EE BrightBox router could expose customer data

published 20 January 2014

EE has admitted the existence of a security hole in its BrightBox router that makes it possible for cyber attackers to discover personal information about a customer and allegedly gain control of their account.

The flaw was uncovered by blogger and programmer Scott Helme, who had just had a BrightBox installed after signing up for a broadband contract with the telco.

According to Helme, it is "incredibly easy" to access information from the box, including the hash of the device admin password and ISP user credentials, amongst others.

Helme said after an engineer installed his BrightBox, he decided to take a closer look at the traffic passing through the device.

"It became apparent that the device leaks access to all kinds of sensitive data to clients on the network and there's also the possibility to exploit this remotely," Helme claimed

He also claimed it was possible to carry out a type of attack known as a cross site request forgery and reboot the device.

Furthermore, Helme claims he initially agreed not to publish his findings until EE had issued a patch, which was due in December 2013.

"After several weeks of updating them with new findings, things started to slow down. At the time of publishing, the latest information I have is that the firmware is back in development to resolve further issues found during testing," Helme said.

"I strongly considered when to publish this blog, but after much debate, I decided it was in the interest of the public to do so, due to the lack of confidence I now have in EE," he explained.

Following the initial publication of Helme's blog, EE has publicly admitted a security hole exists in its BrightBox device.

In a statement, the company said: "We are aware of Mr Helme's article. As is the case for all home broadband customers, regardless of their provider, it is recommend they only give network access to people they trust. Customers should also be suspicious of any unsolicited emails and web pages, and keep their security software up to date.

"We treat all security matters seriously (no personal data will be compromised by the device itself), we would like to reassure customers that we are working on a service update which we plan to issue shortly, and which will remotely and automatically update customers' Brightboxes (sic) with enhanced security protection."

Jane McCallion is Managing Editor of ITPro and ChannelPro, specializing in data centers, enterprise IT infrastructure, and cybersecurity. Before becoming Managing Editor, she held the role of Deputy Editor and, prior to that, Features Editor, managing a pool of freelance and internal writers, while continuing to specialize in enterprise IT infrastructure, and business strategy.

Prior to joining ITPro, Jane was a freelance business journalist writing as both Jane McCallion and Jane Bordenave for titles such as European CEO, World Finance, and Business Excellence Magazine.