EE has admitted the existence of a security hole in its BrightBox router that makes it possible for cyber attackers to discover personal information about a customer and allegedly gain control of their account.
The flaw was uncovered by blogger and programmer Scott Helme, who had just had a BrightBox installed after signing up for a broadband contract with the telco.
According to Helme, it is "incredibly easy" to access information from the box, including the hash of the device admin password and ISP user credentials, amongst others.
Helme said after an engineer installed his BrightBox, he decided to take a closer look at the traffic passing through the device.
"It became apparent that the device leaks access to all kinds of sensitive data to clients on the network and there's also the possibility to exploit this remotely," Helme claimed
He also claimed it was possible to carry out a type of attack known as a cross site request forgery and reboot the device.
Furthermore, Helme claims he initially agreed not to publish his findings until EE had issued a patch, which was due in December 2013.
"After several weeks of updating them with new findings, things started to slow down. At the time of publishing, the latest information I have is that the firmware is back in development to resolve further issues found during testing," Helme said.
"I strongly considered when to publish this blog, but after much debate, I decided it was in the interest of the public to do so, due to the lack of confidence I now have in EE," he explained.
Following the initial publication of Helme's blog, EE has publicly admitted a security hole exists in its BrightBox device.
In a statement, the company said: "We are aware of Mr Helme's article. As is the case for all home broadband customers, regardless of their provider, it is recommend they only give network access to people they trust. Customers should also be suspicious of any unsolicited emails and web pages, and keep their security software up to date.
"We treat all security matters seriously (no personal data will be compromised by the device itself), we would like to reassure customers that we are working on a service update which we plan to issue shortly, and which will remotely and automatically update customers' Brightboxes (sic) with enhanced security protection."
-
Should AI PCs be part of your next hardware refresh?AI PCs are fast becoming a business staple and a surefire way to future-proof your business
-
Westcon-Comstor and Vectra AI launch brace of new channel initiativesNews Westcon-Comstor and Vectra AI have announced the launch of two new channel growth initiatives focused on the managed security service provider (MSSP) space and AWS Marketplace.
-
Capita tells pension provider to 'assume' nearly 500,000 customers' data stolenCapita told the pension provider to “work on the assumption” that data had been stolen
-
IT Pro News in Review: Vulnerable Lenovo laptops, record EE 5G speeds, Okta ends LAPSUS$ probeVideo Catch up on the biggest headlines of the week in just two minutes
-
Gumtree site code made personal data of users and sellers publicly accessibleNews Anyone could scan the website's HTML code to reveal personal information belonging to users of the popular second-hand classified adverts website
-
Pizza chain exposed 100,000 employees' Social Security numbersNews Former and current staff at California Pizza Kitchen potentially burned by hackers
-
83% of critical infrastructure companies have experienced breaches in the last three yearsNews Survey finds security practices are weak if not non-existent in critical firms
-
Identity Automation launches credential breach monitoring serviceNews New monitoring solution adds to the firm’s flagship RapidIdentity platform
-
Neiman Marcus data breach hits 4.6 million customersNews The breach took place last year, but details have only now come to light
-
Indiana notifies 750,000 after COVID-19 tracing data accessedNews The state is following up to ensure no information was transferred to bad actors
