IT Pro is supported by its audience. When you purchase through links on our site, we may earn an affiliate commission. Learn more

EE BrightBox router could expose customer data

Blogger uncovers critical BrightBox security flaw.

EE store

EE has admitted the existence of a security hole in its BrightBox router that makes it possible for cyber attackers to discover personal information about a customer and allegedly gain control of their account.

The flaw was uncovered by blogger and programmer Scott Helme, who had just had a BrightBox installed after signing up for a broadband contract with the telco.

According to Helme, it is "incredibly easy" to access information from the box, including the hash of the device admin password and ISP user credentials, amongst others.

Helme said after an engineer installed his BrightBox, he decided to take a closer look at the traffic passing through the device.

"It became apparent that the device leaks access to all kinds of sensitive data to clients on the network and there's also the possibility to exploit this remotely," Helme claimed

He also claimed it was possible to carry out a type of attack known as a cross site request forgery and reboot the device.

Furthermore, Helme claims he initially agreed not to publish his findings until EE had issued a patch, which was due in December 2013.

"After several weeks of updating them with new findings, things started to slow down. At the time of publishing, the latest information I have is that the firmware is back in development to resolve further issues found during testing," Helme said.

"I strongly considered when to publish this blog, but after much debate, I decided it was in the interest of the public to do so, due to the lack of confidence I now have in EE," he explained.

Following the initial publication of Helme's blog, EE has publicly admitted a security hole exists in its BrightBox device.

In a statement, the company said: "We are aware of Mr Helme's article. As is the case for all home broadband customers, regardless of their provider, it is recommend they only give network access to people they trust. Customers should also be suspicious of any unsolicited emails and web pages, and keep their security software up to date.

"We treat all security matters seriously (no personal data will be compromised by the device itself), we would like to reassure customers that we are working on a service update which we plan to issue shortly, and which will remotely and automatically update customers' Brightboxes (sic) with enhanced security protection."

Featured Resources

Activation playbook: Deliver data that powers impactful, game-changing campaigns

Bringing together data and technology to drive better business outcomes

Free Download

In unpredictable times, a data strategy is key

Data processes are crucial to guide decisions and drive business growth

Free Download

Achieving resiliency with Everything-as-a-Service (XAAS)

Transforming the enterprise IT landscape

Free Download

What is contextual analytics?

Creating more customer value in HR software applications

Free Download

Recommended

IT Pro News in Review: Vulnerable Lenovo laptops, record EE 5G speeds, Okta ends LAPSUS$ probe
Security

IT Pro News in Review: Vulnerable Lenovo laptops, record EE 5G speeds, Okta ends LAPSUS$ probe

22 Apr 2022
Ten ways to protect your company from the next big data breach
data breaches

Ten ways to protect your company from the next big data breach

18 Feb 2022
EE, Vodafone delay post-Brexit return of roaming charges
mobile networks

EE, Vodafone delay post-Brexit return of roaming charges

6 Jan 2022
Gumtree site code made personal data of users and sellers publicly accessible
data protection

Gumtree site code made personal data of users and sellers publicly accessible

16 Dec 2021

Most Popular

Europe's first autonomous petrol station opens in Lisbon
automation

Europe's first autonomous petrol station opens in Lisbon

23 May 2022
Nvidia pauses hiring to help cope with inflation
Careers & training

Nvidia pauses hiring to help cope with inflation

23 May 2022
Windows 11's nifty new search feature has one major downside
Microsoft Windows

Windows 11's nifty new search feature has one major downside

23 May 2022