Home
 » ISP News » 
Sponsored

UPDATE EE UK Rush to Fix Security Flaw in BrightBox Broadband Routers

Saturday, January 18th, 2014 (7:46 am) - Score 5,905

The past few months seem to have been loaded with reports of serious security flaws in many home broadband ISP routers. Now EE’s BrightBox 1 kit has become the latest to hit troubled times after a web security specialist, Scott Helme, revealed just how easy it is to hack.

According to Scott’s Website, it is “incredibly easy to access sensitive information” on EE’s BrightBox 1 kit, such as the md5 hash of the devices admin password, the customers ISP user credentials, WPA and WEP keys, SSID lists and more.

The news is very worrying, especially as at the last count the ISP had a total of 714,000 customers on its related ADSL and “Fibre Broadband” (FTTC) packages. But some of those use older routers from the Orange era and others have the latest BrightBox 2 kit (i.e. EE’s most recent Fibre subscribers), none of which have been exposed to Scott’s testing.. yet.

Scott Helme’s said:

The engineer came out and connected my fibre broadband (FTTC) and as with all new devices on my network, I decided to take a closer look at the traffic going to and from the device. It became apparent that the device leaks access to all kinds of sensitive data to clients on the network and there’s also the possibility to exploit this remotely.

Being able to grab details like the WPA keys or the hash of my admin passwords was bad enough, but exposing my ISP user credentials represents a huge risk. This is made even worse by the fact it’s possible to access all of the data remotely. Even if the device is only used in the home or small office, this represents a total compromise of the device’s security and an attacker could wreak havoc with your account causing huge inconvenience and even financial losses.”

Scott then proceeds to pick apart the routers many embarrassing security holes one by one and explain how he did it, although many of the exploits only work for those on the same Home Network (Local Area Network) as the device. But Scott does warn that a “targeted social engineering attack could easily be crafted to gain remote access” (note: this kind of attack often involves first tricking a user into clicking or downloading something).

Naturally Scott, working under the principle of Responsible Disclosure, then made EE aware of the problems and only a few hours later received a response from the ISPs Head of Security Operations, which is impressive. Initially EE promised to release a Firmware patch in mid-December 2013, which later slipped to mid-January 2014 after Scott reported new flaws.

Since then Scott says that “updates and information from EE regarding when this might be patched seem to have dried up completely” and as a result he decided, having lost confidence in EE, to publish his findings.

Statement from EE to ISPreview.co.uk:

We are aware of Mr Helme’s article. As is the case for all home broadband customers, regardless of their provider, it is recommend they only give network access to people they trust. Customers should also be suspicious of any unsolicited emails and web pages, and keep their security software up to date.

We treat all security matters seriously, and while no personal data will be compromised by the device itself, we would like to reassure customers that we are working on a service update which we plan to issue shortly, and which will remotely and automatically update customers’ Brightboxes with enhanced security protection.”

As it stands we still do not have a clear ETA but it’s well known that ISPs don’t like to rush out major updates, especially ones where a multitude of vulnerabilities need to be resolved and properly tested. Indeed it would be all too easy to issue a new Firmware, which hadn’t been properly tested, and have it break something more serious. On the other hand some ISPs get around this by issuing BETA firmware that customers can test by choice (e.g. Virgin Media, TalkTalk etc.) but EE does not appear to take that approach.

In the meantime it’s probably a good idea for anybody whom lives in a busy area, with a lot of neighbouring wifi networks, to consider disabling the wireless aspect from your routers admin panel and using a wired network approach. Alternatively you could always use another router entirely, at least until EE has fixed the bugs. Credits to Threatpost for bringing this to our attention.

UPDATE 20th Jan 2014

Curiously the BBC’s coverage of this story today suggests that the newer BrightBox 2 router might also be affected (here), which has not yet been confirmed by Scott and would be a bit odd since they are quite different pieces of kit (it’s possible that some of the same flaws may exist but probably not all). Scott told ISPreview.co.uk that he has yet to test the BB2 but has put in a request for one.

Add to Diigo
Tags: ,
Mark Jackson
By Mark Jackson
Mark is a professional technology writer, IT consultant and computer engineer from Dorset (England), he also founded ISPreview in 1999 and enjoys analysing the latest telecoms and broadband developments. Find me on Twitter, , Facebook and Linkedin.
Leave a Comment
0 Responses

Comments are closed.

Comments RSS Feed

Javascript must be enabled to post (most browsers do this automatically)

Privacy Notice: Please note that news comments are anonymous, which means that we do NOT require you to enter any real personal details to post a message. By clicking to submit a post you agree to storing your comment content, display name, IP, email and / or website details in our database, for as long as the post remains live.

Only the submitted name and comment will be displayed in public, while the rest will be kept private (we will never share this outside of ISPreview, regardless of whether the data is real or fake). This comment system uses submitted IP, email and website address data to spot abuse and spammers. All data is transferred via an encrypted (https secure) session.

NOTE 1: Sometimes your comment might not appear immediately due to site cache (this is cleared every few hours) or it may be caught by automated moderation / anti-spam.

NOTE 2: Comments that break our rules, spam, troll or post via known fake IP/proxy servers may be blocked or removed.
Cheapest Superfast ISPs
  • Hyperoptic £20.00 (*22.00)
    Avg. Speed 50Mbps, Unlimited
    Gift: None
  • Direct Save Telecom £22.95 (*29.95)
    Avg. Speed 35Mbps, Unlimited
    Gift: None
  • Origin Broadband £23.00
    Avg. Speed 35Mbps, Unlimited
    Gift: None
  • Vodafone £23.00
    Avg. Speed 35Mbps, Unlimited
    Gift: None
  • SSE £23.00 (*33.00)
    Avg. Speed 35Mbps, Unlimited (FUP)
    Gift: None
Prices inc. Line Rental | View All
The Top 20 Category Tags
  1. BT (2464)
  2. FTTP (2093)
  3. FTTC (1631)
  4. Building Digital UK (1574)
  5. Politics (1380)
  6. Openreach (1378)
  7. Business (1207)
  8. Statistics (1077)
  9. FTTH (1014)
  10. Mobile Broadband (1006)
  11. Fibre Optic (957)
  12. Ofcom Regulation (902)
  13. Wireless Internet (885)
  14. 4G (874)
  15. Virgin Media (843)
  16. Sky Broadband (587)
  17. EE (577)
  18. TalkTalk (563)
  19. Vodafone (497)
  20. Security (402)
Promotion
Helpful ISP Guides and Tips
»
»
»
»
»
»
»
»
»
»
»
»
»
»
»
»
»
»
»
»
»
»
»
»
»
»
»
»
Sponsored

Copyright © 1999 to Present - ISPreview.co.uk - All Rights Reserved - Terms , Privacy and Cookie Policy , Links , Website Rules , Contact