An EE Broadband customer claims to have discovered a loophole in the EE BrightBox router which could give people access to customers' account details.
Programmer Scott Helme alleges that the admin password of the device is easily obtainable, potentially exposing customers to phishing attacks.
Helme also claims that once armed with a customer's account details, hackers could cancel someone’s broadband account by calling up EE directly and posing as a customer – although EE has said that this is impossible.
The first-generation BrightBox router is bundled free with EE’s regular, non-fibre broadband packages. It’s not yet known if the more recent BrightBox 2, supplied with EE’s FTTC (Fibre to the Cabinet)-based products.
An EE spokesperson said that retrieving someone’s email address and username would not be enough to give someone the power to cancel an EE account. The spokesperson said:
“To cancel an account a caller must verify their identity to one of our customer service agents. An email or username, which is the only information a third party could access, is not accepted as an account identifier.”
The spokesperson added: “We are aware of Mr Helme’s article. As is the case for all home broadband customers, regardless of their provider, it is recommended they only give network access to people they trust. Customers should also be suspicious of any unsolicited emails and web pages, and keep their security software up to date.”
On his blog Helme alleges that BrightBoxes can be made to give up sensitive data remotely, regardless of whether network access has been shared or not. EE is now working on a service update which will update all BrightBox routers.
The spokesperson added: “We treat all security matters seriously, and while no personal data will be compromised by the device itself, we would like to reassure customers that we are working on a service update which we plan to issue shortly, and which will remotely and automatically update customers’ Brightboxes with enhanced security protection.”
EE currently has 718,000 broadband customers, making it the UK’s fifth biggest ISP by subscriber size. While the BrightBox has been sent out to many customers, not every EE subscriber out there will be using the BrightBox router.
Some will have either installed their own routers or will be using the older Orange Broadband-era hardware or the newer BrightBox 2.
Helme talks about a potential attacker using so-called rainbow tables – in a nutshell, lists of commonly used passwords – to crack the admin password of a router, so one way in which you could safeguard your router while waiting for an EE update is to choose a good, strong password.
While this wouldn’t stop a hypothetical hacker from finding out your account details, choosing a strong password could stop any potential compromising of the router itself.
It’s important to note that while a flaw appears to have been found in EE’s hardware it’s not a reason for non-EE customers to be complacent. Choosing a complex harder-to-crack admin password for your router is advisable regardless of who supplies you with home broadband.
Update: Details regarding the information required to cancel accounts added to the 5th paragraph at 14:20.