All the latest UK technology news, reviews and analysis

EE admits Bright Box router security flaw

20 Jan 2014
EE Bright Box router

EE has confirmed reports that its Bright Box home router tool has a security flaw that could be used to expose account owners' personal information.

Security researcher Scott Helme revealed the flaw in a detailed blog post, explaining that he had uncovered the issue after he was given the Bright Box router when he started using a home broadband service from EE.

“The engineer came out and connected my fibre broadband (FTTC) and, as with all new devices on my network, I decided to take a closer look at the traffic going to and from the device,” he said.

“It became apparent that the device leaks access to all kinds of sensitive data to clients on the network and there’s also the possibility to exploit this remotely.”

He explained that this could have serious repercussions. “It discloses the password of the EE account holder so I can call EE and pass account security, leaving me in a position to go as far as cancelling someone else’s broadband package altogether,” he wrote.

EE questioned this claim, though, claiming that cancelling an account requires more information than just a email or username. Helme's point was that having accessed some information, it would be easy to gather the other data required, though.

EE later confirmed to V3 that it had changed the information that operators accepted when trying to verify if someone was the account holder to cover the potential issue Helme had found.

The firm also confirmed it would be issuing a firmware update for the router to fix the security issue.

“As is the case for all home broadband customers, regardless of their provider, it is recommend they only give network access to people they trust. Customers should also be suspicious of any unsolicited emails and webpages, and keep their security software up to date,” the firm said.

“We treat all security matters seriously. No personal data will be compromised by the device itself. We would like to reassure customers that we are working on a service update, which we plan to issue shortly, and which will remotely and automatically update customers’ Bright Boxes with enhanced security protection.”

Although the fix is said to be arriving soon, Helme noted at the end of his post that he informed both the CEO and CTO of EE of the issue and was told by security staff that a fix would be arrive in December. Because of this he felt compelled to release the information after no update was issued.

  • Comment  
  • Tweet  
  • Google plus  
  • Facebook  
  • LinkedIn  
  • Stumble Upon  
Dan Worth

Dan Worth is the news editor for V3 having first joined the site as a reporter in November 2009. He specialises in a raft of areas including fixed and mobile telecoms, data protection, social media and government IT. Before joining V3 Dan covered communications technology, data handling and resilience in the emergency services sector on the BAPCO Journal

View Dan's Google+ profile

More on Security
What do you think?
blog comments powered by Disqus

BYOD vs CYOD vs BYOC poll

Which approach is your firm taking to managing employees' mobile devices?

Popular Threads

Powered by Disqus
Galaxy S5 vs Xperia Z2 home screen

Xperia Z2 vs Galaxy S5

We break down the strengths and weaknesses of the two Android heavyweights

Updating your subscription status Loading

Get the latest news (daily or weekly) direct to your inbox with V3 newsletters.

newsletter sign-up button

Data protection: the key challenges

Deduplication is a foundational technology for efficient backup and recovery


iPad makes its mark in the enterprise

The iPad can become a supercharged unified communications endpoint, allowing users to enhance their productivity

Contract Business Analyst Online Brand London

CONTRACT: Business Analyst, Datacentre, Infrastructure...

Contract Business Analyst Agile Major Ecommerce Co

CONTRACT: Business Analyst, Business Systems Analyst...

Energy Trading Business Analyst/ Consultant ETRM Germany

Job Description My client is one of the largest consultancies...

Android Developer based in Belfast

Location: Belfast Start Date: ASAP Duration: ASAP...
To send to more than one email address, simply separate each address with a comma.