Helme had discovered the flaws (which he detailed last week in a post titled EE BrightBox router hacked – bares all if you ask nicely) when he became an EE fiber customer and looked at the traffic going to and from the box. He attempted 'responsible disclosure' of what he discovered, but got nowhere with EE's customer services. "Eventually I gave up and emailed the CEO and CTO directly", he says, and began to think he was finally getting somewhere. EE accepted the flaws and told him a patch would be released in December, then in mid-January, and then at some point in the future.
"I strongly considered when to publish this blog, but after much debate, I decided it was in the interest of the public to do so, due to the lack of confidence I now have in EE."
In that blog he says he "found that it is incredibly easy to access sensitive information. This includes the md5 hash of the device admin password and my ISP user credentials, amongst other sensitive data. Allowing me to pass account security over the phone with EE, this not only leads to a total compromise of the device, but gives an attacker control of your account too."
Oh dear, he says. "With a little CSRF [cross-site request forgery], I can enable remote management on your router and steal all of your sensitive data like WPA keys, ISP credentials and the md5 hash of your admin password over the Internet. Once I’ve cracked the hash I can login and do just about anything I like with your device or not bother with any of that and just call EE to cancel your internet connection."
EE has now responded. "We are aware of Mr Helme's article," it said. "while no personal data will be compromised by the device itself, we would like to reassure customers that we are working on a service update which we plan to issue shortly, and which will remotely and automatically update customers’ Brightboxes with enhanced security protection."
EE's primary response is to stress that customers should only give access to their network to people they trust. Helme told The Register, that this is too simplistic. "You might give a friend or someone else your Wi-Fi password but you wouldn't want to give them access to the admin account – but that's what EE is doing here." Another example would be small companies providing courtesy access to visitors.
A further problem is the ease with which such details can be phished – something that EE recognizes in its statement. "Customers should also be suspicious of any unsolicited emails and web pages, and keep their security software up to date."
Wieland Alge, VP and general manager EMEA at Barracuda Networks, explains the threat: “With phishing attacks, the attacker usually researches personal information about the targeted individuals in order to make their messages sound more convincing. The availability of personal information via social media has made this process a lot easier for cyber criminals." Phishing plus Helme's flaws could seriously compromise a Brightbox.