EE BrightBox router could expose customer data

Blogger uncovers critical BrightBox security flaw.

EE store

EE has admitted the existence of a security hole in its BrightBox router that makes it possible for cyber attackers to discover personal information about a customer and allegedly gain control of their account.

The flaw was uncovered by blogger and programmer Scott Helme, who had just had a BrightBox installed after signing up for a broadband contract with the telco.

According to Helme, it is "incredibly easy" to access information from the box, including the hash of the device admin password and ISP user credentials, amongst others.

Helme said after an engineer installed his BrightBox, he decided to take a closer look at the traffic passing through the device.

"It became apparent that the device leaks access to all kinds of sensitive data to clients on the network and there's also the possibility to exploit this remotely," Helme claimed

He also claimed it was possible to carry out a type of attack known as a cross site request forgery and reboot the device.

Furthermore, Helme claims he initially agreed not to publish his findings until EE had issued a patch, which was due in December 2013.

"After several weeks of updating them with new findings, things started to slow down. At the time of publishing, the latest information I have is that the firmware is back in development to resolve further issues found during testing," Helme said.

"I strongly considered when to publish this blog, but after much debate, I decided it was in the interest of the public to do so, due to the lack of confidence I now have in EE," he explained.

Following the initial publication of Helme's blog, EE has publicly admitted a security hole exists in its BrightBox device.

In a statement, the company said: "We are aware of Mr Helme's article. As is the case for all home broadband customers, regardless of their provider, it is recommend they only give network access to people they trust. Customers should also be suspicious of any unsolicited emails and web pages, and keep their security software up to date.

"We treat all security matters seriously (no personal data will be compromised by the device itself), we would like to reassure customers that we are working on a service update which we plan to issue shortly, and which will remotely and automatically update customers' Brightboxes (sic) with enhanced security protection."

Featured Resources

Managing security risk and compliance in a challenging landscape

How key technology partners grow with your organisation

Download now

Evaluate your order-to-cash process

15 recommended metrics to benchmark your O2C operations

Download now

AI 360: Hold, fold, or double down?

How AI can benefit your business

Download now

Getting started with Azure Red Hat OpenShift

A developer’s guide to improving application building and deployment capabilities

Download now

Recommended

Global ransom DDoS extortionists are retargeting companies
distributed denial of service (DDOS)

Global ransom DDoS extortionists are retargeting companies

22 Jan 2021
Pixlr data breach exposes over 1.9 million user records
data breaches

Pixlr data breach exposes over 1.9 million user records

22 Jan 2021
BEC scammers are using Google Forms to identify easy victims
phishing

BEC scammers are using Google Forms to identify easy victims

21 Jan 2021
FBI warns of ongoing corporate vishing attacks
phishing

FBI warns of ongoing corporate vishing attacks

19 Jan 2021

Most Popular

How to move Windows 10 from your old hard drive to SSD
operating systems

How to move Windows 10 from your old hard drive to SSD

21 Jan 2021
WhatsApp could face €50 million GDPR fine
General Data Protection Regulation (GDPR)

WhatsApp could face €50 million GDPR fine

25 Jan 2021
Trump pardons convicted ex-Google engineer Levandowski
intellectual property

Trump pardons convicted ex-Google engineer Levandowski

20 Jan 2021