Major Security Holes Found at the Big Six UK Home Broadband ISPs

Wednesday, December 2nd, 2015 (11:41 am)

A new report from security consultant Paul Moore has revealed that many of the United Kingdom’s major broadband ISPs, including BT, PlusNet, EE, Virgin Media, Sky Broadband and TalkTalk, have significant vulnerabilities in their systems that could be exploited by hackers. But some, such as EE and TalkTalk, did far worse than others.

The audit used publicly available information and examined a number of different areas, largely focused on the email platforms, web servers and HTML forms used by the aforementioned providers. Each was scored for its support (or lack) of various security features and a result returned.

Overall the ISPs passed 87 of the checks, but there were 22 warnings and 84 failures in good security practice. However the only ISP to record a “critical issue” out of the group was TalkTalk, which had left itself exposed to a Database Credential Leak (the related database is now offline), which is hardly a surprise given their recent hacking scandal (here and here).

In terms of “serious issues”, just one problem was found on Sky Broadband, while both EE and PlusNet were exposed to two issues and once again TalkTalk topped the table with a total of four serious issues to its name. Happily both BT and Virgin Media escaped without any serious problems, although Paul Moore’s checking won’t pick up everything.

Brief Summary of the Serious Issues

Plusnet
* Cross Site Request Forgery / My Account
* RFC 2142 / Obtained Genuine TLS Certificate

EE
* Cross Site Request Forgery / My Account
* RFC 2142 / Obtained Genuine TLS Certificate

TalkTalk
* TalkTalk Firmware update pages serve malware
* Webmail credentials sent over HTTP post-breach
* Account credentials sent over HTTP post-breach
* Lied about periodicity of Information Commissioner’s Office auditing

Sky
* Cross Site Request Forgery / My Account
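Three of the four providers with serious findings share the “Cross Site Request Forgery / My Account” entry. The following is an added example (not code from Paul Moore’s report or from any of the ISPs) showing why such a page is exploitable and how a synchronizer token stops it: a customer who is logged in visits an attacker’s page, which auto-submits a hidden form to the account site; the browser attaches the customer’s session cookie, so a handler that only checks the cookie performs the change. The session store, the change_email handlers, the form id and the sample accounts are all assumptions made for the demonstration.

```python
"""Added example: CSRF on an account page, vulnerable handler beside the fix.
Sessions, accounts and the form id are constructed for the demonstration."""
from __future__ import annotations

import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

# Server-side signing key.  A real deployment loads this from configuration;
# generating it per process (as here) is only for the stand-alone example.
SECRET_KEY = secrets.token_bytes(32)


@dataclass
class Session:
    """Server-side record behind a session cookie (constructed)."""
    sid: str
    user: str
    csrf_secret: str = field(default_factory=lambda: secrets.token_urlsafe(32))


def issue_csrf_token(session: Session, form_id: str) -> str:
    """Token embedded as a hidden field when the server renders a form.

    HMAC over the per-session secret and the form id: unforgeable without
    SECRET_KEY, useless under another user's session, and a token lifted from
    one form does not validate a different one."""
    msg = f"{session.sid}:{session.csrf_secret}:{form_id}".encode()
    return hmac.new(SECRET_KEY, msg, hashlib.sha256).hexdigest()


def verify_csrf_token(session: Session, form_id: str, token: str | None) -> bool:
    """Constant-time check of a submitted token against the expected one."""
    if not token:
        return False
    return hmac.compare_digest(issue_csrf_token(session, form_id), token)


def change_email_vulnerable(accounts: dict, session: Session, form: dict) -> str:
    """'Before': acts on any POST that arrives with a valid session cookie.
    A hidden form on an attacker's page targeting this URL is submitted by the
    victim's browser with the victim's cookie attached, so it succeeds."""
    accounts[session.user]["email"] = form["email"]
    return "updated"


def change_email_hardened(accounts: dict, session: Session, form: dict) -> str:
    """'After': same handler, but the synchronizer token is required first.
    The attacker's page cannot read the token out of the victim's form
    (same-origin policy), so the forged request fails before any state changes."""
    if not verify_csrf_token(session, "change_email", form.get("csrf_token")):
        return "rejected"
    accounts[session.user]["email"] = form["email"]
    return "updated"


def demo() -> dict:
    """Replay a cross-site forgery against both handlers; return the outcomes."""
    accounts = {"victim": {"email": "victim@example.net"},        # constructed data
                "attacker": {"email": "mallory@example.org"}}
    victim = Session(sid="s-victim", user="victim")
    attacker = Session(sid="s-attacker", user="attacker")
    results = {}

    # 1. Forged POST from the attacker's page: the body is the attacker's,
    #    the cookie (hence `victim`) is added by the browser, no token present.
    forged = {"email": "mallory@example.org"}
    results["vulnerable_forged"] = change_email_vulnerable(accounts, victim, forged)
    accounts["victim"]["email"] = "victim@example.net"            # undo for the next run
    results["hardened_forged"] = change_email_hardened(accounts, victim, forged)

    # 2. A token the attacker obtained from his own logged-in session is
    #    bound to that session and does not validate for the victim.
    borrowed = dict(forged, csrf_token=issue_csrf_token(attacker, "change_email"))
    results["hardened_other_session"] = change_email_hardened(accounts, victim, borrowed)

    # 3. Legitimate flow: server renders the form with a token, victim submits it.
    legit = {"email": "new@example.net",
             "csrf_token": issue_csrf_token(victim, "change_email")}
    results["hardened_legit"] = change_email_hardened(accounts, victim, legit)
    results["final_email"] = accounts["victim"]["email"]
    return results


if __name__ == "__main__":
    for check, outcome in demo().items():
        print(f"{check}: {outcome}")
```

The token is bound to the session and to the form, compared in constant time, and the attacker cannot obtain one because his page cannot read the victim’s response under the same-origin policy. The SameSite cookie attribute, which browsers introduced after this report, is a useful second layer but not a substitute for the token on state-changing requests.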

Overall the best of the big six for security were BT (1st) and PlusNet (2nd), which Moore praised for being quick to respond to his initial email(s) and detailed in their updates. “I remain thoroughly impressed by their professional and remarkably candid approach and wouldn’t hesitate using either service in future,” said Moore.

Similarly Sky Broadband, which came 3rd, also garnered praise for their quick response to the issue(s) raised and then making “significant improvements to their TLS deployment.” Sadly the results for the bottom three providers weren’t so good.
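The “RFC 2142 / Obtained Genuine TLS Certificate” entries for Plusnet and EE are not explained on this page. RFC 2142 reserves mailbox names such as postmaster@, hostmaster@, webmaster@ and abuse@ for the operator of a domain, and certificate authorities accept mail to a small set of constructed addresses (admin@, administrator@, webmaster@, hostmaster@, postmaster@ under the CA/Browser Forum Baseline Requirements) as proof of domain control before issuing a domain-validated certificate. The finding title therefore reads as a webmail service that let an ordinary customer register one of those names on the ISP’s own domain; that reading is an inference from the title rather than something stated here. The following is an added example (not code from the report or from any ISP) of the check a mailbox-provisioning system should run before honouring a requested name; the function names and sample requests are assumptions.

```python
"""Added example: reject mailbox names a customer could use to obtain a
certificate for the provider's domain.  Function names and sample requests
are constructed for the demonstration."""
from __future__ import annotations

import re

# RFC 2142 sections 2-4: well-known role mailboxes for business, network
# operations and specific services.
RFC2142_NAMES = frozenset({
    "info", "marketing", "sales", "support",            # business
    "abuse", "noc", "security",                          # network operations
    "postmaster", "hostmaster", "usenet", "news",        # per-service roles
    "webmaster", "www", "uucp", "ftp",
})

# Constructed addresses a CA may mail to prove domain control before issuing
# a domain-validated certificate (CA/Browser Forum Baseline Requirements).
CA_VALIDATION_NAMES = frozenset({
    "admin", "administrator", "webmaster", "hostmaster", "postmaster",
})

LOCALPART_RE = re.compile(r"[a-z0-9][a-z0-9._-]{0,63}")


def canonical_localpart(requested: str) -> str:
    """Normalise a requested name the way the mail system will before delivery:
    case-fold, drop any '+tag' sub-address, strip surrounding whitespace and dots.
    Comparing this form stops 'PostMaster' or 'hostmaster+x' passing a naive match.
    If the mail platform applies further aliasing (e.g. ignoring dots), mirror
    that here too."""
    local = requested.strip().casefold()
    local = local.split("+", 1)[0]
    return local.strip(".")


def vet_mailbox_request(requested: str) -> tuple[bool, str]:
    """Return (allowed, reason) for a customer-chosen webmail name."""
    canon = canonical_localpart(requested)
    if not LOCALPART_RE.fullmatch(canon):
        return False, "invalid characters or length"
    if canon in RFC2142_NAMES:
        return False, f"'{canon}' is an RFC 2142 role mailbox"
    if canon in CA_VALIDATION_NAMES:
        return False, f"'{canon}' receives CA domain-validation mail"
    return True, "ok"


if __name__ == "__main__":
    # Constructed signup attempts, including the evasions the canonical form catches.
    for name in ["paul.moore", "hostmaster", "PostMaster", "Admin+certs", "abuse", "alice@x"]:
        allowed, reason = vet_mailbox_request(name)
        print(f"{name!r:16} -> {'allow' if allowed else 'deny'} ({reason})")
```

Normalising before comparison matters because the mail system, not the signup form, decides where “PostMaster” or “hostmaster+x” is delivered; the reserved set should live in one place and be shared with any bulk or legacy provisioning path, otherwise a second route to the same namespace reopens the hole.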

Summary of Paul Moore’s Comments

EE

Just a few days after my initial email, EE arranged a conference call to discuss the issues. Less than a week later, EE forwarded a detailed spreadsheet which outlined how they intended to mitigate many of the issues raised. EE have since commissioned a source-code review.

EE have not taken any mitigative action with reference to the CSRF exploit thus far, pending the results of a source audit. There has been little/no immediate improvement with reference to their poor Qualys scores, despite an estimated fix being just weeks away.

Unfortunately, EE have one of the weakest overall deployments, saved only by their willingness to discuss these issues so candidly.

Virgin Media

Having been a Virgin Media customer for well over a decade, I’m acutely aware that trying to engage in any security-related discussion is virtually impossible, the sole exception being a SuperHub 2 vulnerability last year.

Unfortunately, Virgin Media did not reply to numerous requests for comment. However, the results of this audit haven’t given any immediate cause for concern.

TalkTalk

Unfortunately, TalkTalk operate in a bubble of blissful ignorance. Their utterly shambolic approach to security, combined with a proclivity to make wild & demonstrably fallacious claims, places TalkTalk firmly in last place during this audit.

A related report over at the BBC also includes a response from TalkTalk, which now claims to be integrating Paul Moore’s comments into their on-going security improvements. “We constantly run vulnerability checks using industry-standard third party tools. The vulnerability exploited by the hackers was not picked up by this testing, and if it had been, we would clearly have acted on that information straight-away to secure our system,” said a spokesperson for the ISP.

The full report can be read online (here) and hopefully more ISPs will take notice of the issues raised, particularly since consumers are now paying closer attention to matters of security in the wake of TalkTalk’s hack. Hopefully in the future Paul Moore may be able to expand his checking to other providers, such as Vodafone, KC, Zen Internet and so forth.

It’s also important to point out that nearly all of the problems identified by Moore are now being actively examined and hopefully fixed by the various providers.

By Mark Jackson
Mark is a professional technology writer, IT consultant and computer engineer from Dorset (England); he also founded ISPreview in 1999 and enjoys analysing the latest telecoms and broadband developments. Find me on Twitter, Facebook and Linkedin.
2 Responses
  1. Steve Jones says:

    Given that TalkTalk’s site was compromised by an SQL injection attack, which is down at the kiddie level of vulnerabilities, it is hardly surprising.

    Competent systems houses have design rules and security auditing processes to minimise exposures, especially to known vulnerabilities. In addition, robust systems for public access have very tight boundaries (and controlled interfaces) between the strictly front-end systems and back-end databases. Good systems have tightly controlled transactional interfaces between front and back ends and it’s unforgivable to allow front ends to have arbitrary database access capabilities.

    Design rules and auditing processes don’t pick up everything, but if it isn’t drilled into the very soul of developers (or gets overruled by management for reasons of speed or cost) then we get the sort of debacle that TalkTalk suffered (not that they are alone in this of course – plenty of other big names have been caught out).

  2. Tom says:

    ” * TalkTalk Firmware update pages serve malware”
    This looks more like a false positive by Google and CleanMX who detect “AutoIT” (a macro recording and playback tool often used to automate tasks).

    Certainly didn’t try to serve me any malware when I went through the same steps and ignored the Firefox warning. (Although Firefox did warn me that the page was reported as a potential issue – probably using the google safe browsing database too, I expect).
