.

Overall the ISPs passed 87 of the checks, but there were 22 warnings and 84 failures in good security practice. However, the only ISP to record a “critical issue” out of the group was TalkTalk, which had left itself exposed to a Database Credential Leak (the related database is now offline), which is hardly a surprise given their recent hacking scandal (here and here).

In terms of “serious issues”, just one problem was found on Sky Broadband, while both EE and PlusNet were exposed to two issues and once again TalkTalk topped the table with a total of four serious issues to its name. Happily both BT and Virgin Media escaped without any serious problems, although Paul Moore’s checking won’t pick up everything.

Brief Summary of the Serious Issues

Plusnet
* Cross Site Request Forgery / My Account
* RFC 2142 / Obtained Genuine TLS Certificate

EE
* Cross Site Request Forgery / My Account
* RFC 2142 / Obtained Genuine TLS Certificate

TalkTalk
* TalkTalk Firmware update pages serve malware
* Webmail credentials sent over HTTP post-breach
* Account credentials sent over HTTP post-breach
* Lied about periodicity of Information Commissioner’s Office auditing

Sky
* Cross Site Request Forgery / My Account

Overall, the best of the big six for security were BT (1st) and PlusNet (2nd), which Moore praised for being quick to respond to his initial email(s) and detailed in their updates. “I remain thoroughly impressed by their professional and remarkably candid approach and wouldn’t hesitate using either service in future,” said Moore.

Similarly Sky Broadband, which came 3rd, also garnered praise for their quick response to the issue(s) raised and then making “significant improvements to their TLS deployment.” Sadly the results for the bottom three providers weren’t so good.

Summary of Paul Moore’s Comments

EE

Just a few days after my initial email, EE arranged a conference call to discuss the issues. Less than a week later, EE forwarded a detailed spreadsheet which outlined how they intended to mitigate many of the issues raised. EE have since commissioned a source-code review.

EE have not taken any mitigative action with reference to the CSRF exploit thus far, pending the results of a source audit. There has been little/no immediate improvement with reference to their poor Qualys scores, despite an estimated fix being just weeks away.

Unfortunately, EE have one of the weakest overall deployments, saved only by their willingness to discuss these issues so candidly.

Virgin Media

Having been a Virgin Media customer for well over a decade, I’m acutely aware that trying to engage in any security-related discussion is virtually impossible, the sole exception being a SuperHub 2 vulnerability last year.

Unfortunately, Virgin Media did not reply to numerous requests for comment. However, the results of this audit haven’t given any immediate cause for concern.

TalkTalk

Unfortunately, TalkTalk operate in a bubble of blissful ignorance. Their utterly shambolic approach to security, combined with a proclivity to make wild & demonstrably fallacious claims, places TalkTalk firmly in last place during this audit.

A related report over at the BBC also includes a response from TalkTalk, which now claims to be integrating Paul Moore’s comments into their on-going security improvements. “We constantly run vulnerability checks using industry-standard third party tools. The vulnerability exploited by the hackers was not picked up by this testing, and if it had been, we would clearly have acted on that information straight-away to secure our system,” said a spokesperson for the ISP.

The full report can be read online (here) and hopefully more ISPs will take notice of the issues raised, particularly since consumers are now paying closer attention to matters of security in the wake of TalkTalk’s hack. Hopefully in the future Paul Moore may be able to expand his checking to other providers, such as Vodafone, KC, Zen Internet and so forth.

It’s also important to point out that nearly all of the problems identified by Moore are now being actively examined and hopefully fixed by the various providers.

By Mark Jackson
Mark is a professional technology writer, IT consultant and computer engineer from Dorset (England). He also founded ISPreview in 1999 and enjoys analysing the latest telecoms and broadband developments.