TR-069 is a common protocol used by a variety of Internet Service Providers and network device manufactures for remote administration of network equipment such as switches and routers, so firmware or configuration updates can be pushed on a large scale basis. In the past there have been notable exploits and attacks leveraging TR-069, mainly on consumer routers.
An interesting event occurred, which led me down a bit of a rabbit hole on what looks like a recent change made by Virgin Media in their network, exposed by Shodan.io.
I use Shodan with a paid plan along with it’s IP monitoring service to track various IP addresses that I have to keep an eye on things, on 21st October I got a notification from Shodan, saying an IP address I have monitored suddenly showed TCP 7547 open on a Virgin Media UK IP address.
This was in fact a previous Virgin Media IP address I had, because not long before this, Virgin Media seemed to have performed some network segmentation changes as my IP address changed on 6th October, so this IP was no longer allocated to me, but the monitor was still active. For those who don’t know, Virgin Media’s UK residential broadband service only offer a dynamic IPv4 address through DHCP, so this can happen from time to time but mostly, their IPs are seen as “sticky”, they can change, but more often than not, they won’t.
Despite this not being my IP address anymore, I was intrigued because I had personally never seen TCP 7547 (TR-069/CWMP) wide open on a Virgin Media router before. I knew they used TR-069 like most ISPs though. Using nmap, I confirmed what Shodan was telling me to be correct.
nmap -v 81.xx.xx.x -p 7547
Starting Nmap 7.91 ( https://nmap.org ) at 2020-11-01 08:40 GMT Standard Time
Initiating Ping Scan at 08:40
Scanning 18.104.22.168 [4 ports]
Completed Ping Scan at 08:40, 0.13s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 08:40
Completed Parallel DNS resolution of 1 host. at 08:40, 0.00s elapsed
Initiating SYN Stealth Scan at 08:40
Scanning cpcxxxxxx-xxxxxx-2-0-custxxxx.cable.virginm.net (81.xx.xx.x) [1 port]
Discovered open port 7547/tcp on 81.xx.xx.x
Completed SYN Stealth Scan at 08:40, 0.03s elapsed (1 total ports)
Nmap scan report for cpcxxxxxx-xxxxxx-2-0-custxxxx.cable.virginm.nett (81.xx.xx.x)
Host is up (0.034s latency).PORT STATE SERVICE
7547/tcp open cwmp
I have obscured the IP address and reverse DNS info, due to this being a Virgin Media IP address of a random customer. We don’t need to paint targets for the innocent. For bonus credit, here’s an explanation of the reverse DNS format Virgin Media use and what the naming convention relates to.
I can see TCP 7547 is indeed open. Because I am Virgin Media customer as well, I figured it might be only showing open within Virgin Media’s own IP ranges, so I tried querying with nmap using another independent network and it still shows as open too, so the port seems completely open to any host on the wider internet.
Looking through the window with Shodan
Because I have access to a paid plan with Shodan I’m able to perform queries for various ports, services and other criteria without limitations on their free or public access offer. I decided to query TCP 7547 in relation to Virgin Media. This is the query I used:
Breaking it down, I used a couple of parameters:
org— Virgin Media
The organisation is tied to the IP who.is data and the port being the specific service we are interested in.
Unfortunately, for those who don’t have a paid plan, you may not be able to see this information for yourself from the query URL, so I’ll provide some screenshots of the search results returned. I won’t be going too in depth with what Shodan provides. I have blurred the IP addresses returned on results, just to be safe and responsible.
When I first used the above query on 21st October, I saw around 235,000 Virgin Media IP addresses with TCP 7547 open that had been indexed by Shodan. Then the next day I saw around 421,000 entries.
24th October, the number had gone up to closer to 800,000 results.
By the end of the week on Friday 30th October, the number had exceeded 1 million IP addresses, as of 1st November, it’s now at over 1.7 million and still increasing, albeit it does seemed to have slowed down.
I don’t work for Virgin Media but a few things about this are interesting.
- It seems a network wide change had recently occurred on or before 21st October 2020. When I first started looking the results were over 200,000, so it’s possible Shodan had started seeing TCP 7547 open on Virgin Media IPs a little before this date. Equally Shodan is not real time data so there may have been delay in crawling the Virgin Media IP that tipped me off to this.
- This seems to be something new, as seen by the very sudden increase from hosts that Shodan has been tracking. If this was always happening, you’d have thought Shodan would have a significantly higher results count from the start in it’s index.
- The port is open for a significant amount of Virgin Media IP addresses, but it doesn’t seem to be the case for every Virgin Media customer. I can personally confirm this, because my mother is also a Virgin Media customer for broadband and we are in the same area reference, her IP address does not show TCP 7547 open. Equally, my own IP doesn’t show it either, but I use modem mode, so the Virgin Media router is not doing NAT, therefore it cannot expose this port externally. It is worth noting however, that Virgin Media can still get to any modem in modem mode, using their management network side at anytime regardless.
- It’s also possible that a further requirement would be to have the Virgin Media provided router in router mode, rather than modem mode for this port to be open, so the portion of customers in modem mode will likely not see this behaviour ever.
- While the majority of the IP addresses appear under Virgin Media, there are also entries for Virgin Media Ireland and Virgin Media Business, two subsidiaries of Virgin Media, with much lower returned results. The majority are coming from Virgin Media UK IP addresses it would seem.
What does Virgin Media say on the matter?
I was intrigued by all of this, because I’m that kind of nerdy person. I put out a couple of posts on some forums to see if I got any confirmations on anything recent happening. I ended up discovering a post on Virgin Media’s own community forums:
Following an earlier post on a different subject (Re: WIFI OPEN DURING START UP) The issue has not repeated but…
A Virgin Media forum moderator did formally respond and confirm TR-069 being open is expected and not an issue, but not really any clarity on why the sudden visibility of TR-069 being open to world+dog. I then decided to contact ISPreview as they often have inside channels with various ISPs to get a more comprehensive response on more technical matters.
ISPreview ended up running a small story after I flagged this to them with the details in this article:
ISP Virgin Media UK Restricting Port 7547 After Leaving it Open - ISPreview UK
Nothing to worry about, move along please. Cable broadband ISP Virgin Media has "taken steps to ensure is no longer…
From the conversation Mark at ISPreview had with a Virgin Media spokesperson, they said:
“We opened port 7547 for remote management using TR-069 and this was discoverable to internet users searching for it. This posed no security risk to our customers.
We have taken steps to ensure the port is no longer discoverable to provide an additional layer of security over and above the measures we already have in place.”
So Virgin Media acknowledge the port is open (although nmap and Shodan confirmed that for me already). What’s interesting is their “additional layer of security” statement. Given the port still seems to be visible to any host right now, I’m not exactly sure what that comment is referring to. I do see that from Shodan’s index data, that the response from it’s probes do seem to be returning a 401 Unauthorized response, rather than a 404 Not Found in a lot of cases compared to before, perhaps this is the change they are referring to?
Is there a security issue?
Well yes, but actually no. Just because a port is open doesn’t mean there’s immediately any danger. However, the fact a port is open, means it’s a potential window for something, if an exploit or even user credentials are leaked. I’m not an ISP or network engineer at Virgin Media, so I can’t possibly comment on the reasons for this recent change, but I’m struggling to see a reason why TCP 7547 needs to even be open to any host. Surely, this can be restricted to a specific set of IP addresses or ranges within Virgin Media’s management network, given that’s what TR-069 will be connected to anyway. Let’s not forget TR-069 has been exploited in the past before on a wide scale, leveraging several weaknesses and chaining exploits together to create a nasty botnet. So you’ve always got to be aware any port being open to any host, is still an attack surface. Virgin Media certainly aren’t the first ISP to have TR-069 wide open however.
It remains to be seen if the number of IP addresses Shodan is seeing starts to drop. Shodan will cache results for a period of time, if TCP 7547 starts disappearing being open on Virgin Media IP addresses, it will be an indication that the port has been restricted or closed off. At the moment however, the results are still going up, so we’ll have to wait and see!
Summary of events
- 6th October — My Virgin Media Dynamic IPv4 address changes (Had it for about a year).
- 21st October — Shodan IP monitor
new_servicetrigger for the previous Virgin Media IP I had sends an alert, as I hadn’t updated the monitor (Shodan only supports raw IPv4, not DDNS names). Shodan reports TCP 7547 as open on this IP. Confirmed with nmap. I built a query in Shodan to look at the wider picture on the Virgin Media network, 235,000 results indexed at that time.
- 22nd October — Performed same query again, now over 400,000 results
- 24th October — Performed the same query again, now nearing 800,000 results. Contacted ISPreview with findings.
- 30th October —Performed the same query again, now over 1 million results. ISPreview receive a response from Virgin Media on the situation with TR-069, state it’s normal but they’ve implemented an “additional layer of security” based on the the information.
- 1st November — ISPreview publish their news story. Currently showing over 1.7 million results and still increasing. I publish my findings publicly following the ISPreview article.