Standard User glossywhite
(member) Sun 19-Jan-14 20:47:02

Re: Bright Box plain-text security leaks


[re: deleted] [link to this post]
 
In reply to a post by ScottHelme:
I thought you'd be interested in an article I've just written about the EE BrightBox.

It seems the security of the device is worse than it appears, allowing an attacker to bypass the admin login, exploit the device remotely and even take control of your EE account by leaking credentials.

You can see the article on my blog here: http://scotthel.me/eebb

Scott.


Hello Scott :)

That's a nice article; FAR more research than I could be bothered to do over such a poor device. I'm now moving back to electronics as the majority of my work - I'm a hardware guy more - I have been since I was a child - software just frustrates me and confuses me.

LOVE the shotgun - that's the best thing for this piece of hardware - I have SIX spares, all brand new, and do you think EE will listen to me, and send me a BB 2? Nope - they just stonewall me. Poor show.

Great article! :D

God bless you,

Matt.
Standard User deleted
(deleted) Sun 19-Jan-14 22:24:54

Re: Bright Box plain-text security leaks


[re: glossywhite] [link to this post]
 
Hey Matt,

Yeah, it is bad that they're still shipping these things out and considering how long they have been aware of this and not patched it, well, unbelievable.

I've been trying to get a BB 2 also, let me know if you have any joy and how you get one.

Cheers,

Scott.
Standard User deleted
(deleted) Mon 20-Jan-14 12:59:33

Re: Bright Box plain-text security leaks


[re: deleted] [link to this post]
 
At last EE taking action:

EE rushes to fix broadband box security risk


Standard User XRaySpeX
(eat-sleep-adslguide) Mon 20-Jan-14 13:37:52
Print Post

Re: Bright Box plain-text security leaks


[re: deleted] [link to this post]
 
Well done, Scott, and getting it in the news :) !

1999: Freeserve 48K Dial-Up => 2005: Wanadoo 1 Meg BB => 2007: Orange 2 Meg BB => 2008: Orange 8 Meg LLU => 2010: Orange 16 Meg LLU => 2011: Orange 20 Meg WBC
Standard User glossywhite
(member) Mon 20-Jan-14 15:31:35

Re: Bright Box plain-text security leaks


[re: XRaySpeX] [link to this post]
 
In reply to a post by XRaySpeX:
Well done, Scott, and getting it in the news :) !


I thought it "wasn't an issue"? ;)

How soon people change their minds... LOL.
Standard User XRaySpeX
(eat-sleep-adslguide) Mon 20-Jan-14 16:14:02

Re: Bright Box plain-text security leaks


[re: glossywhite] [link to this post]
 
Where did I say that? I just pointed out your findings were of low risk, not Scott's. Here I was just congratulating Scott on his much more in-depth research.

You are most spiteful and defensive!

1999: Freeserve 48K Dial-Up => 2005: Wanadoo 1 Meg BB => 2007: Orange 2 Meg BB => 2008: Orange 8 Meg LLU => 2010: Orange 16 Meg LLU => 2011: Orange 20 Meg WBC
Standard User Oliver341
(eat-sleep-adslguide) Mon 20-Jan-14 18:08:14

Re: Bright Box plain-text security leaks


[re: glossywhite] [link to this post]
 
I notice the scotthelme website doesn't credit you for finding the exploited URLs.

Who originally discovered these?

Oliver.
Standard User deleted
(deleted) Mon 20-Jan-14 18:50:31

Re: Bright Box plain-text security leaks *DELETED*


[re: Oliver341] [link to this post]
 
Post deleted by Zak_
Standard User deleted
(deleted) Mon 20-Jan-14 20:42:31

Re: Bright Box plain-text security leaks


[re: Oliver341] [link to this post]
 
I found the first exploited URLs using packet sniffing software and then went on to find the rest from the device itself. I used to be a firmware tester so hooking up to JTAG/serial headers on an embedded device is something I'm familiar with.

If credit were due, it would have been given!

Scott.
Standard User deleted
(deleted) Mon 20-Jan-14 20:44:47
Print Post

Re: Bright Box plain-text security leaks


[re: deleted] [link to this post]
 
Thanks to Zak and Ray for the comments/links!