EE routers vulnerable to ‘incredibly easy’ hack

A blogger claims to have found a flaw in EE’s BrightBox broadband routers that could leave sensitive information accessible to hackers

A flaw in EE’s broadband routers could leave user data vulnerable to hackers.

Computer programmer Scott Helme claimed he discovered how to compromise the BrightBox devices EE customers use, making it “incredibly easy to access sensitive information”, including the administrator's password and ISP user credentials.

Helme said the device leaked sensitive data to clients on the network, and that the data could be accessed remotely, meaning an attacker could easily get through any security measures put in place by EE over the phone and even go as far as cancelling the customer's account.

“Once a user has access to your ‘guest network’, they could simply view the WPA key for your ‘main network’ and completely bypass all of your restrictions with a simple copy/paste operation,” wrote Helme.

“Not only that, but if someone has brief access to your premises and perhaps connects to your LAN, they can steal a copy of your Wi-Fi password.

“This would allow them remote access to your Wi-Fi from outside the premises without you ever divulging the passwords to anyone.”

EE tried to play down the flaw but admitted it is now working on an update to the routers to stop it being so easy to access data, claiming the information available would be insufficient to pass its phone security process.

A spokesman from the company said: “As is the case for all home broadband customers, regardless of their provider, it is recommended they only give network access to people they trust. Customers should also be suspicious of any unsolicited emails and web pages, and keep their security software up to date.

“We treat all security matters seriously and, while no personal data will be compromised by the device itself, we would like to re-assure customers that we are working on a service update which we plan to issue shortly, and which will remotely and automatically update customers’ Brightboxes with enhanced security protection.”

There are two versions of the BrightBox router. Version one launched alongside the EE brand in October 2012, while version two came out a year later in October 2013.

In December 2013, Ofcom named EE as the most complained-about broadband provider in the UK for the fifth consecutive quarter. 
