EE admits Bright Box router security flaw

20 Jan 2014
EE Bright Box router

EE has confirmed reports that its Bright Box home router tool has a security flaw that could be used to expose account owners' personal information.

Security researcher Scott Helme revealed the flaw in a detailed blog post, explaining that he had uncovered the issue after he was given the Bright Box router when he started using a home broadband service from EE.

“The engineer came out and connected my fibre broadband (FTTC) and, as with all new devices on my network, I decided to take a closer look at the traffic going to and from the device,” he said.

“It became apparent that the device leaks access to all kinds of sensitive data to clients on the network and there’s also the possibility to exploit this remotely.”

He explained that this could have serious repercussions. “It discloses the password of the EE account holder so I can call EE and pass account security, leaving me in a position to go as far as cancelling someone else’s broadband package altogether,” he wrote.

EE questioned this claim, though, saying that cancelling an account requires more information than just an email or username. Helme's point, however, was that having accessed some information, it would be easy to gather the other data required.

EE later confirmed to V3 that it had changed the information operators accept when verifying that someone is the account holder, to cover the potential issue Helme had found.

The firm also confirmed it would be issuing a firmware update for the router to fix the security issue.

“As is the case for all home broadband customers, regardless of their provider, it is recommended they only give network access to people they trust. Customers should also be suspicious of any unsolicited emails and webpages, and keep their security software up to date,” the firm said.

“We treat all security matters seriously. No personal data will be compromised by the device itself. We would like to reassure customers that we are working on a service update, which we plan to issue shortly, and which will remotely and automatically update customers’ Bright Boxes with enhanced security protection.”

Although the fix is said to be arriving soon, Helme noted at the end of his post that he informed both the CEO and CTO of EE of the issue and was told by security staff that a fix would arrive in December. Because of this, he felt compelled to release the information after no update was issued.

Dan Worth