Flaws in EE’s BrightBox Router Expose WPA Keys, Passwords and ISP User Credentials

Critical vulnerabilities found in EE's BrightBox routers

British security researcher Scott Helme has identified a series of critical vulnerabilities in the BrightBox routers given by the telecoms company EE to customers with broadband and fibre packages.

The security holes can be exploited to compromise the device’s administrator password, WPA keys and even ISP user credentials.

The first issue discovered by the expert is the fact that when the user logs in to the device, credentials are sent without any transport layer security, exposing the username and an md5 hash of the password to traffic sniffing.

An even bigger problem is that users have access to a cgi_status.js file which contains a lot of sensitive information, including ISP user credentials, WiFi SSIDs and WPA2 keys.

“The problem is, that even when you’re not logged in, any client on the network can access the information,” Helme explained.

This means that anyone can completely bypass the restrictions set by the device’s owner.

“Once a user has access to your ‘Guest Network’ for example, they could simply view the WPA key for your ‘Main Network’ and completely bypass all of your restrictions with a simple copy/paste operation,” the expert noted.

“Not only that, but if someone has brief access to your premises and perhaps connects to your LAN, they can steal a copy of your WiFi password/s. This would allow them remote access to your WiFi from outside the premises without you ever divulging the passwords to anyone.”

Password management is also flawed, allowing an attacker to easily change the current admin password by cracking the old password’s MD5 hash, which is easily obtainable.

As far as the ISP user credentials are concerned, someone who has access to the information can hijack your broadband account.

“Not only could a malicious attacker incur some hefty cancellation fees on your account and leave you without any internet connection, they wouldn’t even have to get out of their chair,” the researcher said.

Probably the worst part of all this is that the vulnerabilities can be exploited remotely, without local access, due to a cross-site reference forgery flaw that plagues BrightBox routers.

Helme has reported his findings to EE. The company promised to roll out a firmware update to address the vulnerabilities. However, currently, there’s no firmware update.

EE has told the researcher that some issues have been found during testing so the firmware has been sent back to development.

For additional technical details on the EE BrightBox vulnerabilities, including some hardware hacking information, check out Scott Helme’s blog.


Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s