Standard User ScottHelme
(newbie) Tue 14-Jan-14 18:52:31

EE BrightBox router hacked


 
I thought people might be interested in an article I've just written about the EE BrightBox.

It seems the security of the device is pretty lax, allowing an attacker to bypass the admin login, exploit the device remotely and even take control of your EE account by leaking credentials.

You can see the article on my blog here: http://scotthel.me/eebb

Scott.

------------------------------------------------------
Catch me on my blog https://scotthelme.co.uk
Standard User Mike_Williams
(committed) Thu 16-Jan-14 09:26:01

Re: EE BrightBox router hacked


[re: ScottHelme]
 
Hi Scott,

Really like your in-depth coverage of the security issues.

I am still on ADSL 2+ so I am using a Buffalo wbmr-hp-g300h with dd-wrt and find it is excellent.

I also liked your article on WiFi security.

The answer to your question about the blooper on the ICO web page on WiFi security is
"A Service Set Identifier (SSID) is a unique ID used for naming wireless networks"
SSID is not unique.

Regards
Mike Williams

Info :-
Line: Length 250 metres
Modem router: Buffalo wbmr-hp-g300h + LinkSys wg54g both running dd-wrt firmware
IP Profile = Down 19418 kbps Up 1019 kbps

2012: EE WBC 20Mbps Down: 22010 kbps Up: 1019 kbps
2003: Demon ADSLMax 8Mbps Down: 8128 kbps Up: 448 kbps
Standard User ScottHelme
(newbie) Thu 16-Jan-14 09:45:49

Re: EE BrightBox router hacked


[re: Mike_Williams]
 
Hi Mike,

Thanks for the comments, I'm glad you liked the article.

Good spot on the ICO page, there's also another one!

"You should change the network name from the router's default. This will make it harder for anyone to identify your browser and guess its default settings."

I'm not even sure where to begin with that...!

Scott.

------------------------------------------------------
Catch me on my blog https://scotthelme.co.uk

Standard User Mike_Williams
(committed) Thu 16-Jan-14 12:53:15

Re: EE BrightBox router hacked


[re: ScottHelme]
 
Two bloopers in one paragraph is very sloppy for them :)

Regards
Mike Williams

Info :-
Line: Length 250 metres
Modem router: Buffalo wbmr-hp-g300h + LinkSys wg54g both running dd-wrt firmware
IP Profile = Down 19418 kbps Up 1019 kbps

2012: EE WBC 20Mbps Down: 22010 kbps Up: 1019 kbps
2003: Demon ADSLMax 8Mbps Down: 8128 kbps Up: 448 kbps
Standard User XRaySpeX
(eat-sleep-adslguide) Tue 11-Feb-14 17:38:41

Re: EE BrightBox router hacked


[re: ScottHelme]
 
In your latest blog, http://scotthel.me/eebb2 , you say:
"I can no longer retrieve account data from another serial number. It seems odd that the ability to retrieve account data in this fashion was present, but upon receiving an official comment from EE 7 days after disclosure and several chaser emails, the problem is gone. Perhaps a coincidence, perhaps not, at least the issue is no longer present."
It's simple for EE to present a user's ISP creds only to the original user of that BrightBox('s serial #) and to no other user, by checking the phone # of the line making the TR-069 request, as I suggested in my thread about the possibility of user's creds being 'baked' in. Perhaps they are now checking the phone #?

As to EE's statement:
"In response to the points you have raised, the ACS system is secured with a unique username and password for every user, so cannot be exploited in the way you describe. The only reason this was not the case for a short time on your router is because we had removed your router from the network, and then reinstated it so you could test the firmware."
What can it mean? Each BrightBox is already associated with a unique username and password for every user and has been for some time. What are they saying has changed?

1999: Freeserve 48K Dial-Up => 2005: Wanadoo 1 Meg BB => 2007: Orange 2 Meg BB => 2008: Orange 8 Meg LLU => 2010: Orange 16 Meg LLU => 2011: Orange 20 Meg WBC
Standard User ScottHelme
(learned) Tue 11-Feb-14 18:26:30

Re: EE BrightBox router hacked


[re: XRaySpeX]
 
I don't know, this is why I'm a tad suspicious of what they are saying.

I was able to recover the details for several days after receiving the firmware patch. I can't see why them removing or adding my router from the network would allow me to retrieve other configuration data. I assume they mean that each router has unique credentials for the TR-069 request? If that's the case, why would I ever be able to recover data other than my own? I also don't see how they could manage this. The fact that the website that the router communicates with also changed doesn't support their argument either really...

Also, does this mean when they patch every router over the phone line they will also be able to do the same for several days, or was it just an issue with mine specifically?

Maybe I've misunderstood something but it doesn't seem to quite add up.

------------------------------------------------------
Catch me on my blog https://scotthelme.co.uk
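
Added example (not part of any post in this thread, and not EE's code): the two posts above discuss per-router ACS credentials and XRaySpeX's suggestion of checking the line a TR-069 request arrives on. The sketch below shows an ACS-side check that only releases account configuration when the serial number claimed in the Inform matches the credential used and the line it was provisioned for. The record layout, the function names and the idea that the ACS learns a line identifier from the access network are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed provisioning records (hypothetical): one ACS credential per
# router, tied to that router's serial number and the line it was shipped to.
PROVISIONED = {
    "cpe-user-a": {"serial": "SN-A-0001", "line": "LINE-A"},
    "cpe-user-b": {"serial": "SN-B-0002", "line": "LINE-B"},
}

def claimed_serial(inform_xml):
    """Return the SerialNumber the CPE claims in its TR-069 Inform."""
    root = ET.fromstring(inform_xml)
    for el in root.iter():
        # Match on the local name so the cwmp namespace version does not matter.
        if el.tag.rsplit("}", 1)[-1] == "SerialNumber":
            return (el.text or "").strip()
    return None

def authorize_inform(auth_user, line_id, inform_xml):
    """Return (allowed, reason) for a session asking for account config."""
    # auth_user: identity from the HTTP authentication on the ACS session.
    # line_id:   identifier of the access line, assumed to be supplied by
    #            the network (never taken from the request body).
    record = PROVISIONED.get(auth_user)
    if record is None:
        return (False, "unknown credential")
    # A valid credential is not enough: the serial in the body is
    # client-controlled, so it must match the credential's own router.
    if claimed_serial(inform_xml) != record["serial"]:
        return (False, "serial does not match credential")
    if line_id != record["line"]:
        return (False, "request arrived on a different line")
    return (True, "ok")

def make_inform(serial):
    """Build a minimal, constructed Inform body for exercising the check."""
    return (
        '<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/" '
        'xmlns:cwmp="urn:dslforum-org:cwmp-1-0"><soap:Body><cwmp:Inform>'
        "<DeviceId><SerialNumber>%s</SerialNumber></DeviceId>"
        "</cwmp:Inform></soap:Body></soap:Envelope>" % serial
    )
```

With a check like this, a router that authenticates with its own credential but presents another router's serial number is refused rather than served that router's account data.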
Standard User XRaySpeX
(eat-sleep-adslguide) Thu 13-Feb-14 00:56:30

Re: EE BrightBox router hacked


[re: ScottHelme]
 
Heeding your misgivings about EE pwds, I changed my pwd at the Member's Centre. It auto changed my EE email pwd but not the router's ISP BB login pwd.

I wonder which of the pwds the phone CSs will ask you to supply characters from? :D

1999: Freeserve 48K Dial-Up => 2005: Wanadoo 1 Meg BB => 2007: Orange 2 Meg BB => 2008: Orange 8 Meg LLU => 2010: Orange 16 Meg LLU => 2011: Orange 20 Meg WBC
Standard User ScottHelme
(learned) Thu 13-Feb-14 07:18:52

Re: EE BrightBox router hacked


[re: XRaySpeX]
 
I've actually been discussing this with someone via email after they noted similar behaviour.

If you change it via the member centre then it changes everything except your router password. If you call EE and ask them to update the password on the router then it updates everything.

The only thing we haven't established yet is the question you raised: if you change it via the member centre, which one do they ask for? If you find out, please let us know. My money is on them expecting characters from the router password.

------------------------------------------------------
Catch me on my blog https://scotthelme.co.uk
Standard User XRaySpeX
(eat-sleep-adslguide) Thu 13-Feb-14 11:39:03

Re: EE BrightBox router hacked


[re: ScottHelme]
 
In reply to a post by ScottHelme:
"If you call EE and ask them to update the password on the router then it updates everything."
That's how you used to do it in the old days, Freeserve, Wanadoo & prob early Orange. There was no Member's Centre. Hence my believing that all the pwds had to be the same.

1999: Freeserve 48K Dial-Up => 2005: Wanadoo 1 Meg BB => 2007: Orange 2 Meg BB => 2008: Orange 8 Meg LLU => 2010: Orange 16 Meg LLU => 2011: Orange 20 Meg WBC

Edited by XRaySpeX (Thu 13-Feb-14 11:39:59)
