What is going on with TR-069 and Virgin Media routers?

The Virgin Media Hub3, probably the most infamous ISP-provided router ever.
Telegram notification from Shodan.io for detecting a new service open on a monitored IP address
nmap -v 81.xx.xx.x -p 7547
Starting Nmap 7.91 ( https://nmap.org ) at 2020-11-01 08:40 GMT Standard Time
Initiating Ping Scan at 08:40
Scanning 81.96.65.9 [4 ports]
Completed Ping Scan at 08:40, 0.13s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 08:40
Completed Parallel DNS resolution of 1 host. at 08:40, 0.00s elapsed
Initiating SYN Stealth Scan at 08:40
Scanning cpcxxxxxx-xxxxxx-2-0-custxxxx.cable.virginm.net (81.xx.xx.x) [1 port]
Discovered open port 7547/tcp on 81.xx.xx.x
Completed SYN Stealth Scan at 08:40, 0.03s elapsed (1 total ports)
Nmap scan report for cpcxxxxxx-xxxxxx-2-0-custxxxx.cable.virginm.net (81.xx.xx.x)
Host is up (0.034s latency).
PORT STATE SERVICE
7547/tcp open cwmp
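The "new service" check that Shodan's monitor raised here can also be run locally against your own address by diffing two nmap scans. The following is an added example, not code from the original post; it assumes scans saved in nmap's grepable format (-oG), and the sample data, the 203.0.113.10 documentation address and all function names are constructed for illustration.

```python
"""Diff two nmap grepable (-oG) scans and report newly opened services."""

# Ports worth an immediate look when they appear on a WAN address.
# 7547/tcp is the TR-069 (CWMP) management port discussed in the post.
WATCHED = {7547: "TR-069 / CWMP remote management"}

# Constructed sample scans of a documentation address (203.0.113.10)
# standing in for your own WAN IP; not data from the original post.
BASELINE = (
    "Host: 203.0.113.10 (wan.example.net)\tStatus: Up\n"
    "Host: 203.0.113.10 (wan.example.net)\tPorts: 80/closed/tcp//http///, "
    "443/closed/tcp//https///, 7547/closed/tcp//cwmp///\n"
)
CURRENT = BASELINE.replace("7547/closed", "7547/open")


def open_services(grepable):
    """Return {(host, port, proto, service)} for every port in state 'open'."""
    found = set()
    for line in grepable.splitlines():
        if not line.startswith("Host:") or "\tPorts:" not in line:
            continue  # comments and "Status:" lines carry no port data
        host = line.split()[1]
        # The Ports field ends at the next tab (e.g. before "Ignored State:").
        ports = line.split("\tPorts:", 1)[1].split("\t", 1)[0]
        for entry in ports.split(","):
            # Each entry: port/state/protocol/owner/service/rpcinfo/version/
            fields = entry.strip().split("/")
            if len(fields) >= 5 and fields[0].isdigit() and fields[1] == "open":
                found.add((host, int(fields[0]), fields[2], fields[4]))
    return found


def new_services(baseline, current):
    """Services open now that were not open in the baseline scan."""
    return sorted(open_services(current) - open_services(baseline))


def report(baseline, current):
    """One alert line per new service, tagging watched management ports."""
    lines = []
    for host, port, proto, service in new_services(baseline, current):
        note = WATCHED.get(port, "unexpected service")
        lines.append(f"new_service {host} {port}/{proto} ({service}): {note}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(BASELINE, CURRENT)) or "no new services")
```

To use it on real data, save a scan of your own address with nmap's -oG option before and after a suspected change and pass the two files' contents to report().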

Looking through the window with Shodan

https://beta.shodan.io/search?query=org%3A%22Virgin+Media%22+port%3A%227547%22
  • org — Virgin Media
  • port — 7547
Shodan search results for TCP 7547 being open on Virgin Media IP addresses (22nd October)
Shodan search results for TCP 7547 being open on Virgin Media IP addresses (24th October)
TR-069 being open on Virgin Media IP addresses surpassed 1 million entries in Shodan
  1. It seems a network-wide change had recently occurred on or before 21st October 2020. When I first started looking, the results were over 200,000, so it’s possible Shodan had started seeing TCP 7547 open on Virgin Media IPs a little before this date. Equally, Shodan is not real-time data, so there may have been a delay in crawling the Virgin Media IP that tipped me off to this.
  2. This seems to be something new, as seen by the very sudden increase in hosts that Shodan has been tracking. If this was always happening, you’d have thought Shodan would have a significantly higher results count from the start in its index.
  3. The port is open for a significant number of Virgin Media IP addresses, but it doesn’t seem to be the case for every Virgin Media customer. I can personally confirm this, because my mother is also a Virgin Media customer for broadband and we are in the same area reference; her IP address does not show TCP 7547 open. Equally, my own IP doesn’t show it either, but I use modem mode, so the Virgin Media router is not doing NAT, therefore it cannot expose this port externally. It is worth noting, however, that Virgin Media can still get to any modem in modem mode, using their management network side, at any time regardless.
  4. It’s also possible that a further requirement would be to have the Virgin Media provided router in router mode, rather than modem mode, for this port to be open, so the portion of customers in modem mode will likely not see this behaviour ever.
  5. While the majority of the IP addresses appear under Virgin Media, there are also entries for Virgin Media Ireland and Virgin Media Business, two subsidiaries of Virgin Media, with much lower returned results. The majority are coming from Virgin Media UK IP addresses it would seem.

What does Virgin Media say on the matter?

Is there a security issue?

Summary of events

  • 6th October — My Virgin Media Dynamic IPv4 address changes (Had it for about a year).
  • 21st October — Shodan IP monitor new_service trigger for the previous Virgin Media IP I had sends an alert, as I hadn’t updated the monitor (Shodan only supports raw IPv4, not DDNS names). Shodan reports TCP 7547 as open on this IP. Confirmed with nmap. I built a query in Shodan to look at the wider picture on the Virgin Media network, 235,000 results indexed at that time.
  • 22nd October — Performed the same query again, now over 400,000 results.
  • 24th October — Performed the same query again, now nearing 800,000 results. Contacted ISPreview with findings.
  • 30th October — Performed the same query again, now over 1 million results. ISPreview receive a response from Virgin Media on the situation with TR-069, state it’s normal but they’ve implemented an “additional layer of security” based on the information.
  • 1st November — ISPreview publish their news story. Currently showing over 1.7 million results and still increasing. I publish my findings publicly following the ISPreview article.
