Wednesday, 22 January 2014

EE admits Bright Box router security flaw

EE has confirmed reports that its Bright Box home router has a security flaw that could be used to expose account owners' personal information.
Security researcher Scott Helme revealed the flaw in a detailed blog post, explaining that he had uncovered the issue after he was given the Bright Box router when he started using a home broadband service from EE.
“The engineer came out and connected my fibre broadband (FTTC) and, as with all new devices on my network, I decided to take a closer look at the traffic going to and from the device,” he said.
“It became apparent that the device leaks access to all kinds of sensitive data to clients on the network and there’s also the possibility to exploit this remotely.”
He explained that this could have serious repercussions. “It discloses the password of the EE account holder so I can call EE and pass account security, leaving me in a position to go as far as cancelling someone else’s broadband package altogether,” he wrote.
EE disputed this claim, however, saying that cancelling an account requires more information than just an email address or username.
The firm did acknowledge the wider security issue, although it downplayed its severity, and it plans to issue a firmware update for all its customers.
“As is the case for all home broadband customers, regardless of their provider, it is recommended they only give network access to people they trust. Customers should also be suspicious of any unsolicited emails and webpages, and keep their security software up to date,” the firm said.
“We treat all security matters seriously. No personal data will be compromised by the device itself. We would like to reassure customers that we are working on a service update, which we plan to issue shortly, and which will remotely and automatically update customers’ Bright Boxes with enhanced security protection.”
Although the fix is said to be arriving soon, Helme noted at the end of his post that he had informed both the CEO and CTO of EE of the issue and had been told by security staff that a fix would arrive in December. Because no update was issued, he felt compelled to release the information.
