The past few months seem to have been loaded with reports of serious security flaws in many home broadband ISP routers. Now EE’s BrightBox 1 kit has become the latest to hit troubled times after a web security specialist, Scott Helme, revealed just how easy it is to hack.
According to Scott’s website, it is “incredibly easy to access sensitive information” on EE’s BrightBox 1 kit, such as the MD5 hash of the device’s admin password, the customer’s ISP user credentials, WPA and WEP keys, SSID lists and more.
The news is very worrying, especially as at the last count the ISP had a total of 714,000 customers on its related ADSL and “Fibre Broadband” (FTTC) packages. But some of those use older routers from the Orange era and others have the latest BrightBox 2 kit (i.e. EE’s most recent Fibre subscribers), none of which have been exposed to Scott’s testing... yet.
Scott Helme said:
“The engineer came out and connected my fibre broadband (FTTC) and as with all new devices on my network, I decided to take a closer look at the traffic going to and from the device. It became apparent that the device leaks access to all kinds of sensitive data to clients on the network and there’s also the possibility to exploit this remotely.
Being able to grab details like the WPA keys or the hash of my admin passwords was bad enough, but exposing my ISP user credentials represents a huge risk. This is made even worse by the fact it’s possible to access all of the data remotely. Even if the device is only used in the home or small office, this represents a total compromise of the device’s security and an attacker could wreak havoc with your account causing huge inconvenience and even financial losses.”
Scott then proceeds to pick apart the router’s many embarrassing security holes one by one and explain how he did it, although many of the exploits only work for those on the same Home Network (Local Area Network) as the device. But Scott does warn that a “targeted social engineering attack could easily be crafted to gain remote access” (note: this kind of attack often involves first tricking a user into clicking or downloading something).
Naturally Scott, working under the principle of Responsible Disclosure, then made EE aware of the problems and only a few hours later received a response from the ISP’s Head of Security Operations, which is impressive. Initially EE promised to release a Firmware patch in mid-December 2013, which later slipped to mid-January 2014 after Scott reported new flaws.
Since then Scott says that “updates and information from EE regarding when this might be patched seem to have dried up completely” and as a result he decided, having lost confidence in EE, to publish his findings.
Statement from EE to ISPreview.co.uk:
“We are aware of Mr Helme’s article. As is the case for all home broadband customers, regardless of their provider, it is recommended they only give network access to people they trust. Customers should also be suspicious of any unsolicited emails and web pages, and keep their security software up to date.
We treat all security matters seriously, and while no personal data will be compromised by the device itself, we would like to reassure customers that we are working on a service update which we plan to issue shortly, and which will remotely and automatically update customers’ Brightboxes with enhanced security protection.”
As it stands we still do not have a clear ETA but it’s well known that ISPs don’t like to rush out major updates, especially ones where a multitude of vulnerabilities need to be resolved and properly tested. Indeed it would be all too easy to issue a new Firmware, which hadn’t been properly tested, and have it break something more serious. On the other hand some ISPs get around this by issuing BETA firmware that customers can test by choice (e.g. Virgin Media, TalkTalk etc.) but EE does not appear to take that approach.
In the meantime it’s probably a good idea for anybody who lives in a busy area, with a lot of neighbouring wifi networks, to consider disabling the wireless aspect from their router’s admin panel and using a wired network approach. Alternatively you could always use another router entirely, at least until EE has fixed the bugs. Credits to Threatpost for bringing this to our attention.
UPDATE 20th Jan 2014
Curiously the BBC’s coverage of this story today suggests that the newer BrightBox 2 router might also be affected, which has not yet been confirmed by Scott and would be a bit odd since they are quite different pieces of kit (it’s possible that some of the same flaws may exist but probably not all). Scott told ISPreview.co.uk that he has yet to test the BB2 but has put in a request for one.