EE BrightBox router could expose customer data

Blogger uncovers critical BrightBox security flaw.

EE store

EE has admitted the existence of a security hole in its BrightBox router that makes it possible for cyber attackers to discover personal information about a customer and allegedly gain control of their account.

The flaw was uncovered by blogger and programmer Scott Helme, who had just had a BrightBox installed after signing up for a broadband contract with the telco.

According to Helme, it is "incredibly easy" to access information from the box, including the hash of the device admin password and ISP user credentials, amongst others.

Helme said after an engineer installed his BrightBox, he decided to take a closer look at the traffic passing through the device.

"It became apparent that the device leaks access to all kinds of sensitive data to clients on the network and there's also the possibility to exploit this remotely," Helme claimed

He also claimed it was possible to carry out a type of attack known as a cross site request forgery and reboot the device.

Furthermore, Helme claims he initially agreed not to publish his findings until EE had issued a patch, which was due in December 2013.

"After several weeks of updating them with new findings, things started to slow down. At the time of publishing, the latest information I have is that the firmware is back in development to resolve further issues found during testing," Helme said.

"I strongly considered when to publish this blog, but after much debate, I decided it was in the interest of the public to do so, due to the lack of confidence I now have in EE," he explained.

Following the initial publication of Helme's blog, EE has publicly admitted a security hole exists in its BrightBox device.

In a statement, the company said: "We are aware of Mr Helme's article. As is the case for all home broadband customers, regardless of their provider, it is recommend they only give network access to people they trust. Customers should also be suspicious of any unsolicited emails and web pages, and keep their security software up to date.

"We treat all security matters seriously (no personal data will be compromised by the device itself), we would like to reassure customers that we are working on a service update which we plan to issue shortly, and which will remotely and automatically update customers' Brightboxes (sic) with enhanced security protection."

Featured Resources

Seven steps to connect and empower your frontline workers

How business leaders can improve communication with a secure platform

Free download

Create what’s next

The future of collaboration and productivity

Free Download

Leveraging the cloud without relinquishing control

Your data. Their cloud.

Free download

Re-architecting for nonstop innovation

Unlocking productivity, scalability, and lower costs for cloud natives

Free Download

Recommended

Pizza chain exposed 100,000 employees' Social Security numbers
data breaches

Pizza chain exposed 100,000 employees' Social Security numbers

19 Nov 2021
Hackers use Linux backdoor on compromised e-commerce sites with software skimmer
malware

Hackers use Linux backdoor on compromised e-commerce sites with software skimmer

19 Nov 2021
Iranian hackers ramp up attacks against IT services sector
hacking

Iranian hackers ramp up attacks against IT services sector

19 Nov 2021
TikTok phishing campaign tried to scam over 125 influencer accounts
social media

TikTok phishing campaign tried to scam over 125 influencer accounts

18 Nov 2021

Most Popular

How to speed up Microsoft's Windows 11
Microsoft Windows

How to speed up Microsoft's Windows 11

9 Nov 2021
Nike to take customers into the metaverse with 'NIKELAND'
virtualisation

Nike to take customers into the metaverse with 'NIKELAND'

19 Nov 2021
Best MDM solutions 2020
mobile device management (MDM)

Best MDM solutions 2020

12 Nov 2021