
EE admits Bright Box router security flaw

20 Jan 2014

EE has confirmed reports that its Bright Box home router tool has a security flaw that could be used to expose account owners' personal information.

Security researcher Scott Helme revealed the flaw in a detailed blog post, explaining that he had uncovered the issue after he was given the Bright Box router when he started using a home broadband service from EE.

“The engineer came out and connected my fibre broadband (FTTC) and, as with all new devices on my network, I decided to take a closer look at the traffic going to and from the device,” he said.

“It became apparent that the device leaks access to all kinds of sensitive data to clients on the network and there’s also the possibility to exploit this remotely.”

He explained that this could have serious repercussions. “It discloses the password of the EE account holder so I can call EE and pass account security, leaving me in a position to go as far as cancelling someone else’s broadband package altogether,” he wrote.

EE questioned this claim, though, saying that cancelling an account requires more information than just an email or username. Helme's point, however, was that having accessed some information, it would be easy to gather the other data required.

EE later confirmed to V3 that it had changed the information that operators accepted when trying to verify if someone was the account holder to cover the potential issue Helme had found.

The firm also confirmed it would be issuing a firmware update for the router to fix the security issue.

“As is the case for all home broadband customers, regardless of their provider, it is recommended they only give network access to people they trust. Customers should also be suspicious of any unsolicited emails and webpages, and keep their security software up to date,” the firm said.

“We treat all security matters seriously. No personal data will be compromised by the device itself. We would like to reassure customers that we are working on a service update, which we plan to issue shortly, and which will remotely and automatically update customers’ Bright Boxes with enhanced security protection.”

Although the fix is said to be arriving soon, Helme noted at the end of his post that he informed both the CEO and CTO of EE of the issue and was told by security staff that a fix would arrive in December. Because of this he felt compelled to release the information after no update was issued.

Dan Worth

Dan Worth is the news editor for V3 having first joined the site as a reporter in November 2009. He specialises in a raft of areas including fixed and mobile telecoms, data protection, social media and government IT. Before joining V3 Dan covered communications technology, data handling and resilience in the emergency services sector on the BAPCO Journal
