EE rushes to fix broadband box security risk

Image caption: The flaw affects the Brightbox broadband router, as well as the newer Brightbox 2 model (image source: EE)

Network provider EE will push out an emergency upgrade to its broadband customers after a security flaw was discovered by a UK researcher.

Scott Helme said the vulnerability made "remote access" to EE's routers possible.

The problem affects customers who have either the Brightbox 1 or 2 router in their homes.

EE described the threat as "moderate", but plans to send out an automatic upgrade before the end of this month.

Any broadband customer who has signed up to EE since early 2012 is affected, as are earlier customers who upgraded their routers, the company told the BBC.

It has not specified how many of its customers will need the upgrade, but the BBC understands it to be in the region of 350,000.

In a statement, EE said: "We treat all security matters seriously, and while no personal data will be compromised by the device itself, we would like to reassure customers that we are working on a service update which we plan to issue shortly, and which will remotely and automatically update customers' Brightboxes with enhanced security protection."

Phishing risk

In his blog post, Mr Helme detailed how gaining the wi-fi password would provide sufficient access for a hacker to gain administrator-level control - potentially exposing personal details about the customer.

He wrote that the vulnerability exposed enough personal data to enable a hacker "to go as far as cancelling someone else's broadband package altogether".

EE told the BBC that on Friday it changed its measures so that such actions were no longer possible, and it had briefed its call centre staff on the change of procedure.

The network said it had not received any complaints about the flaw.

It stressed that customers were protected as long as they did not disclose their wi-fi passwords - although security professionals pointed out that such details could be gleaned through phishing attacks designed to trick a user into handing over details.

"We are aware of Mr Helme's article," an EE spokesman said.

"As is the case for all home broadband customers, regardless of their provider, it is recommended they only give network access to people they trust.

"Customers should also be suspicious of any unsolicited emails and web pages, and keep their security software up to date."