A security researcher has questioned the effectiveness of TalkTalk's network-level HomeSafe security system and raised privacy concerns about how it works.
Criminals could easily serve harmless content to TalkTalk, and malicious content to everyone else, according to Richard Clayton, a security researcher based at the University of Cambridge. TalkTalk relies on a recognisable anti-malware agent to determine whether a site is malicious, which can be detected by criminals, Clayton told ZDNet UK.
"If you're a bad guy, then what you would do is arrange to alert when TalkTalk visits your site, and serve them up fluffy bunnies, and serve everyone else a drive-by," said Clayton on Wednesday.
Cybercriminals should not have much of a problem detecting TalkTalk's user agent string, Clayton wrote on the University of Cambridge computer labs security blog on Tuesday.
"The notion that it is possible for a centralised checking system — especially one that tells a remote site its identity — to determine whether sites are malicious or not [...] is problematic and I doubt that malware distributors will see this as much of a challenge," the researcher said.
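The cloaking technique Clayton describes, as an added illustration (this is example code written for this page, not TalkTalk's scanner or anything Clayton published). The scanner's real user-agent string and source addresses are not given in the article, so the marker string "HomeSafe-Scanner", the 192.0.2.0/24 range and both page bodies are constructed stand-ins. The example models an attacker's server that keys on the visitor's identity, shows why a single identifying visit sees only "fluffy bunnies", and shows the check a practitioner would want instead: fetch the same URL under several identities and compare what comes back.

```python
import hashlib
from ipaddress import ip_address, ip_network

# Constructed values for this example; the real scanner identity is not known from the page.
SCANNER_UA_MARKER = "HomeSafe-Scanner"          # hypothetical user-agent substring
SCANNER_NETWORK = ip_network("192.0.2.0/24")    # hypothetical scanner source range (TEST-NET-1)

BENIGN_PAGE = "<html><body><h1>Fluffy bunnies</h1></body></html>"
# Stand-in for a drive-by page; the script reference is a placeholder, not a real payload.
ATTACK_PAGE = '<html><body><script src="/drive-by.js"></script></body></html>'


def attacker_server(user_agent: str, client_ip: str) -> str:
    """Models the cloaking web server: a visitor that looks like the scanner
    (by user agent or by source address) gets harmless content, everyone else
    gets the attack page."""
    if SCANNER_UA_MARKER in user_agent or ip_address(client_ip) in SCANNER_NETWORK:
        return BENIGN_PAGE
    return ATTACK_PAGE


def honest_server(user_agent: str, client_ip: str) -> str:
    """A site that serves the same content to every visitor; used for contrast."""
    return BENIGN_PAGE


def naive_scanner_verdict(server) -> str:
    """A centralised checker that visits once while announcing who it is.
    It can only ever see what the site chooses to show that identity."""
    body = server(f"Mozilla/5.0 ({SCANNER_UA_MARKER}/1.0)", "192.0.2.10")
    return "malicious" if "<script" in body else "clean"


def vantage_points():
    """Identities a more careful checker cycles through: something that looks
    like an ordinary customer, the scanner's own identity, and a mixed case
    that separates user-agent cloaking from source-address cloaking."""
    return [
        ("Mozilla/5.0 (Windows NT 6.1) Firefox/4.0", "198.51.100.7"),  # looks like a customer
        (f"Mozilla/5.0 ({SCANNER_UA_MARKER}/1.0)", "192.0.2.10"),      # scanner identity
        ("Mozilla/5.0 (Windows NT 6.1) Firefox/4.0", "192.0.2.10"),    # browser UA, scanner address
    ]


def cloaking_check(server) -> dict:
    """Fetch the same URL under several identities and compare content digests.
    Different digests mean the site is serving different visitors different
    content, which is itself a strong signal; the verdict is then taken from
    the response seen by the identity that looks least like a scanner."""
    digests = {}
    for ua, ip in vantage_points():
        digests[(ua, ip)] = hashlib.sha256(server(ua, ip).encode()).hexdigest()
    customer_view = server(*vantage_points()[0])
    return {
        "cloaked": len(set(digests.values())) > 1,
        "verdict": "malicious" if "<script" in customer_view else "clean",
        "responses_seen": len(set(digests.values())),
    }


if __name__ == "__main__":
    print("naive scanner says:", naive_scanner_verdict(attacker_server))
    print("multi-identity check says:", cloaking_check(attacker_server))
    print("honest site:", cloaking_check(honest_server))
```

Against the cloaking server the single identifying visit reports "clean", while the multi-identity check reports both that the content differs by visitor and that the customer-looking identity received the attack page. Real deployments cannot fully hide a checker's source addresses from an attacker who watches who visits, which is the practical limit Clayton points at: comparing responses across identities raises the bar, but a checker that must announce itself cannot make the comparison from the position of a genuine customer.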
Clayton visited TalkTalk in January to discuss the implications of its network-level security service, which the company said is intended to block malware and other web-borne threats.
The opt-in HomeSafe system — which has parental controls as well as anti-malware features — works by scanning the URLs that customers visit and building a blocklist of malicious websites. However, while the end-user part of the service is opt-in, the company scans all web addresses that its customers visit, regardless of whether they have opted in to the service.
"Even if you haven't opted-in to the system, your URLs are still being sniffed," Clayton told ZDNet UK. "It turns the system into something that has all sorts of caveats."
TalkTalk on Wednesday confirmed that its system scans URLs, but added that the company does not keep a record of the data.
"In order for our online protection to be effective, we scan all URLs," a TalkTalk spokeswoman told ZDNet UK on Wednesday. "This is done on a completely anonymous basis and recorded in temporary memory, prior to being deleted. The system is subject to the same high level of security already applicable to the TalkTalk network and TalkTalk's customer data."
Digital rights organisation the Open Rights Group has published a legal analysis (PDF) on its website that is attributed to TalkTalk, in which the ISP says it "already scans incoming emails received on TalkTalk domains for virus and other malware". It goes on to add that the HomeSafe virus alerts system is "simply an extension of TalkTalk's existing actions to protect customers and our network from malware and viruses".
ZDNet UK's Tom Espiner contributed to this article