Both the newer Brightbox 2 and the Brightbox 1 are affected

EE rushing to fix router vulnerability

Network operator EE is working on an emergency security upgrade after a researchers discovered a security flaw in its routers.

The vulnerability affects the firm’s Brightbox 1 and 2 routers, which have been given to broadband customers since early 2012, and allows criminals to remotely access users’ sensitive information such as their Wi-Fi login credentials.

According to Scott Helme, the flaw could even allow a hacker access to ISP credentials that, if combined with a social engineering attack, would allow them to pass account security over the phone with EE.

Writing in a blog post Helme said: “Being able to grab details like the WPA keys or the hash of my admin passwords was bad enough, but exposing my ISP user credentials represents a huge risk. This is made even worse by the fact it’s possible to access all of the data remotely.

“Even if the device is only used in the home or small office, this represents a total compromise of the device’s security and an attacker could wreak havoc with your account causing huge inconvenience and even financial losses.”

EE described the threat as "moderate", but said it plans to send out an automatic upgrade before the end of this month.

An EE spokeswoman said: "We are aware of Mr Helme's article. As is the case for all home broadband customers, regardless of their provider, it is recommend they only give network access to people they trust. Customers should also be suspicious of any unsolicited e-mails and web pages, and keep their security software up to date.

“We treat all security matters seriously, and while no personal data will be compromised by the device itself, we would like to reassure customers that we are working on a service update which we plan to issue shortly, and which will remotely and automatically update customers’ Brightboxes with enhanced security protection.”

Recent articles

Info Message

Our sites use cookies to support some functionality, and to collect anonymous user data.

Learn more about IET cookies and how to control them