Virgin Media are one of the UK’s largest Internet Service Providers (ISP), with over 5 million broadband subscribers.

Yesterday, a concerned Virgin Media customer forwarded me an email they’d received:

The email – which was addressed to the customer by name, and included their name and IP address – had genuinely originated from Virgin Media. It stated that a device on the customer’s home network “might have a vulnerability that puts it at risk of being hacked”. The customer was naturally concerned about this and reached out to me.

The vulnerability the email referred to was “POODLE”, which first came to prominence back in October 2014.

In simple terms, the POODLE vulnerability can allow an attacker who already controls the router or hotspot that your computer, laptop, tablet or mobile is connected to, to force your web browser to “downgrade” an https connection to an older, less secure protocol version, which the attacker can then exploit to hijack your browser sessions.

Most web servers on the internet have long since been “patched” against the POODLE vulnerability, and if you primarily browse the web from home, don’t use public hotspots, and your web browser is up-to-date, the potential for damage is very low. Nonetheless, Virgin Media felt it necessary to notify this customer that a device on their home network was susceptible, and directed the customer to a page on their website with more information.

So was there a vulnerable device on the customer’s home network?

Working with the customer, I was able to determine that port 443 (used for https) was open on their home router, which in turn was port forwarding to a small Windows Home Server residing within their network. It was this server that Virgin Media had detected. As external https access to this server was not required, simply closing port 443 on the router resolved the issue.

How did Virgin Media know there was a vulnerable device on the customer’s home network in the first place?

Virgin Media would only have known about this vulnerability if their customers’ home networks were being actively scanned or “probed”, a technique often referred to as “port scanning”. Port scanning is when attempts are made to connect to an IP address via a number of different “ports” in order to determine which ports are open, and therefore which will potentially allow external connections through.

“Ports” allow multiple services to run through the same IP address. For example, when you connect to a website via http, you’re connecting to the server hosting the site over port 80. When you connect to the same website over https, you’re connecting instead over port 443. Other services running on the same server, such as SMTP, IMAP, FTP, etc., may also be connected to through the same IP address, but by connecting to a different port for each service.
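To make the port and service explanation above concrete, here is an added example written for this page; it is not code from the original post and not anything Virgin Media runs. It is a small Python TCP port check a home user can run from inside their own network against the router’s LAN address (or their own public IP) to see which of the well-known ports answer, and to confirm that a port such as 443 really is closed after changing a port-forwarding rule. So that it runs offline, the demo starts a throwaway listener on the loopback interface to stand in for the Windows Home Server; the host and port values are assumptions.

```python
import socket

# Service names the article mentions, keyed by their well-known port.
WELL_KNOWN = {21: "ftp", 25: "smtp", 80: "http", 143: "imap", 443: "https"}


def port_is_open(host, port, timeout=1.0):
    """Return True if a TCP connection to host:port completes.

    connect_ex returns 0 on success and an errno otherwise, so a closed or
    filtered port never raises; it simply reports non-zero (or times out).
    """
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        return s.connect_ex((host, port)) == 0


def open_ports(host, ports, timeout=1.0):
    """Probe each port in turn and return the sorted list of the ones that answer."""
    return sorted(p for p in ports if port_is_open(host, p, timeout))


def describe(host, ports):
    """Human-readable report of which ports answer and what service they usually carry."""
    return [f"{host}:{p} open ({WELL_KNOWN.get(p, 'unknown service')})"
            for p in open_ports(host, ports)]


def start_listener(host="127.0.0.1", port=0):
    """Start a throwaway TCP listener (stand-in for the server found on port 443).

    Returns (socket, bound_port); port=0 asks the OS for any free port.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((host, port))
    srv.listen(5)
    return srv, srv.getsockname()[1]


if __name__ == "__main__":
    # Offline demo against loopback: one port we know is open, one we expect closed.
    srv, bound = start_listener()
    try:
        print(describe("127.0.0.1", [bound, 443]))
    finally:
        srv.close()
    # Against your own router from inside the network (address is an assumption):
    # print(describe("192.168.0.1", sorted(WELL_KNOWN)))
```

Run it against the router’s LAN address before and after removing the port-forwarding rule: if 443 still appears in the output after the change, the rule has not taken effect.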

Regardless of their intent, the port scans carried out by or on behalf of Virgin Media are an intrusion into their customers’ home networks, carried out without the customers’ prior knowledge or consent. There is no mention in their Privacy Policy that Virgin Media reserve the right to “scan” their customers’ networks and store details of devices found.

The help page that Virgin Media direct scanned customers to also contains some revealing and some misleading information.

Firstly, the misleading information…

In the “How do I check if I’m vulnerable?” section, Virgin Media advise you to visit a third-party site, poodletest.com, in each web browser on every computer on your home network to determine whether you’re vulnerable to POODLE.

This will be of little help! The issue that Virgin Media have detected on your network will not be due to a web browser on your network per se – it will be due to a device (such as a server or NAS, etc.) that listens for connections on port 443. Therefore, you could get a “not vulnerable” response from poodletest.com in all your browsers, as this site only checks your web browser, not your actual IP address and the devices on your network.
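The point above (a browser test cannot tell you whether a device on your network still accepts the old protocol on port 443) and the downgrade description earlier in the post can be checked directly against the device itself. The following Python is an added example, not code from the post, from Virgin Media or from poodletest.com: it builds a minimal SSL 3.0 ClientHello, sends it to a host you own, and classifies the first record that comes back. A ServerHello with version 0x0300 means the device still negotiates SSL 3.0, the protocol version POODLE targets, and is exactly what an ISP scan would flag; an alert means the device refused the downgrade. The sample replies are constructed inline so the classifier can be exercised offline, and the address in the usage comment is an assumption.

```python
import socket
import struct

SSL3 = 0x0300  # the protocol version POODLE targets
VERSION_NAMES = {0x0300: "SSLv3", 0x0301: "TLS 1.0", 0x0302: "TLS 1.1", 0x0303: "TLS 1.2"}
# Two CBC cipher suites any SSLv3-era server recognises (POODLE is a CBC padding flaw).
CIPHER_SUITES = b"\x00\x2f" + b"\x00\x0a"  # TLS_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_3DES_EDE_CBC_SHA


def build_sslv3_client_hello():
    """Return one record (type 0x16, version 3.0) carrying a minimal SSLv3 ClientHello."""
    body = (
        struct.pack("!H", SSL3)                                # client_version = 3.0
        + b"\x00" * 32                                         # client_random: zeros, this is a probe
        + b"\x00"                                              # session_id length = 0
        + struct.pack("!H", len(CIPHER_SUITES)) + CIPHER_SUITES
        + b"\x01\x00"                                          # one compression method: null
    )
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body  # type 1 = ClientHello, 24-bit length
    return b"\x16" + struct.pack("!H", SSL3) + struct.pack("!H", len(handshake)) + handshake


def classify_response(data):
    """Interpret the first record a server sends back to the SSLv3 ClientHello.

    Returns (verdict, detail) where verdict is "sslv3-accepted", "refused" or "unknown".
    """
    if len(data) < 5:
        return ("unknown", "short or empty reply (not an SSL/TLS service, or it closed the connection)")
    content_type = data[0]
    if content_type == 0x15:  # alert record: the server declined to negotiate
        return ("refused", "server answered with an alert instead of a ServerHello")
    if content_type == 0x16 and len(data) >= 11 and data[5] == 0x02:  # handshake record, ServerHello
        chosen = struct.unpack("!H", data[9:11])[0]  # server_version follows the 4-byte handshake header
        if chosen == SSL3:
            return ("sslv3-accepted", "server negotiated SSLv3: this device is what a POODLE scan flags")
        return ("refused", f"server chose {VERSION_NAMES.get(chosen, hex(chosen))}")
    return ("unknown", f"unexpected record type {content_type:#x}")


def check_host(host, port=443, timeout=5.0):
    """Connect to host:port, send the probe and classify the reply.

    Network I/O only: point it at a device you own, on its LAN address or your own public IP.
    """
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_sslv3_client_hello())
        try:
            reply = s.recv(4096)
        except socket.timeout:
            reply = b""
    return classify_response(reply)


# Constructed sample replies so the classifier can be exercised offline.
# A ServerHello whose server_version is 3.0, i.e. what an unpatched device would send back:
SAMPLE_SSLV3_SERVER_HELLO = (
    b"\x16\x03\x00\x00\x2a"   # record: handshake, version 3.0, 42 bytes follow
    + b"\x02\x00\x00\x26"     # ServerHello, 38-byte body
    + b"\x03\x00"             # server_version = 3.0
    + b"\x11" * 32            # server_random (constructed)
    + b"\x00"                 # session_id length 0
    + b"\x00\x2f"             # chosen cipher suite
    + b"\x00"                 # null compression
)
# A fatal protocol_version alert (code 70), the usual answer from a server with SSLv3 disabled:
SAMPLE_PROTOCOL_VERSION_ALERT = b"\x15\x03\x01\x00\x02\x02\x46"

if __name__ == "__main__":
    for name, sample in (("unpatched device", SAMPLE_SSLV3_SERVER_HELLO),
                         ("patched device", SAMPLE_PROTOCOL_VERSION_ALERT)):
        print(name, "->", classify_response(sample))
    # Live check against a device you own (address is an assumption):
    # print(check_host("192.168.0.10"))
```

The verdict only reflects whether the device agrees to speak SSL 3.0; that is the condition the ISP's scan is looking for, and disabling SSL 3.0 on the device (or, as in this case, not exposing port 443 at all) is what changes it.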

Secondly, the revealing information….

Virgin Media’s article contains a number of statements that would concern a regular customer who perhaps isn’t all that tech-savvy. Statements like:

“a 3rd party can use this … to access personal and financial data being sent from your network/devices”

“…appear to be compromised…”

“If the vulnerability is not rectified, your personal and financial information could be at risk”

Scary stuff to the average customer! The article subsequently provides detailed and lengthy steps for how to upgrade just about every web browser on just about every device – again, information that may go over the head of the average customer, and even if they did follow all the steps outlined it would not resolve the issue anyway, as the issue is not with the customer’s web browser(s).

So, having scared the customer with worrying statements, and provided long and detailed instructions which would ultimately not resolve the root cause of the issue, what do Virgin Media suggest the customer does? They suggest the customer uses their chargeable “Gadget Rescue service” to “help secure your home devices”. A service which costs “£5 a month for six months”, or “You can get a one-off fix for only £35”.

Another interesting point in the case of this particular customer is that Virgin Media detected the “vulnerability” on 11th February, yet waited a whole TWO WEEKS before notifying the customer by email! If this was such a serious security concern for Virgin Media that needed urgently addressing, why the significant delay in sending a notification via email? It appears the “two-week delay” for this customer isn’t an isolated incident – the same delay has also been experienced by other customers, according to VM’s own community forums.

In summary…

Virgin Media scanned and intruded into a customer’s home network

Virgin Media waited 14 days before notifying the customer

The “self-help” steps provided to the customer by Virgin Media would not have resolved the issue