EE working on emergency fix to security flaw - UPDATED
Provider's broadband customers who signed up after early 2012 are affected, as are earlier customers who upgraded their routers
Telecoms provider EE is working on an emergency fix for a security flaw in its routers, discovered by a researcher earlier this month.
Writing on his blog, security enthusiast Scott Helme said that he found the vulnerability shortly after receiving his router from EE.
"Shortly after having my new fibre broadband installed, I discovered a method to permanently compromise the security of the BrightBox router provided by EE. After a brief period of traffic analysis, something I do to all new devices on my network, I had found that it is incredibly easy to access sensitive information."
The issue affects any EE customer with a Brightbox router in their homes. In a statement, EE said:
"We treat all security matters seriously, and while no personal data will be compromised by the device itself, we would like to reassure customers that we are working on a service update which we plan to issue shortly, and which will remotely and automatically update customers' Brightboxes with enhanced security protection."
Whilst EE claims that the threat is only moderate, Helme found that the vulnerability allows full customer account details to be leaked.
"It became apparent that the device leaks access to all kinds of sensitive data to clients on the network and there's also the possibility to exploit this remotely. It discloses the password of the EE account holder so I can call EE and pass account security, leaving me in a position to go as far as cancelling someone else's broadband package altogether."
However, a spokesperson for EE contacted Computing to refute the claim that a third party account could be cancelled in this way.
"To access an account, a caller must verify their identity to one of our customer service agents. An email or username, which is the only information a third party could access, is not accepted as an account identifier," she said.