Security researcher Scott Helme has disclosed the discovery of a vulnerability in BrightBox routers that would allow attackers remote access to the devices and expose potentially sensitive information.
The routers in question are supplied to customers by network provider EE, a British digital communications company that provides 4G mobile and fibre broadband services.
Helme stated that “it is incredibly easy to access sensitive information. This includes the md5 hash of the device admin password and my ISP user credentials, amongst other sensitive data, allowing me to pass account security over the phone with EE. This not only leads to a total compromise of the device, but gives an attacker control of your account too.”
EE broadband customers who signed up after early 2012, as well as earlier customers who opted to upgrade their routers, are potentially affected by the vulnerability; estimates put the number at nearly 350,000.
“It became apparent that the device leaks access to all kinds of sensitive data to clients on the network and there’s also the possibility to exploit this remotely. It discloses the password of the EE account holder so I can call EE and pass account security, leaving me in a position to go as far as cancelling someone else’s broadband package altogether,” Helme said.
The company downplayed the vulnerability as “moderate,” but nonetheless plans to rush out a fix for the flaw by the end of January.
“We treat all security matters seriously, and while no personal data will be compromised by the device itself, we would like to reassure customers that we are working on a service update which we plan to issue shortly, and which will remotely and automatically update customers’ Brightboxes with enhanced security protection,” the company said in a statement.